228 lines
No EOL
6.9 KiB
Text
228 lines
No EOL
6.9 KiB
Text
Vulnerability Advisory
|
|
======================
|
|
|
|
Remote SMS/MMS Denial of Service - "Curse Of Silence"
|
|
for Nokia S60 phones
|
|
|
|
|
|
URL
|
|
===
|
|
|
|
https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-advisory.txt
|
|
|
|
|
|
Video
|
|
=====
|
|
|
|
https://berlin.ccc.de/~tobias/cos/s60-curse-of-silence-demo.avi
|
|
|
|
|
|
Affected Products
|
|
=================
|
|
|
|
All Nokia Series60 2.6, 2.8, 3.0, 3.1 devices, see detailed list at
|
|
the end of the document.
|
|
|
|
|
|
Requirements to Execute Attack
|
|
==============================
|
|
|
|
- MSISDN of the target
|
|
- mobile phone contract that allows sending of SMS messages
|
|
- (almost) any Nokia phone (or some other means of sending SMS
|
|
messages with TP-PID set to "Internet Electronic Mail")
|
|
|
|
|
|
Risk Level
|
|
==========
|
|
|
|
Medium (for S60 2.8 and 3.1 devices): Target will not be able to
|
|
receive any SMS or MMS messages while the attack is ongoing. After
|
|
that, only very limited message receiving is possible until the device
|
|
is Factory Resetted
|
|
|
|
High (for S60 2.6 and 3.0 devices): Target will not be able to receive
|
|
any SMS or MMS messages until the device is Factory Resetted
|
|
|
|
|
|
Summary
|
|
=======
|
|
|
|
Emails can be sent via SMS by setting the messages Protocol Identifier
|
|
to "Internet Electronic Mail" and formatting the message like this:
|
|
|
|
<email-address><space><message body>
|
|
|
|
If such messages contain an <email-address> with more than 32
|
|
characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive
|
|
other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after
|
|
only one message, 2.8 and 3.1 devices after 11 messages.
|
|
|
|
|
|
Details
|
|
=======
|
|
|
|
3GPP TS 23.040 specifies a method for sending emails via SMS in
|
|
section 3.8 ("SMS and Internet Electronic Mail interworking"). In its
|
|
most basic form, such a SMS message starts with the from- (MT-SMS) or
|
|
to-email-address (MO-SMS), followed by a space character, and then the
|
|
message body. The TP-Procotol-Identifier of the SMS message has to be
|
|
set to "Internet Electronic Mail" (value: 50 / 0x32).
|
|
|
|
It is not specified how such a message should be displayed when
|
|
received by the phone. Before S60 2.6, Series60 devices displayed such
|
|
messages exactly as they were sent. Starting with S60 2.6, when the
|
|
part of the message that should contain the from-address looks
|
|
anything like an email address (i.e. it contains an "@" somewhere),
|
|
this address is then displayed as the message sender instead of the
|
|
usually shown TP-Originating-Address.
|
|
|
|
If this email address is longer than 32 characters, Series60 2.6, 2.8,
|
|
3.0 and 3.1 devices fail to display the message or give any indication
|
|
on the user interface that such a message has been received. They do,
|
|
however, signal to the SMSC that they received the message by sending
|
|
an RP-ACK.
|
|
|
|
Devices running S60 2.6 or 3.0 will not be able to receive any other
|
|
SMS message after that. The user interface does not give any
|
|
indication of this situation. The only action to remedy this situation
|
|
seems to be a Factory Reset of the device (by entering "*#7370#").
|
|
|
|
Devices running S60 2.8 or 3.1 react a little different: They do not
|
|
lock up until they received at least 11 SMS-email messages with an
|
|
email address that is longer than 32 characters. The device will not
|
|
be able to receive any other SMS message after that - upon receiving
|
|
the next message, the phone will just display a warning that there is
|
|
not enough memory to receive further messages and that data should be
|
|
deleted first. This message is even displayed on an otherwise
|
|
completely "empty" device.
|
|
|
|
After switching the phone off and on again, it has limited capability
|
|
for receiving SMS messages again: If it receives a SMS message that is
|
|
split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated
|
|
Short Messages) it is only able to receive the first part and will
|
|
display the "not enough memory" warning again. After powercycling the
|
|
device again, it can then receive the second part. If there is a third
|
|
part, it has to be powercycled again, and so on.
