Researchers can attack mobile phones via spoofed SMS messages
Phones that support MMS on GSM networks are vulnerable to new SMS spoofing attacks, researchers say at Black Hat.
LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.
This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.
The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior consultant at ISEC Partners, and independent researcher Luis Miras.
They used a jailbroken iPhone for their demos of their proof-of-concept code that allows for bypassing carrier protections for SMS communications by sending specially crafted MMS messages.
SMS communications are used by carriers to do administration on the phone and contact customers. For example, voice mail notifications are often delivered over SMS, according to Lackey.
As a result, such admin messages are trusted by recipients, despite the fact that they typically do not reveal the source of the message and other details, they said. Spoofed messages could appear to come from any trusted company like a bank or PayPal.
"This is a carrier issue," Miras said. "We disclosed to them and they're working on a fix."
The researchers also have shared information with the GSM Alliance, which is providing details of the exploit to carriers, they said.
In one demo, they sent a victim a message that offered a $20 credit and included a link to a supposedly malicious site. In other demos the researchers sent a fake voice mail alert and sent an SMS that prompted the recipient to accept or decline unknown new phone settings.
If the recipient accepted the changes believing they were something routine from the carrier, an attacker could be using the permission granted to do something behind the scenes like route all the phone's Internet traffic through an attacker's server instead of a carrier server, which would allow the attacker to spy on all the communications.
The SMS exploits the researchers showed allow an attacker to "bypass the carrier spoofing protections" including anti-malware filtering, Lackey said. The attacks also could be used to find out what operating system a phone is running so that someone could launch an attack targeted for that software, he said.
Lackey and Miras released a tool called TAFT (There's an Attack For That) that automates the implementation flaws that have been fixed. It does not allow for the spoofing issues, which carriers still need to address, they said.
SMS attacks are getting easier because iPhones and Android devices are easily modified and because SMS functionality has been built at higher layers that provide full access to an attacker, said Lackey.
The researchers also said they uncovered an SMS implementation flaw that they exploited to temporarily crash the phone process of an Android phone so no calls or texts could be sent or received. Google fixed that flaw, they said.
They also discovered a flaw in a third-party iPhone app from SwirlySpace that interfered with the phone and texting capabilities and that too has been fixed, Miras said.
There isn't much someone can do to protect against these attacks except be wary of SMS messages in general, he said.