For the reply-to-sender option (SMS-Submit), an attacker could force the sending of the error message to a premium-rate number using an SMS spoofing service. SMS spoofing is the practice of changing the originating number of a text message to anything the sender desires. This can have legitimate as well as malicious purposes, and there are many online services that provide the feature for a small fee.
Some mobile operators have strict rules on setting up premium-rate numbers. Applicants might be asked to prove that they are a registered business and provide information about how the number will be used.
Restrictions can also be placed on the text strings that a message must contain in order for the sender to be charged, which would limit this attack because the attacker can't control the content of the automatic response.
However, the number and diversity of existing SMS scams is proof that obtaining a premium-rate number is not that difficult.
If the second option (SMS-Deliver-Report) is used, the error is sent to the operator's message center where it is interpreted as a message delivery failure.
When messages can't be delivered, because a phone is turned off or outside the service area, operators usually attempt to resend the undelivered message every few minutes for a predefined period of time. When this happens, all subsequent messages intended for that number are placed in a queue to be delivered when the phone re-joins the network.
Because receiving a bogus SIM Tookit message will always result in an error response, a loop is created between the message center and the phone, preventing the subscriber from receiving legitimate messages.
This denial-of-service (DoS) condition is not permanent and after a while, typically 24 hours, the undelivered message is automatically discarded. However, if an attacker were to send seven bogus SIM Toolkit messages one after the other, the message center would attempt to deliver each of them for 24 hours, resulting in a week of SMS DoS.
Alecu demonstrated the attacks on SIM cards from multiple operators in Romania, Bulgaria, Austria, Germany and France. However, since the attacks exploit a logic flaw in the GSM standard and later mobile standards, he believes that the majority of operators that use SIM Toolkits are affected.
Mitigating the attack is possible at both operator and device level. Operators can filter SIM Toolkit messages and restrict which numbers are allowed to send them. This would be an elegant solution, but Alecu has yet to find an operator that implemented it.
Phone manufacturers could enforce confirmation for SIM actions from their software. However, this fix will probably not be as effective as message filtering at operator level, Alecu said. Firmware updates are not always easy to install, especially on older phones. Performing a firmware upgrade in the wrong way can render devices unusable and many affected phones might not even be supported anymore.
The U.S. Computer Emergency Readiness Team (US-CERT) was notified of the problem in August 2010, and was asked to coordinate the disclosure process, Alecu said. He said Research In Motion (RIM) has contacted him and is working on a fix.
"We are aware of the claims and are investigating them," Nokia spokesman Tomi Kuuppelomäki said. Samsung, HTC, RIM and Apple did not return a request for comment.