Because of security weaknesses in mobile telecom standards, criminals may be able to force mobile phones to send premium-rate SMS messages or prevent them from receiving messages.
The weakness involves the handling of messages directed toward SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications work for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.
SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages process without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.
The encryption scheme deployed is robust but problems might arise because error messages automatically go out if it cannot execute a command. The SIM Toolkit service message can come together so responses made via SMS go to a sender’s number or to the operator’s message center. This creates two possible attack scenarios.
In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.
Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number can only sign up people to its services in response to properly formatted requests rather than any old message.
In the second case, a SIM Toolkit error message goes to the operator’s message center, and looks like a message delivery failure. Operators usually attempt to resend the undelivered message: Creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.
Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming.
Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However, the option “Confirm SIM Service Actions” usually ends up disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France.
Alecu reported the vulnerability to the Computer Emergency Response Team and a vulnerability number is ready, but there are no details on when a fix might be available.