An SMS can force a URL or app on smartphones

Talk about text message attacks continues at Black Hat with the third of a handful of mobile-related sessions.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

John Hering and Kevin Mahaffey of Flexilis demonstrate an SMS attack targeting a Windows Mobile phone. Elinor Mills/CNET News

LAS VEGAS--In one of a handful of SMS-related presentations here at the Black Hat security show, researchers demonstrated on Thursday how they can force certain types of smartphones to visit a malicious URL or install an app without user approval.

The vulnerability only affects phones that have been misconfigured by the original equipment manufacturer so that they accept any message sent through WAP Push (Wireless Application Protocol), a service that runs on top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party such as the mobile operator, said Hering, chief executive of Flexilis, which provides software for protecting mobile phones from attack.

The vulnerability spans all Windows Mobile devices including HTC, Motorola, and Samsung, he said. The phones that are vulnerable have been misconfigured and it's random which ones have the weakness.

Phone owners can test their phone to determine if they are affected by the issue. Hering and Kevin Mahaffey, Chief Technology Officer at Flexilis, are releasing a free tool that can be used to test whether a mobile phone is vulnerable, and if so fix the issue.

The researchers said they had not yet determined whether the iPhone or other devices were vulnerable. They said they have notified carriers, or Microsoft, and fixes are being worked on.

The attack works on GSM networks, the men said, adding that they had not yet tested it on CDMA networks.

The researchers built this device for testing for the vulnerability on multiple phones at once. Elinor Mills/CNET News

The researchers have developed free, open-source software called "Fuzzit," which is designed to test the security of mobile devices and is geared towards mobile manufacturers, operators, and software developers. It will be released shortly. They also built a device that allows for the testing of multiple phones on different platforms at once for internal research and development.

Their session was just one of a handful that dealt with vulnerabilities on mobile phones and SMS, in particular.

In a presentation earlier in the day, Zane Lackey of ISEC Partners and independent researcher Luis Miras demonstrated how an attacker could spoof an MMS (multimedia messaging service) type of SMS message that appears to be sent from a trusted source and trick the recipient into visiting a malicious Web site.

Also on Thursday, Charlie Miller of Independent Security Evaluators and independent researcher Collin Mulliner demonstrated another type of attack in which they can take complete control over an iPhone merely by sending special SMS messages. They proved the attack the night before with a denial of service attack on my non-jailbroken iPhone, which runs OS 3.0.

Since SMS is available on so many devices and is always on--as long as the phone is turned on--it makes for an attractive target for attackers, according to researchers.