Curse of Silence exploit curses S60 handsets… with silence

Can you imagine the response at the F-Secure offices? Woweeee, people might finally have a reason to buy our S60 app! A group in Germany by the name of Chaos Computer Club has discovered a pretty major vulnerability in the S60 OS that allows an attacker to disable incoming SMS and MMS on a remote device. The exploit, a DoS attack of sorts, is very simple to take advantage of and for the time being, the only way to block an attack would be to have an SMS-blocking application installed and set to only accept messages from a white list. Here’s how the exploit works in a nutshell:

Emails can be sent via SMS by setting the message’s Protocol Identifier to “Internet Electronic Mail” and formatting the message like this:

[email-address][space][message body]

If such messages contain an email address with more than 32 characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after only one message, 2.8 and 3.1 devices after 11 messages.

Yep, it’s that easy. Chaos Computer Club is not a malicious group and as such, it had brought the Curse of Silence to the attention of Nokia and GSM carriers long before the internet caught wind of it. We’re still waiting for word on whether or not the issue has been addressed by either Nokia (through recent firmware updates) or by various carriers (by blocking messages with the COS formatting). We can tell you one thing though, we’re not testing it on our handsets!
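The check a carrier-side or handset-side filter could apply to the message format described above, as an added example (not code from Chaos Computer Club, Nokia or any carrier). It assumes the SMS has already been decoded into sender, TP-PID and text; the `DecodedSms` structure and the function names are hypothetical, and 0x32 is the TP-PID value for Internet Electronic Mail in 3GPP TS 23.040.

```python
from dataclasses import dataclass

# TP-PID value for "Internet Electronic Mail" interworking (3GPP TS 23.040).
PID_INTERNET_EMAIL = 0x32
# The page states that addresses longer than 32 characters trigger the bug.
MAX_SAFE_ADDRESS_LEN = 32

@dataclass
class DecodedSms:
    """Already-decoded SMS fields (hypothetical structure for this example)."""
    sender: str
    pid: int
    text: str

def email_address_field(text: str) -> str:
    """Address part of '[email-address][space][message body]'; whole text if no space."""
    return text.split(" ", 1)[0]

def is_curse_of_silence(msg: DecodedSms) -> bool:
    """True if the message matches the pattern described in the advisory."""
    if msg.pid != PID_INTERNET_EMAIL:
        return False  # ordinary SMS: a long first word is not the email format
    return len(email_address_field(msg.text)) > MAX_SAFE_ADDRESS_LEN

def filter_inbound(messages):
    """Split messages into (delivered, blocked) lists."""
    delivered, blocked = [], []
    for m in messages:
        (blocked if is_curse_of_silence(m) else delivered).append(m)
    return delivered, blocked

# Constructed sample traffic, not captured data.
SAMPLES = [
    DecodedSms("+10000000001", 0x00, "Lunch at noon?"),
    DecodedSms("+10000000002", PID_INTERNET_EMAIL, "bob@example.com See you there"),
    DecodedSms("+10000000003", PID_INTERNET_EMAIL, "a" * 21 + "@example.com hello"),  # 33 chars
    DecodedSms("+10000000004", 0x00, "x" * 40 + " long word, normal PID"),
    DecodedSms("+10000000005", PID_INTERNET_EMAIL, "b" * 20 + "@example.com hi"),  # 32 chars
]

if __name__ == "__main__":
    delivered, blocked = filter_inbound(SAMPLES)
    print("blocked senders:", [m.sender for m in blocked])
```

Because 2.6 and 3.0 devices are affected by a single message, a filter like this has to drop the first matching message rather than rate-limit.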

[Via Unwired View]
