How Too Many SMS Messages Can Shut Down Your Nexus Phone
A system administrator at a Dutch IT company has found a vulnerability that lets an attacker launch a denial-of-service attack on Google's Nexus phones using SMS messages.
Bogdan Alecu demonstrated the vulnerability at the DefCamp 2013 security conference in Bucharest today. In an email exchange, he said he does independent security research in his spare time, and, according to his site, has given talks on vulnerabilities at other conferences, including one at DefCon in Las Vegas over the summer. He also writes a mobile security blog.
Here’s how the vulnerability works. An attacker sends what’s called a Flash SMS, or a Class 0 SMS, to the phone. It’s a sort of super-text-message that doesn’t get stored in the in-box; rather, its contents get flashed straight to the screen. It exists as part of the global standard for sending text messages on GSM phones, and is useful for flashing emergency information to people, or maybe for delivering a one-time password.
When a message like this is sent to the phone, it’s surrounded by a dark screen, where it waits to be read or dismissed by the user. But here’s where the attack part comes in. Send a large number of these messages to a phone, and the phone starts to act weird and, in some cases, can even reboot itself.
These messages are also sneaky, because typically there’s no sound or other indication that a message is coming in. So your phone might be attacked while you’re walking around and not looking at it. If it reboots and you’ve set it to require a PIN number to start up, you might be walking around with a phone that’s not connected to the network at all. In other instances, the phone doesn’t reboot, but loses its connection to the network or becomes unusable until you reboot it manually.
Alecu says that, based on his tests, the vulnerability appears to affect only Google-made Nexus phones running all versions of Android 4, but apparently not Android phones from other vendors. The affected models include the Galaxy Nexus, the Nexus 4 and the Nexus 5.
There is one way to deal with it: There’s a free app available on Google Play called Class0Firewall that gives you the power to set a filter on how many messages of this type your phone can receive in a given period of time. (Update: I initially published a link to the wrong app which is now fixed. Also it’s free. Sorry about that.)
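To make the idea of such a filter concrete, here is an added sketch (not Class0Firewall's code and not from Alecu's talk) that recognizes Class 0 messages from the data coding scheme byte defined in 3GPP TS 23.038 and caps how many are accepted per time window. The function and class names, the threshold of 3 messages per 60 seconds, and the sample messages are all assumptions made for illustration.

```python
from collections import deque

# Hypothetical names; the thresholds are assumed values, not Class0Firewall's.

def sms_class(dcs: int):
    """Return the message class (0-3) encoded in a TP-DCS byte, or None.

    Follows the 3GPP TS 23.038 layout: in the general groups (top bits 00/01)
    bit 4 says whether bits 1-0 carry a class; group 1111 always carries one.
    """
    if dcs >> 4 == 0xF:
        return dcs & 0x03
    if dcs >> 7 == 0 and dcs & 0x10:
        return dcs & 0x03
    return None

class Class0RateLimiter:
    """Sliding-window cap on Class 0 messages; other messages always pass."""

    def __init__(self, max_messages: int, window_seconds: float):
        self.max_messages = max_messages
        self.window_seconds = window_seconds
        self._accepted = deque()  # arrival times of accepted Class 0 messages

    def allow(self, dcs: int, arrival: float) -> bool:
        if sms_class(dcs) != 0:
            return True
        # Forget accepted messages that have aged out of the window.
        while self._accepted and arrival - self._accepted[0] >= self.window_seconds:
            self._accepted.popleft()
        if len(self._accepted) >= self.max_messages:
            return False  # drop before it reaches the display path
        self._accepted.append(arrival)
        return True

def filter_burst(messages, max_messages=3, window_seconds=60.0):
    """Return one allow/drop decision per (arrival_time, dcs) tuple."""
    limiter = Class0RateLimiter(max_messages, window_seconds)
    return [limiter.allow(dcs, t) for t, dcs in messages]

# Constructed sample: five Class 0 messages in five seconds, a normal
# message (DCS 0x00), then one more Class 0 message after the window.
SAMPLE = [(0, 0x10), (1, 0x10), (2, 0xF0), (3, 0x18), (4, 0x10),
          (5, 0x00), (61, 0x10)]

if __name__ == "__main__":
    for (t, dcs), ok in zip(SAMPLE, filter_burst(SAMPLE)):
        print(f"t={t:>3}s dcs=0x{dcs:02X} -> {'deliver' if ok else 'drop'}")
```

Dropped messages never reach the display path, so a burst cannot pile up on screen, while ordinary messages and occasional Class 0 messages still get through.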
I asked Alecu how he found the vulnerability. In an email, he said he was simply experimenting with sending SMS messages of different types to his phone. After seeing how two or more Flash SMS messages behaved when sent to the phone, he started to get curious. “I had two questions in my mind: Will this cause a memory issue? And until when can I send such messages?” he wrote today. “It looks like indeed, sending multiple Class 0 messages causes a memory issue and the phone reboots.”
Alecu made a couple of videos demonstrating the vulnerability in action, and I’ve embedded one below. There’s another here. He also sent a link to a PDF of the slides he presented in his talk in Romania.
I reached out to Google for a comment on this, but its office sent an auto-reply that its press office is closed for the holiday. I’ll update the post if I hear back.