A recently discovered denial-of-service attack, which can cripple text message capabilities on some Nokia smartphones, could be just the beginning of a new wave of mobile attacks, according to a Fortinet Inc. security researcher.
At last month’s Chaos Communication Congress in Berlin, German security researcher Tobias Engel unveiled the “Curse of Silence” attack, a maliciously crafted text message that deactivates a cell phone’s ability to receive SMS or MMS messages. Potentially vulnerable devices include versions 2.6 through 3.1 of Symbian Series 60 Nokia smartphones.
For version 2.8 and 3.1 users, the software will warn of memory problems after being infected by a malformed message and eventually fail after 11 such messages, according to Engel. For users running version 2.6 and 3.0 of the software, phones will lose the ability to receive SMS and MMS after just one malicious text message.
Engel added that an infected phone must be factory-reset in order to receive text messages.
But while this might only be a nuisance for a select group of Nokia customers right now, it also marks the beginning of a potentially dangerous trend – and one that will almost certainly affect other handset brands.
Derek Manky, a security researcher at Fortinet’s Canadian office in Burnaby, B.C., said that while the “Curse of Silence” attack is disrupting, it’s still represents a fairly immature mobile attack.
“From my point-of-view, what we’re going to starting seeing is mobile threats going down the same path that malware did on your desktop PC,” he said.
Manky pointed to the Beselo mobile virus, discovered in January 2008, which sent MMS files to users under such filenames as .jpg or .mp3. Hiding the virus with these attractive filename extensions is an age old trick for PC hackers, he said, that will most likely become more common in the coming year in mobile attacks.
While the Beselo attacks collected phone numbers and other address book information for the purposes of spamming, Manky said that hackers will increasingly be looking for more direct ways to profit from mobile attacks. With the attacks seen thus far, he said, users would have the nuisance of getting high bills from sending out automated text messages.
“But once hackers start opening the same doors that we’ve seen on PCs, we’ll start to encounter things like keylogging and banking Trojans,” he added.
“With everything going to mobile platforms because of convenience, users without access to a computer are paying their bank bills while on the road,” Manky said. “If you’re browsing one of those vulnerable Web sites and you have a Trojan installed on your computer, you’re account information can be compromised.”
IT managers might also want to take note, he added, as employees might soon be walking around and connecting to company data with vulnerable phones – although this might still be a few years away.
But with new mobile operating systems like Palm Web OS, iPhone OS, and Google Android just released over the last few years, hackers will certainly have a lot of material to choose from to find vulnerabilities.
With Android especially, you’re going to see a wider variety of Web browsers being used, so it’s not just the smartphones themselves as the vulnerability, Manky said. “We’re seeing a lot more Web-based threats nowadays.”
“What we can expect in 2009 and 2010, with the integration of the Web vulnerabilities, is an attack vector that IT departments should certainly be concerned about.”
For users concerned about the “Curse of Silence” attack, Fortinet’s FortiGuard security team is providing free licenses of its FortiCleanUp tool for users to protect their mobile devices against the attack or to recover from it by removing the malicious SMS messages that have already struck.