Monday, 26 December 2011

Mobiles forced to send premium-rate texts in new attack

Hacker hijacks SMS error message flaw

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.
The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.
SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user's inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that's likely to happen.
The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender's number or to the operator's message centre. This creates two possible attack scenarios.
In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.
Attackers can't control the content of the automatic error responses, a potential stumbling block when it comes to signing people up for these services simply because they've sent a message, but it's easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than any old message.
In the second case, a SIM Toolkit error message is sent to the operator's message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message, creating an error loop that prevents the delivery of legitimate SMS messages to a user's handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.
Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.
Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of a SIM Toolkit response. However, the option "Confirm SIM Service Actions" is usually disabled by default.
Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports.
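As an added illustration of the operator-side control Alecu recommends (filtering SIM Toolkit messages and whitelisting the senders allowed to originate them), here is a simplified message-centre filter in Python. It is example code written for this page, not the researcher's or any operator's software. The message-record layout, the gateway identifier "OTA-GATEWAY-01", the sample addresses and the sample payloads are all constructed for the example; the only real identifiers are the 3GPP markers for SIM data download (TP-PID 0x7F) and for class-2 "(U)SIM specific" messages in TP-DCS.

```python
from dataclasses import dataclass

# Real 3GPP identifiers (TS 23.040 / TS 23.038): TP-PID 0x7F marks
# "(U)SIM Data download" and a TP-DCS message class of 2 marks a
# "(U)SIM specific message". Everything else in this block is constructed.
SIM_DATA_DOWNLOAD_PID = 0x7F
DCS_CLASS_PRESENT_BIT = 0x10   # bit 4 of TP-DCS: bits 1-0 carry a message class
DCS_CLASS_MASK = 0x03          # bits 1-0 of TP-DCS: the message class number
DCS_CLASS_SIM_SPECIFIC = 0x02  # class 2


@dataclass(frozen=True)
class Sms:
    """Simplified submission as seen by an operator's message centre
    (assumed layout for this example, not a real SMSC record)."""
    originating_address: str
    pid: int          # TP-Protocol-Identifier
    dcs: int          # TP-Data-Coding-Scheme
    user_data: bytes


def is_sim_toolkit_message(sms: Sms) -> bool:
    """True if the handset would hand the message to the SIM instead of the inbox.
    Simplification: checks the two standard markers and does not decode the
    secured packet itself."""
    if sms.pid == SIM_DATA_DOWNLOAD_PID:
        return True
    class_present = sms.dcs & DCS_CLASS_PRESENT_BIT
    return bool(class_present) and (sms.dcs & DCS_CLASS_MASK) == DCS_CLASS_SIM_SPECIFIC


def filter_submission(sms: Sms, allowed_senders: frozenset, log: list) -> str:
    """The control from the article: SIM Toolkit messages are accepted only
    from whitelisted originating addresses; ordinary texts always pass."""
    if not is_sim_toolkit_message(sms):
        return "accept"
    if sms.originating_address in allowed_senders:
        return "accept"
    log.append(
        f"dropped SIM Toolkit message from {sms.originating_address} "
        f"(pid=0x{sms.pid:02X}, dcs=0x{sms.dcs:02X}, {len(sms.user_data)} bytes)"
    )
    return "drop"


# Constructed sample traffic: the addresses are placeholders, not real numbers.
ALLOWED_OTA_SENDERS = frozenset({"OTA-GATEWAY-01"})  # assumed operator gateway id
SAMPLE_TRAFFIC = [
    Sms("+40700000001", pid=0x00, dcs=0x00, user_data=b"hello"),                  # ordinary text
    Sms("OTA-GATEWAY-01", pid=0x7F, dcs=0xF6, user_data=b"<constructed packet>"),  # legitimate OTA
    Sms("+00000000000", pid=0x7F, dcs=0xF6, user_data=b"<constructed packet>"),    # spoofed sender
    Sms("+00000000000", pid=0x00, dcs=0x16, user_data=b"<constructed packet>"),    # class-2 marker only
]


def apply_filter(traffic, allowed_senders=ALLOWED_OTA_SENDERS):
    """Returns (decisions, log) so a caller can see what was dropped and why."""
    log = []
    decisions = [(sms.originating_address, filter_submission(sms, allowed_senders, log))
                 for sms in traffic]
    return decisions, log


if __name__ == "__main__":
    decisions, log = apply_filter(SAMPLE_TRAFFIC)
    for address, decision in decisions:
        print(f"{decision:6} {address}")
    print("\n".join(log))
```

The filter deliberately keys on the standard markers rather than on the sender address alone: the spoofed submission in the sample carries the same PID and DCS as the genuine gateway traffic, so only the allowlist separates them, which is exactly why the article's whitelisting step matters. The last sample shows that a message can be routed to the SIM by the class-2 DCS marker without PID 0x7F, so a filter that checks only one of the two markers would miss it.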
The vulnerability was reported by Alecu to the Computer Emergency Response Team and a vulnerability number has been allocated but there are no details on when a fix might be produced. Alecu said that the issue is more easily addressed by filtering by operators than by trying to update millions of handsets anyway.
