Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

Once a phone has been configured to route data through the attacker’s server, this could reveal the user’s login credentials or cookies. The researchers say that it may also be possible for an attacker to add unwanted content, such as unsolicited advertisements, to the Web pages that a user views on her phone. By combining this technique with other vulnerabilities, they say that an attacker might even be able to use the mobile device to target resources normally protected within the carrier’s network.

David Wagner, an associate professor of computer science at the University of California, Berkeley, who has studied wireless security, cautions that more work needs to be done to identify what conditions are required to exploit the vulnerability and how widespread the problem may be. “I did see in the paper a number of caveats that raised questions in my mind about the degree to which this vulnerability would affect consumers, even if the vulnerability can be exploited,” Wagner says. In particular, he notes, it is unclear whether some cell-phone providers may block fake messages or if others would stop an attacker from redirecting Internet traffic. Also, many users may not be fooled by the attack. “If any of these conditions are not met, the attack might be blocked,” Wagner says.

The researchers concede that mobile operators could prevent the attack by implementing proper security measures. For example, operators could watch for text messages that show telltale signs of a configuration protocol and check that they originate from an authorized source. Other measures, such as showing the user how her device has been adjusted or monitoring Internet traffic that’s being directed out of the carrier’s network, might also help.

Mune says that the attack “could be feasible on quite a large number of networks and handsets,” and that his team has successfully tested it with a variety of common handsets on large networks in Europe. Although the researchers aren’t working with any mobile operators to resolve the vulnerability, they say that they have given notice to relevant parties and are open to helping with the issue if needed.

4 comments. Share your thoughts »

Credit: Technololgy Review

Tagged: Computing, Communications, security, mobile, wireless, cellphone, hacker, mobile applications

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me