Some SMS networks vulnerable to attack
At Black Hat, two researchers will show how they spoofed SMS and MMS messages
IDG News Service - Flaws in the way some mobile-phone networks handle SMS (short message service) signaling data could leave them open to a whole new range of attacks.
At this week's Black Hat conference in Las Vegas, researchers Zane Lackey and Luis Miras will show how they were able to spoof SMS and MMS (multimedia messaging service) messages and falsify the signaling data that underlies these messages.
Neither researcher was able to comment for this story, but in a description of their Thursday talk, posted to the Black Hat Web site, they say that they plan to release SMS hacking tools and will demonstrate an iPhone-based application that can be used in several SMS attacks.
"SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked," they say in their talk abstract.
The researchers were able to send SMS messages from one phone to another that contained configuration information that would normally originate only on the network's servers, according to a source familiar with the talk, who spoke on condition of anonymity because he was not authorized to speak on the matter. The research details security flaws in the way some mobile networks communicate with the devices on the network.
"Basically, they found that there is a way to bypass all of the source sender validation," the source said.
The iPhone tool, which runs on a jailbroken version of the device, lets them send SMS messages with data that should normally only be sent from the carrier network, the source said. "They have found a new attack vector by which people can try to exploit phones based upon invalid assumptions the network operators and the phone operators have made about the security of this communications channel."
The attack works on the GSM (Global System for Mobile Communications)-based networks used by carriers such as AT&T and T-Mobile, but does not work on CDMA (Code Division Multiple Access) networks, he said.
It's not clear how dangerous such an SMS-based attack could be, or what exactly the researchers were able to do with their spoofed messages, but carriers use SMS to send basic configuration to the phones. In theory, an attacker might be able to use this technique to redirect a phone's Web browser to a malicious server or change voicemail notifications.
"We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS," the researchers write in their abstract.
SMS uses a communications channel that was designed as a way for network operators to send basic status updates between mobile phones and the network, and only later did it evolve as an extremely popular way to send short messages between mobile-phone users.
The network servers that handle SMS traffic are built by companies such as Ericsson, Nortel Networks, Alcatel-Lucent and Nokia Siemens.
Mobile carriers have long tightly controlled the software and devices that can be used on their networks, but apparently, these networks are not as tightly controlled as was previously thought. "They're not as open as the Internet, but there are definitely lots of bad things that you can do that people never expected," the source said. "There are lots of malicious things you can do."
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!