Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

In a presentation today at Black Hat Europe, a computer-security conference in Amsterdam, a group of researchers claimed to have found a way to hijack the data sent to and from mobile phones. The researchers say that the attack might be used to glean passwords or to inject malicious software onto a device.

Mobile phones are becoming ever more useful for transmitting data in addition to making voice calls, and they’re increasingly being used for sensitive activities such as online banking, as well as for searching the Internet and downloading mobile games.

The new attack relies on a protocol that allows mobile operators to give a device the proper settings for sending data via text message, according to Roberto Gassira, Cristofaro Mune, and Roberto Piccirillo, security researchers for Mobile Security Lab, a consulting firm based in Italy. By faking this type of text message, according to the protocol an attacker can create his own settings for the victim’s device. This would allow him to, for example, reroute data sent from the phone via a server that he controls. The researchers say that the technique should work on any handset that supports the protocol, as long as the attacker knows which network the victim belongs to and the network does not block this kind of message.

Some trickery is required to make the attack work, however. Ordinarily, to transfer settings to a device remotely, a mobile operator will first send a text message containing a PIN code. The operator will then send the message to reconfigure the phone. In order to install the new settings, the user must first enter the PIN.

So an attacker would need to convince a victim to enter a PIN and accept the malicious settings sent to the phone. But Gassira, Mune and Piccirillo believe that this shouldn’t be too difficult. The attacker could send text messages from a name such as “service provider” or “message configuration,” suggesting that changes to the device’s settings are needed due to a network error. For many handsets, they say, the results of the configuration aren’t shown to the user, giving the victim little chance to notice that anything is amiss.

4 comments. Share your thoughts »

Credit: Technololgy Review

Tagged: Computing, Communications, security, mobile, wireless, cellphone, hacker, mobile applications

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me