News
Security Vendors Ready Fix for 'Curse of Silence' SMS Attack
A single malformed text message can prevent some Nokia Corp. smart phones from receiving further messages via Short Messaging Service
By Peter Sayer, IDG News Service
December 31, 2008 — IDG News Service —
A single malformed text message can prevent some Nokia Corp. smart phones from receiving further messages via Short Messaging Service (SMS) -- and the offending message can be sent from almost any Nokia phone, even non-smart-phone models, a German security researcher demonstrated Tuesday.
At least one security software vendor has already released software to protect against the denial-of-service attack, dubbed the "Curse of Silence" by the researcher who demonstrated it at the Chaos Communications Congress in Berlin, organized by Germany's Chaos Computer Club (CCC).
CCC member Tobias Engel showed how smart phones running Versions 2.6 through 3.1 of Nokia's Series 60 software running on Symbian OS are unable to receive further messages by SMS or MMS (Multimedia Messaging Service) after receiving malformed text messages. Versions 2.8 and 3.1 of the software will warn of memory problems after one malformed message, and they will silently fail after receiving 11 such messages, he said.
The problem is worse for phones running Versions 2.6 and 3.0 of the software: They will silently fail after receiving a single malformed message, he said.
The phone must be factory-reset to resolve the problem and allow it to receive text messages once again, Engel said.
Sony Ericsson Mobile Communications AB phones running UIQ software on top of Symbian OS are also vulnerable, security software vendor F-Secure Corp. warned Wednesday.
The simplicity of the attack -- which can be launched from almost any Nokia phone, including older non-smart-phone models, with the option to send an SMS text message as "Internet Electronic Mail" -- makes it likely that people will try it just to see what happens, F-Secure said. The attack's nuisance value is increased because mobile phone networks also send notifications of new voice mail by SMS, so an attacked phone may stop advising of new voice messages too, the company warned.
F-Secure said it has developed a fix that can protect vulnerable phones from malformed messages as part of its F-Secure Mobile Security software for smart phones.
Engel suggested a different approach to protecting phones, proposing that network operators deal with the problem by filtering out the malformed messages as they pass through their SMS servers.
Copyright 2009 IDG News Service, International Data Group Inc. All rights reserved.
Nokia
Log Management in a Cyber World
With so many potential cyber villains poking around the gates, enterprises must have strong protections and pristine visibility into what's happening on the network. Explore the increasing importance of log management as cybercrime and other malicious threats grow.
Comparing Research in Motion and Microsoft Mobile Solutions
Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.
- Continuous PCI Compliance and Security with Tripwire Solutions
- The Pursuit of a Standardized Solution for Secure Enterprise RBAC
- Building a Secure and Compliant Windows Desktop
- Root Access Risk Control for the Enterprise
- Demystifying IT Risk to Achieve Greater Security & Compliance
- Cyber Crime: A Clear and Present Danger
Stay current with insightful news and analysis on information security, business continuity, identity and access management, loss prevention and more with CSO newsletters!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