|
|
|
|
Also, an attacker now just needs to send one more "Curse Of Silence"
|
|
message to lock the phone up again. By always sending yet another one
|
|
as soon as the status report for delivery of the previous message is
|
|
received, the attacker could completely prevent a target from
|
|
receiving any other SMS/MMS messages.
|
|
|
|
Only Factory Resetting the device will restore its full message
|
|
receiving capabilities. Note that, if a backup is made using Nokia
|
|
PC-Suite *after* being attacked, the blocking messages are also
|
|
backuped and will be sent to the device again when restoring the
|
|
backup after the Factory Reset.
|
|
|
|
Note that not being able to receive SMS messages also means not being
|
|
able to receive MMS messages, since they are signalled by sending an
|
|
SMS message to the device.
|
|
|
|
"Curse Of Silence" messages can be generated with any phone or
|
|
cellular modem that supports 3GPP TS 27.005 AT commands and with most
|
|
Nokia phones also directly from the user interface. For example, on
|
|
S60 devices, when in the message editor, the type of the message can
|
|
be switched to "E-mail" under "Options" -> "Sending options" ->
|
|
"Message sent as". The 6310i conveniently offers a "Write email" menu
|
|
entry in the messaging menu.
|
|
|
|
The simplest form of content for a Curse Of Silence would be something
|
|
like "123456789@123456789.1234567890123 " (the digits are used only to
|
|
illustrate the length of the "email address" of more than 32
|
|
characters). Note the space at the end of the message!
|
|
|
|
|
|
Workaround
|
|
==========
|
|
|
|
None known for the user side.
|
|
|
|
Until a firmware fix is available, network operators should filter
|
|
messages with TP-PID "Internet Electronic Mail" and an email address
|
|
of more than 32 characters or reset the TP-PID of these messages to 0.
|
|
|
|
|
|
Credits
|
|
=======
|
|
|
|
Tobias Engel <tobias@ccc.de>
|
|
November 9, 2008
|
|
|
|
Many thanks to Frank Rieger for spending countless hours cutting and
|
|
editing the video.
|
|
|
|
|
|
Detailed List of Affected Products
|
|
==================================
|
|
|
|
Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable
|
|
component is a S60 base functionality, it seems safe to assume that
|
|
all devices with these OS versions are affected.
|
|
|
|
S60 3rd Edition, Feature Pack 1 (S60 3.1):
|
|
Nokia E90 Communicator
|
|
Nokia E71
|
|
Nokia E66
|
|
Nokia E51
|
|
Nokia N95 8GB
|
|
Nokia N95
|
|
Nokia N82
|
|
Nokia N81 8GB
|
|
Nokia N81
|
|
Nokia N76
|
|
Nokia 6290
|
|
Nokia 6124 classic
|
|
Nokia 6121 classic
|
|
Nokia 6120 classic
|
|
Nokia 6110 Navigator
|
|
Nokia 5700 XpressMusic
|
|
|
|
S60 3rd Edition, initial release (S60 3.0):
|
|
Nokia E70
|
|
Nokia E65
|
|
Nokia E62
|
|
Nokia E61i
|
|
Nokia E61
|
|
Nokia E60
|
|
Nokia E50
|
|
Nokia N93i
|
|
Nokia N93
|
|
Nokia N92
|
|
Nokia N91 8GB
|
|
Nokia N91
|
|
Nokia N80
|
|
Nokia N77
|
|
Nokia N73
|
|
Nokia N71
|
|
Nokia 5500
|
|
Nokia 3250
|
|
|
|
S60 2nd Edition, Feature Pack 3 (S60 2.8):
|
|
Nokia N90
|
|
Nokia N72
|
|
Nokia N70
|
|
|
|
S60 2nd Edition, Feature Pack 2 (S60 2.6):
|
|
Nokia 6682
|
|
Nokia 6681
|
|
Nokia 6680
|
|
Nokia 6630
|
|
|
|
|
|
Change History
|
|
==============
|
|
|
|
December 30, 2008:
|
|
Removed auth details since they are no longer required
|
|
|
|
December 21, 2008:
|
|
Corrected version numbers for S60 2nd Edition
|
|
|
|
December 13, 2008:
|
|
S60 2.8 devices react like S60 3.1 devices, not like S60 2.6 or 3.0
|
|
devices
|
|
|
|
# milw0rm.com [2009-01-01] |