The phones in many people’s pockets today are miniature personal computers, and they are just as vulnerable as PCs to viruses, malware, and other security problems. But research presented at a conference in Germany last week shows that phones don’t even have to be smart to be vulnerable to hackers.
Using only Short Message Service (SMS) communications—messages that can be sent between mobile phones—a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called “binaries,” that run on a phone. Network operators use these files to, for example, change the settings on a device remotely. The researchers used the same approach to attack phones. They performed their tricks on handsets made by Nokia, LG, Samsung, Motorola, Sony Ericsson, and Micromax, a popular Indian cell-phone manufacturer.
A number of largely theoretical attacks aimed at iPhones and Android devices have made headlines over the past few years. But smart phones make up only 16 percent of the devices in use. So-called feature phones—which can do more than make calls but run only software with limited functionality, enabling their users to do such things as send text messages and play games—account for the majority of around 5 billion mobile phones in use worldwide.
Feature phones are harder to attack than smart phones because of their limitations. Their processors are less powerful, and they have less memory capacity, so they must run simpler software, which often cannot be loaded unless the carrier gives permission. Feature phones also have more varied hardware and software idiosyncrasies than smart phones do.
The security researchers who presented their work at last week’s conference, Collin Mulliner, a PhD student in the Security in Telecommunications department at the Technische Universitaet Berlin, and Nico Golde, an undergraduate student at the same institution, decided to attack feature phones over the air. They set up a miniature cellular network, using open-source software to create a base station with which to communicate with the phones. In order to broadcast malicious messages to them without putting other devices at risk, they shielded their communications by enclosing their network in a Faraday cage, which blocks radio signals.
Having a private cell network also helped Mulliner and Golde study the software running on low-end phones. By monitoring the way the phones communicated with their base station, they could discern important information about how the phones worked and how SMS messages could affect them.
The researchers were able to create malicious SMS messages for each type of phone they studied. The messages affect the phones without any response from the user. Because feature phones are so common, Mulliner says, such an attack “could take out a large percentage of mobile communications.”
To target a specific user, an attacker would need to know what kind of phone he or she uses, since each platform requires a different message. But Mulliner says that attackers could easily knock out large numbers of phones by sending a set of five SMS messages—targeted to the five most popular models—to every device on a specific network. Mulliner notes that there are Internet-based services that send SMS messages en masse either cheaply or free, making it possible for an antagonist with limited resources to carry out such an attack from anywhere in the world.
“The only people who can defend against this attack are the network operators,” Mulliner says. To prevent problems, operators would have to update the firmware on existing phones or else filter out potentially disruptive SMS messages traveling across their networks. The latter approach would be difficult, he says, because filtering software, generally used to catch spam, is not optimized to catch binaries.
Mulliner and Golde say they contacted network operators and manufacturers months before their talk but were told it wasn’t possible to get fixes ready in time.
“Smart phones are sexier targets, but the masses still by and large use feature phones,” says Charlie Miller, principal analyst for software security for the research firm Independent Security Evaluators. Miller is well known for his research on security flaws in the iPhone and other mobile devices, and has worked with Mulliner in the past.
Because feature phones are so widespread, the problems found by Mulliner and Golde could affect a lot of people, Miller says. Still, attackers would find it difficult to steal personal information or take control of the phones. In contrast, SMS vulnerabilities in iPhones and Windows Mobile-based HTC devices enable an attacker to take over phones, Miller says, citing research that he and Mulliner conducted a couple of years ago.
Defending against mass attacks on feature phones may in practice prove enormously difficult. Aurélien Francillon, a researcher in the system security group at ETH Zurich in Switzerland, says, “Most of those phones don’t have automated updates, and when they do, patches are not made available quickly.”
High-end smart phones are more likely to be configured to automatically install updates to protect against attacks, he says. Francillon believes that the vulnerabilities that Mulliner found on feature phones “may remain open for a very long time before they are corrected on end users’ phones—if ever.”