SMS messages could be used to hijack a phone

Be careful who you give your mobile phone number out to. An attacker with the right toolkits and skill could hijack your phone remotely just by sending SMS messages to it, according to mobile security firm Trust Digital.

In the Trust Digital demo on YouTube, an attacker sends an SMS message to the victim phone (on the left) which opens up a Web browser and downloads an executable file that directs it to send an SMS to the attacker's phone (on the right).

(Credit: Trust Digital)

In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep, an attacker could send a text message to a phone that would automatically start up a Web browser and direct the phone to a malicious Web site, said Dan Dearing, vice president of marketing at Trust Digital. The Web site could then download an executable file on the mobile phone that steals data off the phone, he said.

Dearing demonstrates how this can be done in a video on YouTube.

In another type of attack, an attacker could hijack a phone by sending a type of SMS message called a control message over the GSM network to a victim's phone that is using a Wi-Fi network and then use special toolkits to sniff the Wifi traffic looking for the victim's e-mail log-in information. This attack is explained in another YouTube video.

While the attacks at this point are proof-of-concepts, they could be done if someone has the requisite knowledge and toolkits, said Dearing. Trust Digital recently announced software called EMM 8.0 that can help organizations protect employee phones from these types of attacks, he said.

"This is a completely real threat," said Philippe Winthrop, a director in the global wireless practice at Strategy Analytics. "We will see these attacks. It's a matter of time."

[LandMineHare]

Are any of Microsoft's operating systems safe?

[dcmichie]

Hahahaha! Good one!

[TheDrumThumper]

Nope. Computers are much like safes--all it takes is enough time to crack it.

[Angmarr]

LOL I like how its always been apple that gets hacked FIRST in in competitions!

[ibeetle]

@Angmarr
No Apple has never been hacked... ever in any competition. Look at the way these competitions are run. When it comes to Apples suddenly the the rules are changed. In the last competition it was widely reported that the Apple was hacked in 20 minutes. When did 3 days become 20 minutes? After 3 days of trying the Apple was the only computer that was still secure. The Lixux box was cracked in 12 hours the Windows computer was cracked in 15. In order for the Apple to be cracked the rules of the contest had to be changed, and the keys to the encryption had to be reveled as well as the DNS codes. Thats like giving a person 3 days with lock picks only having to tell them the key is really under the mat. Then lift up the mat for them.

[monkeyfun14]

@ibeetle
You have it all wrong
@parent commenter
No one said this was a WinMo only exploit.

[Vegaman_Dan]

@ibeetle:

You really need to check your facts and keep up with the news. Yes, the Apple products were hacked. You can try to explain it away however you wish and deny reality, but the results are still the same- they got hacked.

Big freaking deal. Get over it.

Geez.

[LordSnotrag]

Hey ibeetle:

http://news.cnet.com/8301-13579_3-9905095-37.html?tag=mncol;txt

http://news.cnet.com/8301-1009_3-10199652-83.html?tag=newsEditorsPicksArea.0

When did 2 min [for one hack] or 10 seconds [for the other] become 3 days? And I didn't notice anyone "leaving the key under the mat" for this guy.

[ikramerica--2008]

No, just opening a door for a stranger... ;)

[n3td3v]

The security industry is getting overly excited about virtualisation security that they were distracted from the real threat: mobile security.

[chabig83]

Shouldn't this article be titled, "SMS messages could be used to hijack Windows phones"?

[webmastercorey]

Yes

[ibeetle]

When it comes to internet security it is always the same argument:
1) Well, no network is really secure no matter the OS.
2) It is all Apples fault
3) If 1 and 2 fail stick fingers in ears and go lalalalallalalala

[JCPayne]

Not necc... Some mobile phones that aren't Windows Mobile might automatically allow addresses to be "pushed" via SMS... I think Sony Ericson's can also auto load a browser window too by a URL pushed via SMS. On my Z710u if you goto the text message area, then click on "Settings", and then "Push". The options are there which say "Allow push message: "Always", "Always Ask" or "Never."

[Vegaman_Dan]

That could be one title- it would be wrong, but it is one possible title.

Considering the methods used apply to Windows Mobile, Blackberry, Palm and... yes, the iPhone, then it really a cross platform method.

It's a demonstration of the technique which is cross platform.

