Posts Tagged ‘mobile’

Symbian S60 SMS Exploit ‘Curse of Silence’

Saturday, January 3rd, 2009

A lot of very interesting research was presented at the Chaos Computer Club's 25C3 congress. One piece concerned the Symbian S60 mobile operating system and a denial-of-service (DoS) vulnerability triggered by a maliciously (or legitimately, if unfortunately long) crafted SMS message. The original advisory released by Tobias Engel can be found here.

Executing the exploit is trivial. All the attacker needs is a phone or SMS gateway service that lets the message be marked as Internet e-mail (TP-Protocol-Identifier 0x32 in 3GPP TS 23.040) and a message body that starts with an e-mail address of 32 or more characters followed by a space, e.g. “123456789@123456789.1234567890123 DOSed!” (a 33-character address). Once the message arrives, the target phone's SMS handling silently breaks: according to the advisory a single message is enough on the S60 2nd Edition builds, while the 3rd Edition builds stop accepting messages after the eleventh. Either way the phone can no longer receive SMS (or MMS) messages, which makes this an effective SMS denial of service.

The problem appears to be in the way the S60 OS parses the e-mail address at the start of such a message. 3GPP TS 23.040 section 3.8 defines a little-used layout for SMS messages destined for e-mail recipients (the address, a space, then the text), and the failure is most likely in the code that handles or displays these messages. When a parsing error kills a service like this it can sometimes be turned into a buffer-overflow attack, but with the user data of a single SMS hard-limited to 140 octets (160 7-bit characters), that is most likely not possible here.
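To make the message layout and the parse concrete, here is an added example (not code from the original post or from the advisory) that builds the three SMS fields that matter for this bug and applies the check an SMS gateway could run on incoming traffic. It assumes the 3GPP TS 23.040 section 3.8 layout “address, space, body”, the TP-Protocol-Identifier value 0x32 for Internet Electronic Mail, and the 32-character threshold the advisory quotes; the GSM 7-bit packing covers the ASCII range of the default alphabet only, and all function names are this example's own.

```python
"""Curse of Silence payload layout and a gateway-side check.

Added example for this post, not code from the advisory or the original page.
Assumptions: the 3GPP TS 23.040 section 3.8 text layout
'<e-mail address><space><body>', TP-Protocol-Identifier 0x32 ("Internet
Electronic Mail"), and the 32-character address threshold from the advisory.
The 7-bit packing handles the ASCII range of the GSM default alphabet only.
"""

PID_INTERNET_EMAIL = 0x32   # TP-PID "Internet Electronic Mail" (TS 23.040 9.2.3.9)
ADDRESS_LIMIT = 32          # address length at which the affected S60 builds choke
MAX_UD_OCTETS = 140         # TP-User-Data limit of a single, unconcatenated SMS


def build_email_user_data(address: str, body: str) -> str:
    """Lay out the user data as a TS 23.040 s3.8 e-mail SMS: address, space, body."""
    if not address or " " in address:
        raise ValueError("e-mail address must be non-empty and contain no space")
    return f"{address} {body}"


def pack_gsm7(text: str) -> bytes:
    """Pack septets into octets, LSB first (TS 23.038 6.1.2.1.1); ASCII subset only."""
    if any(ord(c) > 0x7F for c in text):
        raise ValueError("only the ASCII range of the GSM 7-bit alphabet is handled")
    bits = 0
    for i, c in enumerate(text):
        bits |= ord(c) << (7 * i)
    return bits.to_bytes((7 * len(text) + 7) // 8, "little")


def unpack_gsm7(data: bytes, septets: int) -> str:
    """Inverse of pack_gsm7; `septets` is the value of the TP-User-Data-Length field."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))


def build_tpdu_fields(address: str, body: str) -> dict:
    """Produce the SMS fields relevant to the bug: TP-PID, TP-UDL (septets), packed TP-UD.

    Refuses anything that would not fit a single SMS; the bug needs no concatenation.
    """
    text = build_email_user_data(address, body)
    ud = pack_gsm7(text)
    if len(ud) > MAX_UD_OCTETS:
        raise ValueError("payload exceeds the 140-octet user data of one SMS")
    return {"pid": PID_INTERNET_EMAIL, "udl": len(text), "ud": ud}


def split_email_sms(user_data: str) -> tuple[str, str]:
    """The parse a receiving phone must do: everything before the first space is the address."""
    address, _, body = user_data.partition(" ")
    return address, body


def is_curse_of_silence(pid: int, udl: int, ud: bytes) -> bool:
    """Gateway-side check: e-mail PID plus an address of ADDRESS_LIMIT or more characters."""
    if pid != PID_INTERNET_EMAIL:
        return False                    # ordinary text message; the e-mail parser never runs
    address, _ = split_email_sms(unpack_gsm7(ud, udl))
    return len(address) >= ADDRESS_LIMIT


if __name__ == "__main__":
    # Constructed sample taken from the post: a 33-character address plus a short body.
    fields = build_tpdu_fields("123456789@123456789.1234567890123", "DOSed!")
    print(f"PID=0x{fields['pid']:02x} UDL={fields['udl']} UD={fields['ud'].hex()}")
    print("flagged:", is_curse_of_silence(**fields))        # True
    benign = build_tpdu_fields("bob@example.org", "lunch?")
    print("flagged:", is_curse_of_silence(**benign))        # False
```

The check deliberately keys on the protocol identifier as well as the address length: a 32-character token at the start of an ordinary text message (PID 0x00) never reaches the e-mail parser, so filtering on the text alone would block harmless messages while still missing nothing that matters.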

Symbian is a mobile operating system used mostly on Nokia phones (other manufacturers, including Sony Ericsson and Motorola, have shipped Symbian devices as well). According to the advisory, any phone running one of the S60 versions below is vulnerable:

  • S60 2nd Edition, Feature Pack 2 (S60 2.6)
  • S60 2nd Edition, Feature Pack 3 (S60 2.8)
  • S60 3rd Edition, initial release (S60 3.0)
  • S60 3rd Edition, Feature Pack 1 (S60 3.1)

You can identify which phones ship with the vulnerable versions by referencing the S60 product page.

F-Secure's mobile security product is advertised as protecting against this exploit. Other than upgrading the device's operating system (which must be supported by the vendor or carrier) or having SMS removed from your calling plan, a software product of this kind appears to be the only way to mitigate the problem on the device.