'SMS of Death' Bug Targets Basic Cell Phones, Could Shut Down Entire Networks
Researchers Collin Mulliner and Nico Golde introduced the bug at the recent Chaos Computer Club Congress in Berlin. The pair reportedly discovered it after setting up their own private GSM network, which allowed them to send malicious text messages to a variety of basic cell phones. The most serious vulnerability, the so-called 'SMS of Death,' affected several popular models from Nokia, Sony Ericsson, Samsung, LG and Motorola. The impact, however, varied from brand to brand.
In some cases, the malicious texts caused the phones to shut down and disconnect from their networks. In the worst case, the payload-equipped SMS could force the phone to shut down and disconnect without even registering the original message. Under these circumstances, the hacker could even force the network to send the message again once the system reboots, thereby trapping the phone in a vicious shutdown cycle. Mulliner and Golde emphasized that these vulnerabilities likely exist in many other mobile models, but that their work has focused exclusively on the most popular ones.
The effects may seem relatively easy to handle on an individual basis, but researchers say that attackers could easily orchestrate similar operations on a large scale. In Germany, for example, each mobile number prefix is associated with a specific service provider. It'd be relatively easy, therefore, for an attacker to target a single provider's customer base, using its unique prefix. Alternatively, the malicious texts could be sent in bulk via commercial spam services, botnets hidden on phones, or, of course, a rogue insider at a mobile company.
The potential for disaster, then, is all too clear. A single person, for example, could hold a phone company hostage by threatening to unleash a torrent of crippling texts. Researchers also pointed out that the vulnerability could affect police officers, who rely on cell phones where two-way radio functionality is limited. Unfortunately, there doesn't appear to be an easy fix for the SMS of Death. Nowadays, mobile companies hardly ever offer firmware updates for simple, relatively cheap phones, even though around 85 percent of all users still rely on them. But considering the kind of havoc that this bug could wreak, it may be time for manufacturers to take action.