One can hack Nokia phones just by sending an SMS. Seems devilish,
doesn’t it? Although this vulnerability was found more than a year ago and exposed by AnsariTrixs.com, I
recently tried it and found it working on many sets. The vulnerability, dubbed
“Curse of Silence”, affects all Nokia Symbian 60/Series 60 devices and
allows for remote SMS/MMS Denial of Service. One can send a specially
crafted SMS to lock up or crash any Series 60 device.
What is Required?
- MSISDN of the target.
- A Mobile phone service provider which allows sending of SMS messages (Airtel in my case)
- (Almost) any Nokia phone (or some other means of sending SMS messages with TP-PID set to “Internet Electronic Mail”)
Risk Levels
Although the vulnerability is spread across many versions of the S60
platform, the risk level differs by version. It is quite high for S60 2.6
and 3.0 devices: upon attack, the target will not be able to receive any
SMS or MMS messages until the device is factory reset. It is Medium for
S60 2.8 and 3.1 devices: upon a DoS attack, the target will not be able to
receive any SMS or MMS messages while the attack is ongoing. After that,
only very limited message receiving is possible until the device is
factory reset.
The Attack
One can send an email using an SMS by setting the message’s Protocol
Identifier to “Internet Electronic Mail” and formatting the message like
this:
<email-address><space><message body>
The simplest attack will be:
123456789@123456789.1234567890123
If such messages contain an <email-address> with more than 32
characters, S60 2.6, 2.8, 3.0 and 3.1 devices fail to display the
message or give any indication on the user interface that such a message
has been received. They do, however, signal to the SMS carrier that they
have received the message.
Devices running S60 2.6 or 3.0 will not be able to receive any other SMS
message after that. The user interface does not give any indication of
this situation. The only remedy seems to be a Factory Reset of the
device (by entering “*#7370#”) or using a Vulcan Death Grip.
Devices running S60 2.8 or 3.1 react a little differently: they do not
lock up until they have received at least 11 SMS-email messages with an
email address that is longer than 32 characters. After that, the device
will not be able to receive any other SMS message, and the phone will
just display a warning that there is not enough memory to receive
further messages and that data should be deleted first. This message is
even displayed on an otherwise completely “empty” device.
After switching the phone off and on again, it has limited capability
for receiving SMS messages again: if it receives an SMS message that is
split up into several parts, it is only able to receive the first part
and will display the “not enough memory” warning again. After
power-cycling the device again, it can then receive the second part. If
there is a third part, it has to be power-cycled again, and so on.
Also, an attacker now just needs to send one more “Curse Of Silence”
message to lock the phone up again. By always sending yet another one
as soon as the status report for delivery of the previous message is
received, the attacker could completely prevent a target from receiving
any other SMS/MMS messages.
Only a Factory Reset of the device will restore its full message
receiving capabilities. Note that if a backup is made using Nokia
PC-Suite *after* being attacked, the blocking messages are also backed up
and will be sent to the device again when restoring the backup after
the Factory Reset.
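A network-side screen for the message shape described above, as an added example that is not part of the original post: it quarantines SMS-email messages whose address field exceeds 32 characters and counts hits per recipient. The InboundSms record, the screen() helper and the sample traffic are hypothetical; the TP-PID value 0x32 for “Internet Electronic Mail” comes from 3GPP TS 23.040, not from this page.

```python
from collections import Counter
from dataclasses import dataclass

PID_INTERNET_EMAIL = 0x32  # TP-PID "Internet Electronic Mail" (3GPP TS 23.040)
MAX_ADDR_LEN = 32          # longer address fields trigger the bug, per the page


@dataclass
class InboundSms:          # hypothetical shape of an already-decoded message
    sender: str
    recipient: str
    tp_pid: int
    text: str


def email_field(text: str) -> str:
    """Return the <email-address> part: everything before the first space."""
    return text.split(" ", 1)[0]


def is_curse_of_silence(msg: InboundSms) -> bool:
    """True when an SMS-email message carries an over-long address field."""
    if msg.tp_pid != PID_INTERNET_EMAIL:
        return False
    return len(email_field(msg.text)) > MAX_ADDR_LEN


def screen(messages):
    """Split traffic into (deliver, quarantine) and count hits per recipient."""
    deliver, quarantine, hits = [], [], Counter()
    for msg in messages:
        if is_curse_of_silence(msg):
            quarantine.append(msg)
            hits[msg.recipient] += 1
        else:
            deliver.append(msg)
    return deliver, quarantine, hits


# Constructed sample traffic (numbers and addresses are made up).
SAMPLE = [
    InboundSms("+10000000001", "+10000000099", 0x00, "See you at 6?"),
    InboundSms("+10000000002", "+10000000099", 0x32, "bob@example.org lunch?"),
    InboundSms("+10000000003", "+10000000099", 0x32,
               "123456789@123456789.1234567890123"),
    InboundSms("+10000000003", "+10000000099", 0x00,
               "123456789@123456789.1234567890123 plain text, not SMS-email"),
]

if __name__ == "__main__":
    ok, held, per_target = screen(SAMPLE)
    print(len(ok), "delivered;", len(held), "quarantined;", dict(per_target))
```

The per-recipient counter matters for S60 2.8 and 3.1 handsets, which only lock up after repeated messages, so a rising count for one number is the signal to alert on.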
Detailed List of affected phones
Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable
component is an S60 base functionality, it seems safe to assume that all
devices with these OS versions are affected. In short, if you own one of
these, you are vulnerable unless you have a firmware upgrade/fix released
by Nokia which fixes this attack.
S60 3rd Edition, Feature Pack 1 (S60 3.1)
- Nokia E90 Communicator
- Nokia E71
- Nokia E66
- Nokia E51
- Nokia N95 8GB
- Nokia N95
- Nokia N82
- Nokia N81 8GB
- Nokia N81
- Nokia N76
- Nokia 6290
- Nokia 6124 classic
- Nokia 6121 classic
- Nokia 6120 classic
- Nokia 6110 Navigator
- Nokia 5700 Xpress Music
S60 3rd Edition, initial release (S60 3.0)
- Nokia E70
- Nokia E65
- Nokia E62
- Nokia E61i
- Nokia E61
- Nokia E60
- Nokia E50
- Nokia N93i
- Nokia N93
- Nokia N92
- Nokia N91 8GB
- Nokia N91
- Nokia N80
- Nokia N77
- Nokia N73
- Nokia N71
- Nokia 5500
- Nokia 3250
S60 2nd Edition, Feature Pack 3 (S60 2.8)
- Nokia N90
- Nokia N72
- Nokia N70
S60 2nd Edition, Feature Pack 2 (S60 2.6)
- Nokia 6682
- Nokia 6681
- Nokia 6680
- Nokia 6630