Security Vendors Ready Fix for 'Curse of Silence' SMS Attack

A single malformed text message can prevent some Nokia Corp. smart phones from receiving further messages via Short Messaging Service

A single malformed text message can prevent some Nokia Corp. smart phones from receiving further messages via Short Messaging Service (SMS) -- and the offending message can be sent from almost any Nokia phone, even non-smart-phone models, a German security researcher demonstrated Tuesday.

At least one security software vendor has already released software to protect against the denial-of-service attack, dubbed the "Curse of Silence" by the researcher who demonstrated it at the Chaos Communications Congress in Berlin, organized by Germany's Chaos Computer Club (CCC).

CCC member Tobias Engel showed how smart phones running Versions 2.6 through 3.1 of Nokia's Series 60 software running on Symbian OS are unable to receive further messages by SMS or MMS (Multimedia Messaging Service) after receiving malformed text messages. Versions 2.8 and 3.1 of the software will warn of memory problems after one malformed message, and they will silently fail after receiving 11 such messages, he said.

The problem is worse for phones running Versions 2.6 and 3.0 of the software: They will silently fail after receiving a single malformed message, he said.

The phone must be factory-reset to resolve the problem and allow it to receive text messages once again, Engel said.

Sony Ericsson Mobile Communications AB phones running UIQ software on top of Symbian OS are also vulnerable, security software vendor F-Secure Corp. warned Wednesday.

The simplicity of the attack -- which can be launched from almost any Nokia phone, including older non-smart-phone models, with the option to send an SMS text message as "Internet Electronic Mail" -- makes it likely that people will try it just to see what happens, F-Secure said. The attack's nuisance value is increased because mobile phone networks also send notifications of new voice mail by SMS, so an attacked phone may stop advising of new voice messages too, the company warned.

F-Secure said it has developed a fix that can protect vulnerable phones from malformed messages as part of its F-Secure Mobile Security software for smart phones.

Engel suggested a different approach to protecting phones, proposing that network operators deal with the problem by filtering out the malformed messages as they pass through their SMS servers.

Join the discussion
Be the first to comment on this article. Our Commenting Policies