Today, at the DefCamp Security Conference in Bucharest, Romania, details were revealed about a potentially serious SMS vulnerability found in all current Nexus phones. The person responsible for the discovery is Bogdan Alecu, a system administrator at Levi9 and independent security researcher in Romania. When exploited, the attack can force the phone to reboot or destabilize certain services.
The method of attack simply relies on sending a series of Class 0 "Flash" messages to the target phone. Flash messages are typically used for emergency or security purposes, appearing on the screen immediately instead of going to the default SMS application. When such a message arrives, no sounds are made but the background is dimmed and a single dialog box appears on top. Once 20-30 messages pile up, assuming the user isn't clearing them, it overloads the system and leads to a few potential side-effects. Most commonly, the result is an unresponsive device or an immediate reboot, but the Messages app or cellular radio may occasionally crash or freeze up in some instances.
In the event that the cellular radio crashes, it may have some more serious consequences. If a target has their SIM locked with a PIN code, the phone will not be able to reconnect until the code is entered. From time to time, it's also possible for the cellular radio to seize up, which can only be fixed by restarting the device. This is problematic because there are no audible prompts and the malfunction won't be seen until the owner unlocks their screen, leaving them without service for potentially several hours.
Alecu first notified The Android Security Team to the issue over a year ago, but initially received only automated responses. Continued efforts were mostly unsuccessful, leading to the decision to disclose the vulnerability publicly. To mitigate potential threats, he collaborated with Michael Mueller to develop Class0Firewall, an app designed to protect from Class 0 messages if they reach the threshold of becoming a denial-of-service attack.
Bogdan notes that the current attack is only capable of destabilizing a phone, but theorizes that it might be possible to force remote code execution.
Based on limited testing with devices from various vendors, the vulnerability appears to only affect the Nexus line running on all versions of stock Android through to the current release of KitKat. None of the OEM variants checked were susceptible to the attack. Hopefully the publicity will prompt Google to release a patch to block the issue as quickly as possible. Even if a fix is rolled out, it's not entirely clear if the Galaxy Nexus will receive it now that it is no longer getting OS updates. Ideally, the patch will be ported back to Android 4.3 and a security release will be made for the 2-year-old phone.
Thanks, Bogdan Alecu!