Advertisment
Advertisment
Promo

'Curse of silence' smartphone flaw revealed

By Tom Espiner on 05 January 2009, 12:04pm

Mobile Phones

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the 'Curse of Silence' by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed email message via SMS. Engel demonstrated the attack on Tuesday at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel on Tuesday gave details of the attack. After receiving a message from a sender with an email address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive any more SMS or MMS messages. S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia spokesperson told CNET UK's sister site ZDNet UK on Friday the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue, and we do not believe that it represents a significant risk to customers' devices," said the spokesperson. "Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability."

Products running S60 3rd edition, feature pack 2, are unaffected, said the spokesperson, who added that the issue can be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the spokesperson.

F-Secure said on Tuesday that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. On Wednesday, the security vendor said the vulnerability will "most likely be used by jealous boyfriends", but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.

Source: 'Curse of silence' smartphone flaw disclosed on ZDNet UK

You Might Like These

Anonymous User Avatar

To get an avatar and username, log in or register

Anonymous User

Your email address must be entered but will not be displayed

Copy the letters and numbers to prove you're a human being. If you can't read this image, get another one. If you don't want to do this each time, register.

Random characters

All submitted content becomes the sole property of CBS Interactive and may be used, edited or rejected at CBS Interactive's sole discretion. You acknowledge that you, not CBS Interactive, are responsible for the contents of your submission. -- see Terms of Use

Advertisment