SMS (Short Message Severance)

Collin Mulliner and Nico Golde gave a very interesting SMS DoS presentation at the 27th Chaos Communication Congress. The gist of it is that “feature phones” (the cheaper, less feature-rich phones sold by providers, as opposed to “smart phones”) can accept and execute certain binary code from incoming SMS text messages. Networks often use this functionality to roll out configuration changes to their subscribers. By crafting the right message for the phone's manufacturer, these phones can be made to disconnect from their respective wireless network.
What’s interesting is that of the 5-6 billion estimated world-wide mobile phone users, around 16% use “smart phones.” That leaves a good portion of those phones, world-wide, that are likely vulnerable to this type of attack. The presenters looked up various mobile feature phone manufacturers based on their market share per global region. They then took the top 5 manufacturers by market share and bought test phones cheaply on eBay. By creating attack vectors for each manufacturer, they ensured that a quick burst of 5 SMS messages had a high likelihood of success against a given mobile phone number. While DoS is not the biggest threat facing most organizations, depending on context of course, this certainly has the possibility of disrupting communications for organizations that utilize vulnerable feature phones to any significant extent.

There is a multitude of websites that allow anonymous internet users to send SMS messages to any phone number. What input validation and other security controls are in place, I do not know. Organizations also often get blocks of mobile phone numbers, or even just a set of numbers with the same area code and prefix, which means that if an attacker knows one number, they have a high probability of easily guessing other valid mobile numbers for that same organization.

Reflecting on the recent attacks by WikiLeaks supporters against organizations that were alleged to have shunned or otherwise harmed WikiLeaks, this got me thinking. Tools such as Low Orbit Ion Cannon were set up with predetermined targets on sites around the world so that unskilled WikiLeaks supporters could contribute to DDoS attacks with a single click. It would be pretty easy to do the same thing but target mobile feature phones using widely available downloadable executables, simple off-site form submissions, integrating it into botnets, smart phone applications, or even using browser technologies like Java Applets, Silverlight, or Flash.

View the Presentation