Text message of 'death' threatens smartphone security

Security researchers have shown that many popular phones can be knocked offline by carefully crafted text messages

Security researchers have shown that carefully crafted text messages sent to cell phones via short message service (SMS) can cause them to shutdown without the knowledge of the owner. Popular models by Nokia, LG, Samsung, Motorola and Sony Ericsson are said to be affected by what the researchers call ‘SMS-o-Death'.

Researchers from the Berlin Institute of Technology used the simple trick of imitating the data messages network providers send to phones. Usually the messages are used for tasks such as configuring the device for a particular provider, but they can easily be subverted.

Perhaps surprisingly, the attack targets regular "feature phones" rather than smartphones. Feature phones are so-called because they typically perform one or two other tasks, such as MP3 playback or web browsing, in addition to making calls.

Feature phones are significantly less expensive than smartphones, so--although smartphones get most press attention--out in the real world they find most use amongst the world's population. Therefore, the scale of the hack could be huge.

The researchers made their discoveries by creating their own testbed cell phone tower in a lab shielded from outside signals. They monitored communications from the phone and by doing so were able to create messages that attacked every single model of phone they studied.

To attack an individual's phone, one would need to know the make and model. However, a large-scale random denial of service attack would be easy to carry out: with a little research to find the most popular phone models on the market today, an attacker could send a series of messages targeting each phone to specific or random numbers via the various Internet gateways that allow bulk text message sending. Anybody receiving the dodgy message would have their phone silently switch off, without their knowledge. If the hack didn't work on a user's particular model of phone, it would simply be ignored as gibberish.

Of course, the researchers are keeping secret their exact methods but now the cat is out of the bag it won't be long until hackers come up with their own versions.

There's little that can be done to thwart attacks. Phone firmware could be reprogrammed to block such messages, but the majority of non-smartphone owners simply don't update their phones. Many aren't even aware it's possible, and those who are often avoid doing so for fear updating to buggy software, something that sadly is all too common. Often inexpensive phones come without a USB cable, making updating impossible unless one is purchased.

Service providers could filter out the messages from their network but, although filtering software is often already in place to capture spam, it doesn't presently have the ability to catch data messages, such as those used in the attack.

The good news is that the relative simplicity of feature phones means that the hack is limited to annoying tricks, such as turning-off the phone. It'll be almost impossible for attackers to inject their own code into phones in order to steal data, for example, something which is possible with higher-level smartphones such as the Apple iPhone and, potentially, devices running Google Android.

It's been an uneasy time recently in the world of mobile phone security. Last year it was shown how GSM phone communications can be hacked with just $1500 of hardware, allowing attackers to listen into communications.

To view a video of the presentation by the researchers behind the ‘SMS-o-Death' hack, Nico Golde and Collin Mulliner, click here.

Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at http://keirthomas.com and his Twitter feed is @keirthomas .

Join the Good Gear Guide newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MotorolaEricssonspamantispamvirusesNokiaPhonesAndroide-mail securityphishingconsumer electronicssecurity

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Keir Thomas

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?