Security

July 31, 2009 11:50 AM PDT

Apple fixes iPhone SMS flaw

by Jim Dalrymple

Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.

"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.

Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.

Miller said that Apple was first notified of the flaw six weeks ago.

According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.

The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.

July 30, 2009 7:28 PM PDT

An SMS can force a URL or app on smartphones

by Elinor Mills

John Hering and Kevin Mahaffey of Flexilis demonstrate an SMS attack targeting a Windows Mobile phone.

(Credit: Elinor Mills/CNET News)

LAS VEGAS--In one of a handful of SMS-related presentations here at the Black Hat security show, researchers demonstrated on Thursday how they can force certain types of smartphones to visit a malicious URL or install an app without user approval.

The vulnerability only affects phones that have been misconfigured by the original equipment manufacturer so that they accept any message sent through WAP Push (Wireless Application Protocol), a service that runs on top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party such as the mobile operator, said Hering, chief executive of Flexilis, which provides software for protecting mobile phones from attack.

The vulnerability spans all Windows Mobile devices including HTC, Motorola, and Samsung, he said. The phones that are vulnerable have been misconfigured and it's random which ones have the weakness.

Phone owners can test their phone to determine if they are affected by the issue. Hering and Kevin Mahaffey, Chief Technology Officer at Flexilis, are releasing a free tool that can be used to test whether a mobile phone is vulnerable, and if so fix the issue.

The researchers said they had not yet determined whether the iPhone or other devices were vulnerable. They said they have notified carriers, or Microsoft, and fixes are being worked on.

The attack works on GSM networks, the men said, adding that they had not yet tested it on CDMA networks.

The researchers built this device for testing for the vulnerability on multiple phones at once.

(Credit: Elinor Mills/CNET News)

The researchers have developed free, open-source software called "Fuzzit," which is designed to test the security of mobile devices and is geared towards mobile manufacturers, operators, and software developers. It will be released shortly. They also built a device that allows for the testing of multiple phones on different platforms at once for internal research and development.

Their session was just one of a handful that dealt with vulnerabilities on mobile phones and SMS, in particular.

In a presentation earlier in the day, Zane Lackey of ISEC Partners and independent researcher Luis Miras demonstrated how an attacker could spoof an MMS (multimedia messaging service) type of SMS message that appears to be sent from a trusted source and trick the recipient into visiting a malicious Web site.

Also on Thursday, Charlie Miller of Independent Security Evaluators and independent researcher Collin Mulliner demonstrated another type of attack in which they can take complete control over an iPhone merely by sending special SMS messages. They proved the attack the night before with a denial of service attack on my non-jailbroken iPhone, which runs OS 3.0.

Since SMS is available on so many devices and is always on--as long as the phone is turned on--it makes for an attractive target for attackers, according to researchers.

Originally posted at InSecurity Complex

July 30, 2009 1:53 PM PDT

Researchers can attack mobile phones via spoofed SMS messages

by Elinor Mills

LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.

This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.

The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior consultant at ISEC Partners, and independent researcher Luis Miras.

Luis Miras and Zane Lackey prepare for their presentation on SMS spoofing at Black Hat.

(Credit: Elinor Mills/CNET)

They used a jailbroken iPhone for their demos of their proof-of-concept code that allows for bypassing carrier protections for SMS communications by sending specially crafted MMS messages.

SMS communications are used by carriers to do administration on the phone and contact customers. For example, voice mail notifications are often delivered over SMS, according to Lackey.

As a result, such admin messages are trusted by recipients, despite the fact that they typically do not reveal the source of the message and other details, they said. Spoofed messages could appear to come from any trusted company like a bank or PayPal.

"This is a carrier issue," Miras said. "We disclosed to them and they're working on a fix."

The researchers also have shared information with the GSM Alliance, which is providing details of the exploit to carriers, they said.

In one demo, they sent a victim a message that offered a $20 credit and included a link to a supposedly malicious site. In other demos the researchers sent a fake voice mail alert and sent an SMS that prompted the recipient to accept or decline unknown new phone settings.

