Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

To target a specific user, an attacker would need to know what kind of phone he or she uses, since each platform requires a different message. But Mulliner says that attackers could easily knock out large numbers of phones by sending a set of five SMS messages—targeted to the five most popular models—to every device on a specific network. Mulliner notes that there are Internet-based services that send SMS messages en masse either cheaply or free, making it possible for an antagonist with limited resources to carry out such an attack from anywhere in the world.

“The only people who can defend against this attack are the network operators,” Mulliner says. To prevent problems, operators would have to update the firmware on existing phones or else filter out potentially disruptive SMS messages traveling across their networks. The latter approach would be difficult, he says, because filtering software, generally used to catch spam, is not optimized to catch binaries.

Mulliner and Golde say they contacted network operators and manufacturers months before their talk but were told it wasn’t possible to get fixes ready in time.

“Smart phones are sexier targets, but the masses still by and large use feature phones,” says Charlie Miller, principal analyst for software security for the research firm Independent Security Evaluators. Miller is well known for his research on security flaws in the iPhone and other mobile devices, and has worked with Mulliner in the past.

Because feature phones are so widespread, the problems found by Mulliner and Golde could affect a lot of people, Miller says. Still, attackers would find it difficult to steal personal information or take control of the phones. In contrast, SMS vulnerabilities in iPhones and Windows Mobile-based HTC devices enable an attacker to take over phones, Miller says, citing research that he and Mulliner conducted a couple of years ago.

Defending against mass attacks on feature phones may in practice prove enormously difficult. Aurélien Francillon, a researcher in the system security group at ETH Zurich in Switzerland, says, “Most of those phones don’t have automated updates, and when they do, patches are not made available quickly.”

High-end smart phones are more likely to be configured to automatically install updates to protect against attacks, he says. Francillon believes that the vulnerabilities that Mulliner found on feature phones “may remain open for a very long time before they are corrected on end users’ phones—if ever.”

3 comments. Share your thoughts »

Tagged: Communications, security, mobile, mobile phones, hackers, cell phones, mobile security, SMS, denial of service attacks

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me