Nokia phones vulnerable to DoS attack

A vulnerability in the software used by Nokia's 6210 model cellular telephone could make those phones vulnerable to a denial of service (DoS) attack, similar to the types of attacks that are commonly launched against computer networks.

The vulnerability exists in code that handles the processing of vCards, virtual business cards that can be transmitted from one cell phone user to another using the popular Short Message Service (SMS), according to the advisory posted by Cambridge, Mass.-based security company @stake.

Nokia 6210 phones running software version 05.27 or higher are affected, according to a statement by Nokia in response to the @stake advisory.

VCards are commonly used to transmit contact information from one user to the next. Depending on the phone models used, they can be transmitted using either infrared or SMS, though the vulnerability discovered by @stake did not affect infrared transmission, according to Ollie Whitehouse, director of security architecture at @stake and author of the advisory.

Once received, vCard data can be saved in the recipient's phone directory and transferred to another contact management software such as Microsoft's Outlook or IBM's Lotus Notes products, Whitehouse said.

An attacker could crash the Nokia phone by creating a vCard that was too large to be contained within a single SMS message and that contained fields with a large numbers of format string characters. When the targeted Nokia phone received the last part of the malformed, multipart vCard, it would produce a buffer overflow on the phone's software, causing the phone to crash.

When crashing, the 6210 phones might unexpectedly restart, lock up, or stop handling SMS messages, according to Whitehouse.

To recover from the attack, the phone's user would need to take out the phone's battery, then restore it. The phone's software, memory or stored data are not affected by the buffer overflow attack.

Although not exploitable by casual cell phone users, the vulnerability would be easy for a moderately technical user to take advantage of using software available on the Internet, according to Whitehouse.

Though not a critical vulnerability, the flaw discovered by @stake points to the need for closer scrutiny of the software code that runs on so-called "embedded" devices such as cellular telephones and  PDAs (personal digital assistants), according to Whitehouse.

Companies that write software for those devices are not taking up the banner of security as readily as are makers of software for computer desktops, Whitehouse said.

And, while the relative obscurity of cell phone platforms and the tools to exploit them keeps the number of attacks low, things might not stay that way. The widespread deployment of cell phones and PDAs with vulnerable software will be fertile ground for hackers, Whitehouse said.

While 6210 users can do nothing to prevent against an attack using this vulnerability, cell phone operators should consider deploying SMS proxies to sniff out and stop malformed messages, Whitehouse said.