If the recipient accepted the changes believing they were something routine from the carrier, an attacker could be using the permission granted to do something behind the scenes like route all the phone's Internet traffic through an attacker's server instead of a carrier server, which would allow the attacker to spy on all the communications.

The SMS exploits the researchers showed allow an attacker to "bypass the carrier spoofing protections" including anti-malware filtering, Lackey said. The attacks also could be used to find out what operating system a phone is running so that someone could launch an attack targeted for that software, he said.

Lackey and Miras released a tool called TAFT (There's an Attack For That) that automates the implementation flaws that have been fixed. It does not allow for the spoofing issues, which carriers still need to address, they said.

SMS attacks are getting easier because iPhones and Android devices are easily modified and because SMS functionality has been built at higher layers that provide full access to an attacker, said Lackey.

The researchers also said they uncovered an SMS implementation flaw that they exploited to temporarily crash the phone process of an Android phone so no calls or texts could be sent or received. Google fixed that flaw, they said.

They also discovered a flaw in a third-party iPhone app from SwirlySpace that interfered with the phone and texting capabilities and that too has been fixed, Miras said.

There isn't much someone can do to protect against these attacks except be wary of SMS messages in general, he said.

Originally posted at InSecurity Complex

July 29, 2009 8:51 PM PDT

Researchers attack my iPhone via SMS

by Elinor Mills

Researchers Collin Mulliner and Charlie Miller shortly before they proved they could attack my iPhone with a text message, even after a beer or two.

(Credit: Elinor Mills/CNET News)

LAS VEGAS--Researchers have discovered a way to take complete control over an iPhone merely by sending special SMS messages and demonstrated it on my iPhone at the Black Hat security conference on Wednesday.

Although an attacker could exploit the hole to make calls, steal data, send text messages, and do basically anything that I can do with my iPhone, the researchers were kind and merely rendered it temporarily inoperable.

Here's what happened: While I was talking on the phone to Charlie Miller, his partner, Collin Mulliner, sent me a text message from his phone. One minute I'm talking to Miller and the next minute my phone is dead, and this time it's not AT&T's fault. After a few seconds it came back to life, but I was not able to make or receive calls until I rebooted.

My iPhone is not jailbroken and it is running iPhone OS 3.0.

The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages, said Miller, a senior security researcher at Independent Security Evaluators.

There is no patch, despite the fact that Apple was notified of the problem about six weeks ago, he said. All current versions of the iPhone operating system are affected.

The attack is similar to an SMS attack demonstration CNET News wrote about in April in which mobile security firm Trust Digital was able to send an SMS to a phone that opened up a Web browser and directed the phone to a malicious Web site where malware could be downloaded.

In the more recent research, Android-based phones were found to be similarly susceptible to an SMS attack, only an attacker could temporarily knock the phone off the cell network but not take control, according to Mulliner, who's getting his PhD at the Technical University of Berlin. Google patched the hole last week within a day or two of being notified of the problem, he said.

Meanwhile, a bug in the code written by HTC that controls the user interface on Windows Mobile devices could also be exploited via the SMS messages to make it so there are no buttons to push so the phone can't be used, said Miller.

For the attack to work, an attacker must send hundreds of SMS control messages, which are different from regular SMS messages, according to Miller. Only the initial SMS may be seen, he said.

The researchers will demonstrate the attack on an Android phone and an iPhone during their presentation on Thursday.

Previous iPhone attacks required an attacker to lure the iPhone user to visit a malicious Web site or open a malicious file, but this attack requires no effort on the part of the user and requires only that an attacker have the victim's phone number, Miller said.

Once inside a victim's phone, the attacker could then send an SMS to anyone in the victim's address book and spread the attack from phone to phone, he said.

Previously, Miller discovered a hole in the mobile version of Safari shortly after the iPhone was launched in 2007 and earlier this year he won a contest at CanSecWest by exploiting a hole in Safari.

Asked what an iPhone user can do when attacked, Miller replied: "Rebooting wouldn't be a bad idea. It would stop all but the most sophisticated attacker. However, it doesn't take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again. That's why I think this is so serious."

