
The Curse Of Silence

Tuesday, March 2, 2010

A serious vulnerability for Nokia phones has been unveiled. This vulnerability blocks all incoming messages, whether it be in the form of SMS or MMS. It is considered to be a "Remote SMS/MMS Denial of Service" and is called the "Curse Of Silence".

If the name isn’t enough to convince you just how bad this exploit really is, consider this: one day, you might wake up unable to receive any messages on your phone. You will probably think the problem is a hardware or software defect, but in the end it's just because of this exploit.

This vulnerability can be exploited by sending a simple, carefully tweaked SMS to any S60-based Nokia phone. Furthermore, the user interface does not give any indication of this situation.

How it really works

Emails can be sent via SMS by setting the message's Protocol Identifier (TP-PID) to "Internet Electronic Mail" and formatting the message like this:

<email-address><space><message body>

If such messages contain an <email-address> with more than 32 characters, S60 2.6, 2.8, 3.0 and 3.1 devices are no longer able to receive other SMS or MMS messages. 2.6 and 3.0 devices lock up after only one message, 2.8 and 3.1 devices after 11 messages.

The simplest way to perform this attack is to write an SMS containing "123456789@123456789.1234567890123 " (the digits are used only to illustrate the length of the "email address" of more than 32 characters) to the target device. Note the space at the end of the message!

Don't forget, you need to send an SMS with the type set to E-Mail (0x50). For example, on S60 devices, when in the message editor, the type of the message can be switched to "E-mail" under "Options" -> "Sending options" -> "Message sent as". The 6310i conveniently offers a "Write email" menu entry in the messaging menu.

Workarounds

The only remedy available from the user's side seems to be installing a small application created by Nokia or performing a factory reset of the device (by entering "*#7370#").

Furthermore, some network operators may also filter messages with TP-PID "Internet Electronic Mail" and an email address of more than 32 characters or reset the TP-PID of these messages to 0.
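The operator-side filter described above can be sketched as follows. This is an added example, not code from Nokia or any operator: the `Sms` record and the `screen` function are hypothetical, the messages are assumed to be already decoded into TP-PID and text, and the TP-PID constant is the 3GPP TS 23.040 value for "Internet Electronic Mail" (0x32, decimal 50).

```python
from dataclasses import dataclass, replace

# TP-PID value for "Internet Electronic Mail" in 3GPP TS 23.040 (decimal 50).
PID_INTERNET_EMAIL = 0x32
MAX_ADDR_LEN = 32  # the page: addresses of more than 32 characters trigger the bug


@dataclass(frozen=True)
class Sms:
    """Hypothetical decoded message record (not a real SMSC API)."""
    sender: str
    tp_pid: int
    text: str  # TP-UD already decoded to text


def email_address_len(text: str) -> int:
    """Length of <email-address>: everything before the first space."""
    return len(text.split(" ", 1)[0])


def is_curse_of_silence(msg: Sms) -> bool:
    return (msg.tp_pid == PID_INTERNET_EMAIL
            and email_address_len(msg.text) > MAX_ADDR_LEN)


def screen(msg: Sms, policy: str = "drop"):
    """Return (verdict, message to deliver or None)."""
    if not is_curse_of_silence(msg):
        return "pass", msg
    if policy == "reset_pid":
        # Second option from the page: deliver as ordinary text (TP-PID 0).
        return "pid_reset", replace(msg, tp_pid=0)
    return "dropped", None


# Constructed sample traffic; senders and addresses are made up.
SAMPLES = [
    Sms("+10000000001", 0x00, "9" * 40 + " plain text, long first word"),
    Sms("+10000000002", PID_INTERNET_EMAIL, "u" * 20 + "@example.org hello"),
    Sms("+10000000003", PID_INTERNET_EMAIL, "u" * 21 + "@example.org hello"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.sender, hex(m.tp_pid), screen(m)[0])
```

The second sample has an address of exactly 32 characters and passes; the third has 33 and is caught, and an ordinary text message with a long first word is left alone because its TP-PID is 0.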

Detailed List of Affected Products

S60 3rd Edition, Feature Pack 1 (S60 3.1):
Nokia E90 Communicator
Nokia E71
Nokia E66
Nokia E51
Nokia N95 8GB
Nokia N95
Nokia N82
Nokia N81 8GB
Nokia N81
Nokia N76
Nokia 6290
Nokia 6124 classic
Nokia 6121 classic
Nokia 6120 classic
Nokia 6110 Navigator
Nokia 5700 XpressMusic

S60 3rd Edition, initial release (S60 3.0):
Nokia E70
Nokia E65
Nokia E62
Nokia E61i
Nokia E61
Nokia E60
Nokia E50
Nokia N93i
Nokia N93
Nokia N92
Nokia N91 8GB
Nokia N91
Nokia N80
Nokia N77
Nokia N73
Nokia N71
Nokia 5500
Nokia 3250

S60 2nd Edition, Feature Pack 3 (S60 2.8):
Nokia N90
Nokia N72
Nokia N70

S60 2nd Edition, Feature Pack 2 (S60 2.6):
Nokia 6682
Nokia 6681
Nokia 6680
Nokia 6630