
Behind the Fuzz: Finding SMS Bugs

Two researchers open the door to finding a slew of vulnerabilities in the widely-used communications protocol.
August 7, 2009

It’s taken a while for security researchers to find flaws in the popular protocol used to send text messages between mobile phones. Yet, at the Black Hat Security Conference, four researchers revealed weaknesses in the protocol, including vulnerabilities in three major platforms: Apple’s iPhone, Microsoft’s Windows Mobile, and Google’s Android.

For security consultant Charlie Miller and graduate student Collin Mulliner, the hard part was not finding the vulnerabilities in the short message service (SMS) but in creating a way to send tens of thousands of 140-character messages directly to the phone, bypassing the provider’s network.

The researchers used a technique known as “fuzzing,” in which thousands to millions of permutations of a specific format are fed to a computer program to test its robustness. Sending those messages over the provider’s network could have allowed the carrier to shut down the experiment, not to mention running up an astronomical phone bill.

“People don’t fuzz SMS … because it would probably crash their (the provider’s) infrastructure and get us kicked off their service,” Miller says.

Instead, the two researchers found a way to inject packets directly into the smartphones. In the case of Apple’s iPhone, the researchers had to create a hacked, or “jailbroken,” version that does not have all the security of the out-of-the-box device. Yet, when they found interesting packets, they confirmed the results on standard iPhones.

In this case, the two researchers used the Sulley fuzzing framework to create technically correct SMS packets that abused the protocol in some way.

Hacking phones via SMS is not easy, Miller says. The limitations of the protocol, especially the 140-character message length, mean that transferring an exploit to the phone can take a lot of messages. In the case of the iPhone hack, the researchers had to send hundreds of messages, he says.
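The two ideas above, the 140-byte limit on SMS user data and testing a message handler for robustness by feeding it mutated input, as an added example that is neither the researchers’ code nor the Sulley framework: a bounds-checked parser for the SMS-DELIVER message format (GSM 03.40) that also reads the concatenation header used to spread a long payload over many messages, plus a small mutation loop that checks the parser only ever fails closed. The sample PDU, its sender number and the `robustness_check` helper are constructed for this example.

```python
import random

class PduError(ValueError):
    """Malformed input: the parser fails closed with this and never crashes."""

def parse_sms_deliver(pdu: bytes) -> dict:
    """Parse an SMS-DELIVER TPDU (no SMSC prefix), checking every length field."""
    if len(pdu) < 3 or (pdu[0] & 0x03) != 0 or pdu[1] > 20:
        raise PduError("truncated, not an SMS-DELIVER, or address too long")
    first, ndigits = pdu[0], pdu[1]
    addr_octets = (ndigits + 1) // 2
    hdr_len = 3 + addr_octets + 10  # + PID, DCS, 7-byte timestamp, UDL
    if len(pdu) < hdr_len:
        raise PduError("truncated header")
    nibbles = [f"{n:x}" for b in pdu[3:3 + addr_octets] for n in (b & 0xF, b >> 4)]
    sender = "".join(nibbles[:ndigits])  # BCD digits, low nibble first, 0xF pad
    dcs, udl = pdu[4 + addr_octets], pdu[hdr_len - 1]
    ud_octets = (udl * 7 + 7) // 8 if (dcs & 0x0C) == 0 else udl  # 7-bit: septets
    if ud_octets > 140 or len(pdu) - hdr_len != ud_octets:  # 140 = GSM 03.40 limit
        raise PduError("user data does not match UDL")
    ud, concat = pdu[hdr_len:], None
    if first & 0x40:  # UDHI: a user-data header precedes the body
        if not ud or ud[0] >= len(ud):
            raise PduError("UDH length overruns user data")
        hdr, ud, i = ud[1:1 + ud[0]], ud[1 + ud[0]:], 0
        while i < len(hdr):
            if i + 2 > len(hdr) or i + 2 + hdr[i + 1] > len(hdr):
                raise PduError("information element overruns UDH")
            if hdr[i] == 0x00 and hdr[i + 1] == 3:  # concatenation IE
                concat = tuple(hdr[i + 2:i + 5])  # (reference, total, seq)
            i += 2 + hdr[i + 1]
    return {"sender": sender, "dcs": dcs, "concat": concat, "body": bytes(ud)}

def robustness_check(seed_pdu: bytes, rounds: int = 2000, seed: int = 1) -> dict:
    """Parse mutated copies of the seed; any exception but PduError is a bug."""
    rng, rejected = random.Random(seed), 0
    for _ in range(rounds):
        data = bytearray(seed_pdu)
        if rng.randrange(2):  # overwrite one byte (length fields included) ...
            data[rng.randrange(len(data))] = rng.randrange(256)
        else:                 # ... or truncate the PDU
            del data[rng.randrange(len(data)):]
        try:
            parse_sms_deliver(bytes(data))
        except PduError:
            rejected += 1
    return {"accepted": rounds - rejected, "rejected": rejected}

# Constructed sample: from +15551234567, 8-bit data, concat ref 0x2A part 1/3, "hi"
SAMPLE_PDU = bytes.fromhex("440B915155214365F7 0004 90807000000000 08 0500032A0301 6869")
```

Any exception other than `PduError` escaping `robustness_check` marks a missing bounds check, which is exactly the class of defect fuzzing is meant to surface.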

“It probably took 500 to set up everything just right so I could get it where I could take control,” Miller says.

Because the process that handles SMS messages runs as root on the iPhone, once that process is compromised, an attacker would have full control of the device. Apple fixed the SMS flaw a week ago.

Two other researchers, Zane Lackey of iSec Partners and independent consultant Luis Miras, who also presented research into SMS vulnerabilities at the Black Hat Security Conference, took a similar approach, Miller said.