Updated July 30 at 4:45 p.m. PDT to include that phone attacked was not jailbroken and was running iPhone OS 3.0, and at 8:18 a.m. with Miller talking about what a victim can do when attacked.

Originally posted at InSecurity Complex

July 14, 2009 8:53 AM PDT

Cisco: Text message scams on the rise

by Elinor Mills

Cyber scammers are banking on the notion that many people who might not fall for a phishing scam via e-mail may still be easy targets through their mobile phone, according to a security report released Tuesday from Cisco Systems.

Text message scams are on the rise, particularly fake messages that appear to come from a legitimate bank, said the report, which covers a wide variety of cybercrime topics.

In many of the scams, the SMS messages direct the recipient to call a telephone number where an automated message prompts the caller to provide a log-in ID or account number and PIN. Other messages provide a URL that leads to a phishing site that looks like a legitimate site.

Specific scams have targeted cell phone users in Fargo, N.D., along with customers of First Community Credit Union and Buffalo Metropolitan Federal Credit Union in New York and of BCT Federal Credit Union in New York and Pennsylvania, the report said.

"People are giving up information through the voice channel in a way they never would do through e-mail or the Web," said Patrick Peterson, Cisco's chief security researcher.

Meanwhile, cybercriminals are continuing to get more sophisticated and borrowing from real-world business models. For instance, researchers have come across a service called VirTest that will test malware and viruses against products from the major antivirus vendors for a fee, Peterson said.

Originally posted at InSecurity Complex

July 7, 2009 4:00 AM PDT

FAQ: How to vanquish mobile spam

by Elinor Mills

I got my first SMS spam message last week and it infuriated me.

The mortgage-related text message was more than just a nuisance, like e-mail spam is. It also was a strong indication of how marketers have managed to invade every private communication space consumers have.

And it was frustrating that I didn't know what to do about it. Being an AT&T customer, I tried to register on AT&T's site figuring I could learn what to do and take action there. Unfortunately, it kept telling me that it didn't recognize my password, so I had to call customer support. The support representative directed me to a different URL where I was able to log in and she tried to walk me through the site to the place where I could set spam-blocking settings, but was unable to because of some technical issue on her end. So she just changed the settings for me.

I called the four major U.S. wireless carriers to find out exactly what they suggest their customers do when they get SMS spam. Here is what they said, along with some other basic questions and answers people may have about mobile spam.

AT&T
Customers can block text messages or calls from a specific phone number on its Web site here, as well as restrict the sources of e-mail that reach your phone on this site. Customers can also reply to text messages by typing in "BLOCK" or "STOP" to prevent future messages from that sender, and call a customer service representative if further help is needed, said AT&T spokesman Mark Siegel.

Sprint
Sprint wants customers to call customer service to report all spam messages so the company can modify its spam-filtering technology to block the phone numbers that are sending it, said Sprint spokesman John Taylor. Customers should not reply to the messages, otherwise it verifies to the spammer that the phone number is valid, he said.

T-Mobile
Postpaid and FlexPay customers can create their own filters and block chargeable text messages, MMS (multi-media service) messages, instant messages, and e-mail from being sent to their phones by calling customer service, spokeswoman Cara Walker said.

Verizon
Customers can log into the site and sign up for Usage Controls ($4.99 a month) that allow them to block certain numbers from calling or sending text messages to the phone. And if customers text only with a few people they can create an alias address here for free and receive only text messages sent to that address, said Verizon spokeswoman Debra Lewis.

Verizon has filed eight to 10 lawsuits against SMS spammers over the past four to five years, and 20 lawsuits altogether involving telemarketers, she said.

What can I do to prevent unsolicited phone calls to my mobile phone?
To block spam phone calls, customers should register their mobile numbers with the U.S. Federal Trade Commission's Do Not Call Registry.

What are the carriers doing to block spam?
The mobile service providers said they are using antispam filters and antivirus technology to protect against the different types of mobile spam. They did not want to go into too much detail as to what technologies they are using.

