To target a specific user, an attacker would need to know what kind of phone he or she uses, since each platform requires a different message. But Mulliner says that attackers could easily knock out large numbers of phones by sending a set of five SMS messages—targeted to the five most popular models—to every device on a specific network. Mulliner notes that there are Internet-based services that send SMS messages en masse either cheaply or free, making it possible for an antagonist with limited resources to carry out such an attack from anywhere in the world.
“The only people who can defend against this attack are the network operators,” Mulliner says. To prevent problems, operators would have to update the firmware on existing phones or else filter out potentially disruptive SMS messages traveling across their networks. The latter approach would be difficult, he says, because filtering software, generally used to catch spam, is not optimized to catch binaries.
Mulliner and Golde say they contacted network operators and manufacturers months before their talk but were told it wasn’t possible to get fixes ready in time.
“Smart phones are sexier targets, but the masses still by and large use feature phones,” says Charlie Miller, principal analyst for software security for the research firm Independent Security Evaluators. Miller is well known for his research on security flaws in the iPhone and other mobile devices, and has worked with Mulliner in the past.
Because feature phones are so widespread, the problems found by Mulliner and Golde could affect a lot of people, Miller says. Still, attackers would find it difficult to steal personal information or take control of the phones. In contrast, SMS vulnerabilities in iPhones and Windows Mobile-based HTC devices enable an attacker to take over phones, Miller says, citing research that he and Mulliner conducted a couple of years ago.
Defending against mass attacks on feature phones may in practice prove enormously difficult. Aurélien Francillon, a researcher in the system security group at ETH Zurich in Switzerland, says, “Most of those phones don’t have automated updates, and when they do, patches are not made available quickly.”
High-end smart phones are more likely to be configured to automatically install updates to protect against attacks, he says. Francillon believes that the vulnerabilities that Mulliner found on feature phones “may remain open for a very long time before they are corrected on end users’ phones—if ever.”