Smartphones vulnerable to SMS-launched attacks warn researchers

01 Aug 2009

Researchers at the Black Hat security conference have identified a number of vulnerabilities in smartphones from several vendors that allow an attacker to execute malicious code without any action on the victim's part. The phones tested included Apple's iPhone.

The bug lets an attacker take control of the device simply by sending it an SMS (short message service) message, according to the researchers.

The researchers first identified the vulnerability three weeks ago, but at that time the extent of the damage it could cause had not been fully assessed. Having since analysed the bug further, they say they are now confident they can remotely hijack a device by doing little more than sending it a malformed SMS message.

The bug is located in CommCenter, a service that coordinates SMS, wireless and other functions on the iPhone and that by default runs as root, outside any application sandbox. A flaw there is an ideal vector for gaining control of the device, since code that exploits it runs with CommCenter's own privileges; to boot, SMS messages are delivered automatically and are often not easy for users to block.

The attack is launched by lopping off the last byte or two of the UDH, or user data header, that sits at the start of the message's user data, leaving the header's declared length inconsistent with the bytes that actually follow it. Crafting such a message is not difficult.
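To make the malformation concrete, here is an added example (not the researchers' fuzzer or Apple's code) modelling the part of the receive path it targets: a UDH parser following the 3GPP TS 23.040 layout (a UDHL byte, then IEI/IEDL/IED information elements), written once trusting the length fields and once checking them, plus a mutator that lops the last byte or two off the header while leaving UDHL as it was. The two sample messages are constructed for the example.

```python
"""SMS User Data Header (UDH) parsing per 3GPP TS 23.040:

    TP-UD = UDHL | IE | IE | ... | message body
    IE    = IEI (1 byte) | IEDL (1 byte) | IED (IEDL bytes)

UDHL counts the header bytes that follow it, not itself."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Information Element Identifiers used by the constructed samples below
IEI_CONCAT_8BIT = 0x00   # concatenated SMS, 8-bit reference: ref, total, seq
IEI_PORT_16BIT = 0x05    # application port addressing: dst port, src port


@dataclass
class InfoElement:
    iei: int
    data: bytes


@dataclass
class ParsedUD:
    elements: List[InfoElement]
    body: bytes


def parse_udh_naive(ud: bytes) -> ParsedUD:
    """Trusts UDHL and every IEDL, as a parser written for well-formed input does.
    Bytes are fetched by index so that a length field pointing past the buffer
    raises IndexError, the Python stand-in for the out-of-bounds read the same
    logic performs in C."""
    udhl = ud[0]
    end = 1 + udhl
    pos = 1
    elements = []
    while pos < end:
        iei, iedl = ud[pos], ud[pos + 1]
        data = bytes(ud[pos + 2 + i] for i in range(iedl))
        elements.append(InfoElement(iei, data))
        pos += 2 + iedl
    return ParsedUD(elements, bytes(ud[end:]))


def parse_udh_checked(ud: bytes) -> ParsedUD:
    """Checks every declared length against the bytes present before using it,
    and refuses a header whose IEs do not fit inside UDHL."""
    if not ud:
        raise ValueError("empty TP-UD")
    udhl = ud[0]
    if 1 + udhl > len(ud):
        raise ValueError(f"UDHL {udhl} exceeds the {len(ud) - 1} bytes that follow")
    header = ud[1:1 + udhl]
    pos = 0
    elements = []
    while pos < udhl:
        if pos + 2 > udhl:
            raise ValueError("IE header runs past UDHL")
        iei, iedl = header[pos], header[pos + 1]
        if pos + 2 + iedl > udhl:
            raise ValueError(f"IE 0x{iei:02x} length {iedl} runs past UDHL")
        elements.append(InfoElement(iei, header[pos + 2:pos + 2 + iedl]))
        pos += 2 + iedl
    return ParsedUD(elements, ud[1 + udhl:])


def truncate_udh(ud: bytes, n: int) -> bytes:
    """The described malformation: drop the last n header bytes, leave UDHL alone,
    keep whatever body follows the header."""
    udhl = ud[0]
    if not 0 < n <= udhl:
        raise ValueError("n must be between 1 and UDHL")
    return ud[:1 + udhl - n] + ud[1 + udhl:]


def classify(parser: Callable[[bytes], ParsedUD], ud: bytes, baseline: ParsedUD) -> str:
    """Outcome of feeding one variant to one parser."""
    try:
        parsed = parser(ud)
    except IndexError:
        return "crash"       # read past the end of the message
    except ValueError:
        return "rejected"    # parser refused the malformed header
    return "ok" if parsed == baseline else "misparse"   # accepted, but decoded differently


def fuzz_truncations(ud: bytes, max_cut: int = 2) -> Dict[int, Tuple[str, str]]:
    """For each cut of 1..max_cut header bytes, the (naive, checked) outcomes."""
    baseline = parse_udh_checked(ud)
    return {n: (classify(parse_udh_naive, truncate_udh(ud, n), baseline),
                classify(parse_udh_checked, truncate_udh(ud, n), baseline))
            for n in range(1, max_cut + 1)}


# Constructed sample: part 1 of 2 of a concatenated message, body "Hi"
SAMPLE_CONCAT = bytes([0x05,                                     # UDHL = 5
                       IEI_CONCAT_8BIT, 0x03, 0xAB, 0x02, 0x01,  # ref 0xAB, 2 parts, part 1
                       0x48, 0x69])                              # body "Hi"
# Constructed sample: header-only message addressed to an application port
SAMPLE_PORT = bytes([0x06,                                       # UDHL = 6
                     IEI_PORT_16BIT, 0x04, 0x0B, 0x84, 0x23, 0xF0])  # dst 2948, src 9200

if __name__ == "__main__":
    for name, sample in (("concat", SAMPLE_CONCAT), ("port", SAMPLE_PORT)):
        print(name, fuzz_truncations(sample))
```

The two samples show the two faces of the malformation. In the header-only message, cutting a byte or two pushes the declared length past the end of the message: the trusting parser reads out of bounds (the crash a fuzzer sees, and in native code a memory-safety bug), while the checked parser rejects the message. When a body follows the header, the body's bytes slide into the header and the structure still adds up, so both parsers accept it and silently decode body bytes as header fields; bounds checks alone do not catch that, and only a semantic check (here, a sequence number of 72 in a 2-part message) would.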

The discovery comes out of an extensive fuzzing effort that the researchers carried out over the last few months and outlined during a talk at the Black Hat security conference in Las Vegas. The exercise saw smartphones running operating systems from Apple, Google and Microsoft bombarded with more than 500,000 specially manipulated SMS messages to see how they reacted. To avoid paying carrier fees for every message, the researchers injected the messages through a channel they inserted between each device's application processor and its modem, bypassing the carrier network entirely.

The researchers also discovered several bugs that can crash smartphones running Google's Android and Microsoft's Windows Mobile operating systems. Because SMS messages are stored on carrier servers until the recipient is reachable, attackers can mount long-lasting denial-of-service attacks by queuing up a large number of malformed messages: each one delivered crashes the phone again, and the rest wait on the server for it to come back online.