[sharmajunior]

I believe this kind of an attack was first reported to be demoed on a Nokia. That is a symbian, winmo OS. As a matter of fact any phone can be hacked and controlled remotely of the hacker has the right tookits and knowledge about the type of phone being used. All that is required is a SMS message being sent to you. The bad thing is you pay for receiving the message and you get hacked.

[rrod182]

iPhone does not support WAP. Therefore it's not vulnerable to this. iPhones will display a URL, but its a 2-click process to open it. Other phones might support WAP PUSH, but its still up to the carrier and user to decide if they want to support SL (Service Loading), otherwise WAP messages just go into the inbox and require user interaction to do anything. On top of this, it's platform dependent whether the browser will execute unauthorized code, I.E. has always been terrible with this.

[Suny Buffalo]

I am surprised by such tactics, since my understanding of SMS, as described by wikipedia, as "Text Messenger." It's like Notepad, you can't place a hyperlink, nor can you execute an application within SMS. Therefore, unless I am mistaken, these newer SMS found in such devices as iPhones, BlackBerry, etc.., contain new formats that allow embedding, like hypertext, or downloading/execution of an application. In all cases, this still requires the user to "Interact", thereby, the question will be: why would you click on a hyperlink or any file within this message, from someone you don't know or know you would never receive onto your phone??
It baffles me. I use the phone for calling, and I text only when I know that that individual is at work and cannot be disturbed, at times, I leave a message. Easy, and simple.
What gets me about this story is the fact that it said, "In what it calls a "Midnight Raid Attack" because it would be most effective when a victim is asleep..." Wait a minute, isn't the phone turned OFF!! and charging? Then it says, "automatically start up a Web browser.." Let me get this straight, your phone turns ON!! automatically?? Be for real! First of all, when you turn on your phone, the first thing you'll see is a pop up telling you that you received a call (in missed call) then that you have a text message, and if you want to view it. Nowhere, does it say you want to connect to the internet, unless, you yourself have "clicked" an assigned button to connect. So, unless I am mistaken and these newer phones seem like an AI kind of phone that do all the clicking for you then i am still living the dinosaur age with a simple and easy phone with no "frills" (although I do have web capable, i do not use it).
As a word of caution, read what it says on you display before you click or answer, it may save you from saying, "****! What have I done!"

[LisaSim]

First, this is the first time hear that someone turns his phone off when he goes to sleep. Second, you r mistaken about having to click on the phone to connect to the internet, sending the right SMS will do it automatically. this is part of the protocol and very few phones block it. If you read the second part of the article you could see that even this block could be unblocked by sending a control message that changes the setings

[JCPayne]

The only safe computer is one that you disconnect from any phone jacks... Disconnect it from all ethernet and other connections (firewire, USB, etc.), disable any bluetooth and then unplug the power and set it somewhere off in the corner of your room... Even than you better hope your hard drives have been encrypted because if someone steals those, you'd be back to square one all over again.

[professionaladventurer]

So why do you have your phone set to open IE from a SMS and go to a URL? Mine doesn't do this, is there some way to turn this feature on? I would guess you programed your phone to launch automatically a web browser.

[LisaSim]

Some phones just comes this way from the carrier. but, the more scary is the second part shown in the article and by that you could turn on/off settings, like the IE from SMS.

[baharizan]

this is for SMS or WAP PUSH messages....?as i know wap push messages only active on click.

[LisaSim]

wrong, see my previous comment

[monkeyfun14]

The author needs to clarify this is for all phones just showing 2 Windows Mobile phones and not saying anything is just a bad way to get people riled up.

[Michichael]

Old story. This vulnerability popped up in java based phones first. Just an FYI...

[LisaSim]

Only the Wap Push part not the setting changes part (control messages), you should read articles to the end :)

[Raschelle]

"by LisaSim April 20, 2009 1:56 PM PDT
First, this is the first time hear that someone turns his phone off when he goes to sleep."

I turn my cell phone off when I go to sleep. Heck, I usually turn it off the minute I get home from work! I'll venture a guess that the people that leave their phones on at night probably don't have landlines or have a real need to be reached by cell in the middle of the night (instead of a landline).

I love technology, but sometimes the security issues get to be a real headache. Oh well, gotta take the bad with the good, right? ;-)

[DiJac]

SMS........... What is it?

[harh1972]

This reporting is not responsible. I can write code to do bad things on ANY machine. If I ask you to let that code on to your machine - you're done. The reporting makes it sound like we will starting getting sms attacking our phone. Simply not true.