It's a scene from an as-yet-unmade thriller: Across a country, tens of thousands of cellphones all blink white at the same time, and turn themselves off. Calls are lost, phones are rendered useless, and the affected mobile operator is forced to pay a ransom or lose customers.
It hasn't happened yet. But speaking at the Chaos Computer Club Congress here, German researchers showed how vulnerabilities in some of the simplest, but most common phones in the world could conceivably lead to just such a scenario.
Mobile phone security has been a growing concern due to the increasing popularity of smartphones, whose web-browsing and app-running capabilities allow attacks similar to those made against computers. Yet more than 85 percent of the world's cellphones are feature phones — simple devices with the ability to play MP3s or browse the web, but without the power of the iPhone or Android-based handsets.
Vulnerabilities have been found in this type of phone before, but new open source tools allowing individuals to set up their own private GSM networks have helped researchers find a host of bugs ranging from pesky to serious in many of the world's most common handsets.
"With the openness in the GSM on the network side, we can look at the closed stuff now," said Collin Mulliner, a researcher at Berlin's Technical University. "And if we're able to look at closed stuff, it usually breaks."
Mulliner and colleague Nico Golde set up their own GSM network in their lab, allowing them to freely test the effects of sending SMS messages containing a variety of potentially damaging payloads.
The result was bugs, and plenty of them. Popular models of phones from Nokia (the S40 and related models, except for the very newest release), Sony Ericsson (w800 and several related models), LG (LG 320), Samsung (S5230 Star and S3250), Motorola (the RAZR, ROKR, and SLVR L7) and India's Micromax (X114) all proved susceptible to what researchers termed an "SMS of death."
The exact results differed for each phone. In the worst cases, including the Nokia and Sony Ericsson, the message would disconnect the phone and force it to reboot, without registering the fact of the message's receipt — in most cases forcing the operator's network to continue sending the message and triggering the shutdown cycle again. Fixing the problem required putting the SIM card into a new, unsusceptible phone.
In the other cases, the payload-laden messages forced the phones' interfaces to shut down, and disconnected the devices from the network. The researchers stressed that other phones likely had similar problems, but their research had focused on these common models.
At first glance, these problems appear to be relatively minor compared to the botnet or trojan susceptibilities of smartphones. But these simple attacks could cause serious problems, potentially for a single well-chosen target, or — more disturbingly — if launched on a large scale.
This could be done relatively easily, Mulliner said. In Germany, for example, mobile-phone-number prefixes are associated with specific operators, which makes it simple to aim a large-scale attack at a single operator's customer base. Bulk SMS messages tailored to attack specific common phones by the thousands could be sent using commercial SMS spam services, by activating botnets hiding on mobile phones, or even by an insider at a telephone company.
This kind of large-scale attack potential raises the possibility that a telco itself could be held hostage by an outsider threatening to flood its customers with reboots or even broken phones, researchers said.
Alternatively, some police forces around the world rely on cellphones to communicate in areas where their two-way radios function poorly. An attack on a common model used by a police force could disrupt communications at a critical time.
The trouble is that these problems aren't easy to fix. Inexpensive "feature phones" rarely if ever receive firmware updates today. But the potential for abuse of bugs that are becoming easier to find means this practice might have to change, the researchers said.
"Manufacturers need to find a way to do firmware updates, and make sure to advertise them," Mulliner said.