We've looked before at apps that hijack smartphones, and malware that attacks iPhones or Androids, but did you know that only 16% of mobile phones are smartphones? The other 5 billion are "low end" basic phones, also called feature phones that can perform only a few other tasks like send text messages, play games, or play back MP3s. Just in case those 5 billion users felt left out when comes to the ability for their cell phone to be attacked, researchers from the Berlin Institute of Technology have come up with "SMS-o-Death."
Although feature phones are harder to attack, two students found a way to send malicious text messages via short message service (SMS) and force cell phones to shut down. Collin Mulliner and Nico Golde, from the Security in Telecommunications department at the Technische Universitaet Berlin, took advantage of SMS protocol that can transmit small programs called binaries that are most often used by network operators to change setting remotely on mobile devices. These researchers were able to create malicious SMS messages for all popular feature phones such as Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax. The attack could abruptly shut down cell phones and knock them off a cellular network.
Technology Review reported that because feature phones are so common, Mulliner says, such an attack "could take out a large percentage of mobile communications." To target a specific victim, an attacker would need to know the make and model of the victim's mobile phone -- since each platform requires a different malicious binary message. Mulliner says that attackers could get around that and "easily knock out large numbers of phones by sending a set of five SMS messages -- targeted to the five most popular models -- to every device on a specific network."
There's not much that can be done to thwart these attacks. Mulliner said, "The only people who can defend against this attack are the network operators." It require non-smartphone owners to update firmware on existing phones. Many feature phone owners either don't know how to update via USB or fear the update will be buggy. Another approach might be filtering out the text messages, but filtering software is most commonly used to catch spam and is not optimized to catch binaries.
Charlie Miller, a security researcher who is well known as "I'm that Apple 0day guy," has discovered security flaws in iPhones and other mobile devices. "Smart phones are sexier targets, but the masses still by and large use feature phones," Miller said. Because most cell phones are feature phones, the SMS-o-Death could affect billions of people, yet be unlikely or very difficult for attackers to steal personal information. SMS vulnerabilities in iPhones and Windows Mobile-based HTC devices allow attackers to steal personal info and take over phones, Miller added, citing research he and Mulliner had conducted a few years ago.
SMS-o-Death does not permanently kill a mobile phone, but the problem could prove very difficult to fix and its tricks could exasperate targeted people to no end. It adds up to be a very annoying prank by shutting off the phone without the owner's knowledge or knocking the phone off the cellular network .
This story, "Text Message of Death Threatens Phones " was originally published by Computerworld.