VANCOUVER–A pair of security researchers from Germany demonstrated several techniques at the CanSecWest conference here Wednesday that enable them to remotely reboot, shut down or even completely disable many popular mobile phones with SMS messages.
The technique that Nico Golde and Collin Mulliner discussed relies on setting up a GSM network and sending specially crafted SMS messages to handsets. The pair showed a video demonstration of phones from a wide range of manufacturers, including LG, Sony Ericsson, Nokia and others, rebooting, freezing and generally acting flaky after receiving the crafted SMS messages they sent.
The researchers only tested their methods on so-called feature phones, not smartphones such as Android devices or iPhones. The reason, they said, is that feature phones still are far more prevalent in most of the world than smartphones are, so the target area is much larger.
“The good thing is that there’s no user interaction needed and the attacker can be anywhere in the world,” said Mulliner. “We don’t need proximity to the device.”
The researchers set up their own GSM network using a laptop running OpenBSC and targeted various phones that they purchased on eBay. The targets included a Nokia S40, a variety of LG handsets and Sony Ericsson devices. The messages they sent included a binary payload, and in at least one case they were able to completely brick one of the Sony Ericsson phones.
In other cases, the SMS messages caused the phone to reboot or freeze on a startup screen. In general, the malicious messages weren’t visible to the user and didn’t register in the phone’s SMS log, so the user would have little chance of figuring out what caused the phone to reboot or freeze.
On one of the LG handsets, Mulliner and Golde were able to remotely lock the phone, which, if the PIN option is set, can permanently disable the handset. That method leveraged a buffer overflow in the MMS notification system that the LG handset uses.