Attackers can force mobile phones to send premium-rate SMS messages or prevent them from receiving messages for long periods of time by leveraging a logic flaw in mobile telecommunication standards.
The flaw was discovered by independent security researcher Bogdan Alecu, who demonstrated how it can be exploited at the DefCamp security conference in Romania on Saturday.
Alecu exploited the way mobile devices process text messages intended for special applications called SIM Toolkits, which he said are preloaded on SIM cards by over 90 percent of mobile operators.
The applications can perform actions that include checking credit or voice mail, calling emergency numbers or customer support, and even performing mobile banking, and typically appear on the phones as a menu or application bearing the operator's name.
SIM Toolkits can receive commands through specially formatted SMS messages, but for those commands to be executed, the message headers must carry a valid digital signature.
The vast majority of mobile phones don't display any notification when they receive SIM Toolkit messages, he said. Some wake from their sleep state, but no message is visible in the inbox and there's no other indication that a message was received.
The cryptography used to verify message authenticity is solid and can't be cracked, Alecu said. Instead, his attacks rely on phones automatically returning error messages when a command fails verification, rather than executing legitimate commands.
Those error replies are sent without user involvement. Users of some phones might see that a message is being sent, but they usually can't stop it.
Alecu tested his exploits on phones from various manufacturers. Only devices from Nokia have an option to ask phone owners to confirm sending a SIM Toolkit response. The option, "Confirm SIM Service Actions," is usually off by default, especially on phones configured by operators.
He tested phones from High Tech Computer (HTC) and Samsung Electronics running stock Android firmware, and an LG Optimus One with CyanogenMod, a community-built version of the popular mobile operating system. None of them displayed a notification when sending SIM Toolkit responses, and he found no option to block responses.
BlackBerry devices presented a similar behavior, he said.
Windows Mobile 6.x devices and iPhones notified users a message was being sent, but offered no way to stop it. Alecu hadn't yet tested a Windows Phone 7 device.
The sender of a SIM Toolkit service message can request that the phone reply via SMS either directly to the sender's number, or to the operator's message center, according to Alecu.
Those two options give rise to two different attack scenarios, he said.