Google Nexus Phones Vulnerable to SMS Denial-of-Service Attack

Google is reportedly looking into a problem with the latest versions of Nexus smartphones that could force the devices to restart, lock or fail to connect to the Internet.

All Galaxy Nexus, Nexus 4 and Nexus 5 devices that run Android 4.0 contain a flaw that can render the phones vulnerable to a denial-of-service attack when a large number of Flash SMS messages are sent to them.

According to a description on the programming site Stack Overflow, Flash SMS messages, also known as Class 0 SMS, are messages that show up – or flash – on screens immediately and dim the screen around the text. The messages are part of the GSM messaging infrastructure and are often used for sending emergency messages. Since the messages are not saved in phones’ inboxes by default and simply appear, users can elect to read or dismiss them. If messages arrive on top of one another, however, they can stack up quickly.

If a phone receives a certain number of these messages, around 30 in this case, the phone will restart itself. In some cases, if a PIN is required to unlock the SIM card, the device will not connect to the Internet after the reboot. On “rare occasions” the phone can also lose connection to the mobile network and the messaging app can crash.

Bogdan Alecu, a Romanian independent security researcher who also works as a system administrator at the Dutch IT firm Levi9, discovered the issue and discussed it in a panel (.PDF) on Friday at DefCamp, a security conference in Bucharest, Romania.

Alecu told PC World last week that while he found the problem more than a year ago (the video above was first published five months ago) and has tested it on a handful of Nexus phones since then, Google has largely ignored his research. A fix in Android 4.3 was promised to Alecu by a member of Google’s Security Team in July but never surfaced when 4.3 (Jellybean) was released later that month.

Now Google claims it’s looking into the vulnerability.

“We thank him [Alecu] for bringing the possible issue to our attention and we are investigating,” a Google representative told PC Magazine via email.

In the meantime, Alecu has developed and published a proof-of-concept firewall application for Android that should prevent most Nexus devices from being exploited by the Flash SMS attack vector.

Class0Firewall, posted today on Google’s Play marketplace, lets Nexus users determine how many Flash SMS messages they can receive from a certain number before blocking them entirely. The app can also be set to block Flash SMS messages for a set amount of time.
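The two controls described above (a per-sender limit and a timed block on all Flash SMS) can be sketched as follows. This is an added example, not Class0Firewall's code, which the article does not show. The class and function names, the cumulative per-sender count, and the detection of Class 0 from the TP-DCS octet as defined in GSM 03.38 are assumptions.

```python
from collections import defaultdict

def is_class0(dcs: int) -> bool:
    """True if the TP-DCS octet marks a message as Class 0 (GSM 03.38)."""
    group = dcs >> 4
    if group <= 0b0011:   # general data coding: bit 4 says class bits are valid
        return bool(dcs & 0x10) and (dcs & 0x03) == 0
    if group == 0b1111:   # data coding/message class group
        return (dcs & 0x03) == 0
    return False

class Class0Filter:
    """Hypothetical policy object; names and defaults are assumptions."""
    def __init__(self, max_per_sender: int = 5):
        self.max_per_sender = max_per_sender
        self.seen = defaultdict(int)   # Class 0 messages counted per sender
        self.blocked = set()           # senders blocked entirely
        self.mute_until = 0.0          # all Class 0 dropped before this time

    def mute_all(self, now: float, seconds: float) -> None:
        self.mute_until = now + seconds

    def allow(self, sender: str, dcs: int, now: float) -> bool:
        if not is_class0(dcs):
            return True                # ordinary SMS is never touched
        if now < self.mute_until or sender in self.blocked:
            return False
        self.seen[sender] += 1
        if self.seen[sender] > self.max_per_sender:
            self.blocked.add(sender)   # threshold crossed: block from now on
            return False
        return True

def replay(filt, messages):
    """Return the messages that would reach the screen or inbox."""
    return [m for m in messages if filt.allow(*m)]

# Constructed input: 30 Class 0 messages from one number, one normal SMS.
FLOOD = [("+10000000001", 0x10, float(t)) for t in range(30)]
NORMAL = [("+10000000001", 0x00, 31.0)]

if __name__ == "__main__":
    shown = replay(Class0Filter(max_per_sender=5), FLOOD + NORMAL)
    print(len(shown), "of", len(FLOOD + NORMAL), "messages delivered")
```

With a limit of 5, the constructed flood never reaches the roughly 30 stacked messages the article associates with a restart, and ordinary SMS from the same number still gets through.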

Alecu warns that while his app isn’t foolproof, he hopes to release an update for it soon that addresses a few remaining issues.

For example, Alecu aims to include a fix in a future version that will let users know if a Flash SMS attacker is spoofing their own number, thus preventing messages from being blocked. Alecu also hopes to find a workaround for an SMS API change in Android 4.4 (KitKat) that still puts Nexus users running that build of Android in danger.