Why am I getting spam?
Some people may be inadvertently opting in to receive text messages when they sign up for other services with merchants. Many free ringtone download sites are used to harvest mobile numbers. Spammers also use auto-dialers that randomly generate numbers or try them sequentially. Because mobile phone numbers do not appear in public directories people should be careful who they share their numbers with. Be wary of sites that promise to remove numbers from spam lists because they are often set up to collect the numbers instead. Also, read terms and conditions of sites and services carefully before giving out a mobile number.

Do I get charged for spam messages?
In general, consumers will not be charged for spam text messages and can get a credit if they report it to the company, on a case-by-case basis.

Is spam illegal?
While Verizon is suing companies for violating the federal Telephone Consumer Protection Act, which makes it illegal to use an auto-dialer to make calls to wireless phones, there is no explicit measure outlawing SMS spam, yet. Measures in the U.S. House of Representatives and Senate were introduced this year to rectify that. The m-SPAM Act, introduced by Sens. Olympia Snowe, a Maine Republican, and Bill Nelson, a Democrat from Florida, would expand the regulatory authority of the Federal Communications Commission and the FTC to intervene against SMS spammers and would explicitly bar marketers from sending text messages to any mobile number in the national Do Not Call registry. A similar measure was introduced by Rep. Phil Gingrey, a Georgia Democrat, in March after his antispam effort last year failed.

How big a problem is this?
While people in the U.S. might receive two SMS spam messages a year, things are worse elsewhere: in Europe one a week is typical; in India people receive as many as two per day; and in China it's more like five to 10 each day, according to Ferris Research. Last year, Ferris Research estimated that wireless users in the U.S. received more than 1.1 billion spam text messages in 2007, up 38 percent from 2006.

Originally posted at Wireless

July 2, 2009 2:03 PM PDT

Researcher hopes Apple fixes possible iPhone SMS security hole

by Elinor Mills

A security researcher said on Thursday that he hopes that Apple has a fix later this month for what he believes could be a vulnerability in the iPhone that could allow an attacker to gain control of the device remotely via SMS, according to IDG News Service.

An attacker could exploit a possible weakness in the way iPhones handle SMS (short message service) messages to do things like use GPS to track the phone's location, turn on the microphone for eavesdropping, or take control of the device and add it to a botnet, Charlie Miller, co-author of The Mac Hacker's Handbook and principal security analyst at Independent Security Evaluators, said in a presentation at the SyScan conference in Singapore.

Miller said he plans to give a more detailed presentation on the hole at the Black Hat conference in Las Vegas at the end of the month.

Despite the SMS hole, which "could be a critical vulnerability," the iPhone is more secure than OS X on computers, Miller said. That is because the iPhone doesn't support Adobe Flash and Java, only runs software digitally signed by Apple, includes hardware protection for data stored in memory, and runs applications in a sandbox, he said.

Apple representatives did not immediately respond to an e-mail request for comment.

Correction at 8:45 p.m. PDT July 29: This post was updated to correct that the researcher said he hopes Apple will fix the flaw, not that it will.

April 19, 2009 3:42 PM PDT

SMS messages could be used to hijack a phone

by Elinor Mills

Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In the Trust Digital demo on YouTube, an attacker sends an SMS message to the victim phone (on the left) which opens up a Web browser and downloads an executable file that directs it to send an SMS to the attacker's phone (on the right).

(Credit: Trust Digital)

In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.

Dearing demonstrates how this can be done in a video on YouTube.

In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network and then use special toolkits to sniff the Wi-Fi traffic looking for the victim's e-mail log-in information. This attack is explained in another YouTube video.

While the attacks at this point are proof-of-concepts, they could be done if someone has the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.

"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."

January 2, 2009 4:33 PM PST

'Curse of silence' smartphone flaw disclosed

by Tom Espiner

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0, and 3.1 devices are not able to receive any more SMS or MMS messages. The S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia representative told CNET News sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the representative. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."

Products running S60 3rd edition, feature pack 2, are unaffected, said the representative, who added that the issue can be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the representative.

F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday the security vendor said the vulnerability will "most likely be used by jealous boyfriends," but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.

Tom Espiner of ZDNet UK reported from London.
