29 Nov

Today, at the DefCamp Security Conference in Bucharest, Romania, details were revealed about a potentially serious SMS vulnerability found in all current Nexus phones. The person responsible for the discovery is Bogdan Alecu, a system administrator at Levi9 and independent security researcher in Romania. When exploited, the attack can force the phone to reboot or destabilize certain services.


The method of attack simply relies on sending a series of Class 0 "Flash" messages to the target phone. Flash messages are typically used for emergency or security purposes, appearing on the screen immediately instead of going to the default SMS application. When such a message arrives, no sounds are made but the background is dimmed and a single dialog box appears on top. Once 20-30 messages pile up, assuming the user isn't clearing them, it overloads the system and leads to a few potential side-effects. Most commonly, the result is an unresponsive device or an immediate reboot, but the Messages app or cellular radio may occasionally crash or freeze up in some instances.

If the cellular radio crashes, the consequences can be more serious. If the target has locked their SIM with a PIN code, the phone cannot reconnect to the network until the code is entered. From time to time the cellular radio also seizes up entirely, which can only be fixed by restarting the device. This is problematic because there are no audible prompts and the malfunction won't be noticed until the owner unlocks their screen, potentially leaving them without service for several hours.

Alecu first notified the Android Security Team of the issue over a year ago, but initially received only automated responses. Continued efforts were mostly unsuccessful, leading to the decision to disclose the vulnerability publicly. To mitigate potential threats, he collaborated with Michael Mueller to develop Class0Firewall, an app designed to protect against Class 0 messages once they arrive at a rate that amounts to a denial-of-service attack.
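The threshold-based defence the article credits to Class0Firewall, modelled here as an added example that is not that app's code or anything from the page: it reads the TP-DCS octet of an incoming SMS-DELIVER PDU to recognise class-0 ("flash") messages and holds them instead of displaying them once a burst exceeds a threshold. The PDU bytes are a constructed sample, and the threshold and window values are assumptions.

```python
from collections import deque

def dcs_message_class(dcs: int):
    """Return the message class (0-3) carried in a TP-DCS octet, or None
    if the octet does not assign a class (3GPP TS 23.038 coding groups)."""
    group = dcs >> 4
    if group <= 0x3:              # general data coding: bit 4 says whether bits 1-0 are a class
        return dcs & 0x03 if dcs & 0x10 else None
    if group == 0xF:              # "data coding / message class" group: bits 1-0 are always a class
        return dcs & 0x03
    return None                   # message-waiting groups etc. carry no class

def deliver_pdu_dcs(pdu_hex: str) -> int:
    """Walk an SMS-DELIVER PDU (SMSC info included) up to its TP-DCS octet."""
    raw = bytes.fromhex(pdu_hex)
    i = raw[0] + 1                          # skip SMSC length byte and SMSC address
    if raw[i] & 0x03 != 0x00:               # TP-MTI must be 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = raw[i + 1]                  # originating address length in digits
    i += 2 + 1 + (oa_digits + 1) // 2       # first octet, OA length, TOA, packed digits
    return raw[i + 1]                       # raw[i] is TP-PID, the next octet is TP-DCS

def make_deliver_pdu(dcs: int) -> str:
    """Constructed sample SMS-DELIVER PDU ("How are you?") with a chosen DCS."""
    return ("07911326040000F0" "04" "0B91" "1346610089F6" "00"
            f"{dcs:02X}" "20806291731408" "0C" "C8F71D14969741F977FD07")

class Class0Guard:
    """Sliding-window counter: after `threshold` class-0 messages within
    `window_s` seconds, further ones are held instead of shown as dialogs."""
    def __init__(self, threshold: int = 5, window_s: float = 60.0):
        self.threshold, self.window_s = threshold, window_s
        self.arrivals = deque()

    def handle(self, pdu_hex: str, now: float) -> str:
        if dcs_message_class(deliver_pdu_dcs(pdu_hex)) != 0:
            return "deliver"                # ordinary SMS: hand to the default app
        self.arrivals.append(now)
        while now - self.arrivals[0] > self.window_s:
            self.arrivals.popleft()
        return "display" if len(self.arrivals) <= self.threshold else "suppress"

def simulate_flood(count: int = 30, interval_s: float = 0.5):
    """Replay a burst like the one in the article; returns (shown, suppressed)."""
    guard = Class0Guard()
    flash = make_deliver_pdu(0x10)          # GSM 7-bit, class 0 ("flash")
    verdicts = [guard.handle(flash, n * interval_s) for n in range(count)]
    return verdicts.count("display"), verdicts.count("suppress")
```

A real implementation would sit where the radio hands SMS PDUs to the platform; the point shown is that only the DCS octet is needed to tell a flash message from a normal one, so rate-limiting can happen before any dialog is drawn.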

Bogdan notes that the current attack is only capable of destabilizing a phone, but theorizes that it might be possible to force remote code execution.

Based on limited testing with devices from various vendors, the vulnerability appears to only affect the Nexus line running on all versions of stock Android through to the current release of KitKat. None of the OEM variants checked were susceptible to the attack. Hopefully the publicity will prompt Google to release a patch to block the issue as quickly as possible. Even if a fix is rolled out, it's not entirely clear if the Galaxy Nexus will receive it now that it is no longer getting OS updates. Ideally, the patch will be ported back to Android 4.3 and a security release will be made for the 2-year-old phone.

Thanks, Bogdan Alecu!

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • soy

    Not the end of the world really is it plus you would hear the phone rebooting anyway

  • Testraindrop

    Let's see how long it takes the custom ROM scene to deliver a patch...

    Good thing I don't have to wait for Google :)

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Kinda what I was thinking. Of course, there have been more people sticking to stock in the last year or so.

      Either way, this issue should have been resolved a while ago. It sounds like a forgotten/ignored function that nobody wanted to take the time to clean up.

    • Björn Lundén
  • AOSPrevails

    Given there is a firewall app out here, I am not too concerned about it. Thanks to Bogdan for discovering this exploit and an app to protect us. I am still disappointed with how Google treated his notification without urgency or even attention.

    • Darkbotic

      Google always ignores important bugs. Just go to http://b.android.com and you'll find a whole list of bugs that have been reported over 2 years ago and are still ignored by the Android team.

  • http://attackoftheandroids.com/ Mat Lee

    I wonder if text secure prevents this.

  • dani

    With all these bugs in Android 4.4 and Nexus 5 reported almost on a daily basis, I am eagerly waiting for some software fixes from Google.

    • me

      What bugs? I have no issues. 4.4 is best build to date. N7, N7 2013, N4, N5, N10. Shit, my gnex port even working flawless.

      • thedosbox

        Is it really that difficult to read through the androidpolice archives? I can think of two issues that have been reported - exchange connectivity and speaker quality.

  • Spasillium

    Holy shit what song is that in the first video!?

    • usamaisawake

      "Stay Alive" by Wasted Penguinz

      • Spasillium

        Thank you! :D

  • andy_o

    He also sells an app that can send those flash SMS, that normally "only carriers can". And there, he says

    DONT USE THIS APP FOR EVIL! ACT RESPONSIBLE LIKE A HACKER, NOT LIKE A CRACKER OR SKIDDIE!

    Yeah, that's gonna happen.

  • Andres Schmois

    Does anyone else notice the first video not appearing to be kitkat styled ui? Why does it look very gingerbread-y?

    • http://shanked.me/ Shank

      My guess is that the layer that handles flash messages simply hasn't been touched since gingerbread. CMAS probably replaced most of the use cases carriers would have had for flash messages anyway.

    • Bogdan Alecu

      It is KitKat; on the second one it's Android 4.2

      • Andres Schmois

        I know it's kitkat, I was just surprised to see old non-holo layouts. Shank answered my question though :)

  • RL010

    Let me guess, they also sell anti-virus and firewall apps for Android

  • mikeym0p

    This is even more reason for Google to include Hangouts on their phones. Could it be they ignored it as a leap of faith towards Hangouts??