January 2, 2009 4:33 PM PST

'Curse of silence' smartphone flaw disclosed

by Tom Espiner

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the "curse of silence" by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed e-mail message via SMS (Short Message Service). Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an e-mail address longer than 32 characters, Nokia S60 2.6, 2.8, 3.0, and 3.1 devices are not able to receive any more SMS or MMS messages. The S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia representative told CNET News sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the representative. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."

Products running S60 3rd edition, feature pack 2, are unaffected, said the representative, who added that the issue can be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the representative.

F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday the security vendor said the vulnerability will "most likely be used by jealous boyfriends," but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.

Tom Espiner of ZDNet UK reported from London.

by JohnLudlow January 2, 2009 9:02 PM PST
Is it just me or is there a missing question here: How can a denial of service attack target a specific type of client device? A DOS attack targets a centralised service such as a website or email server.

After reading the article it seems that the attack is actually a virus or malware message of some sort, not a DOS attack.

I wonder if lots of MAC and Linux viruses are being mis-labelled as other types of attack...?
by ralfthedog January 3, 2009 9:01 AM PST
It is not a virus or any other form of malware. It is a buffer overflow causing the user not to be able to use the service.
by Penguinisto January 3, 2009 10:05 AM PST
It is a DOS attack because the worst it can do is to deny you a service (SMS). It does not take over a phone, nor does it destroy data or alter the phone's contents.
by Philips January 2, 2009 9:05 PM PST
"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue"

That's stupid. This is a plain bug. **** and fix it.
by timber2005 January 2, 2009 9:38 PM PST
...and people thought the Zune 30 end of leap year crash was bad...
an email address of >32 characters?
by lordmorgul January 2, 2009 9:58 PM PST
Probably originating from some developer that misinterpreted some of the email related RFCs... and figured 32 characters was as big as it should ever need.
by Penguinisto January 3, 2009 10:07 AM PST
Wrong-O, my dear MSFT cheerleader - this one doesn't brick your phone like the Zune bug did. The Zune crash was worse - it bricked your Zune, and it affected nearly everyone without any malicious interaction required.

Unless you live in Europe (where SMS is common), I doubt you would even notice if you had it or not.
by D3vildog699 January 4, 2009 10:49 AM PST
Unless you live in Europe (where SMS is common)...


'Cause it's not common in the States? That's all I use to communicate... same with all of my friends.
by ducttape36 January 6, 2009 9:52 AM PST
My Zune 30 isn't bricked. It's working fine, as is everyone else's.
by 3rdalbum January 3, 2009 5:45 PM PST
The fix is easy. So fix it.