Wednesday, December 31, 2008

“Curse of Silence” exploit prevents Nokia S60 phones from receiving SMS/MMS

A serious vulnerability for Nokia phones has been unveiled today which blocks all incoming messages, whether it be in the form of SMS or MMS. It is considered to be a “Remote SMS/MMS Denial of Service” and is called the “Curse Of Silence.”

If the name isn’t enough to convince you just how bad this exploit really is, consider this: it can be carried out with the use of a simple, carefully tweaked SMS to any S60-based Nokia phone. Yes, including S60 2.6, 2.8, and 3.0, as well as S60 3.1 devices. The only way to fix it is via hard reset.

The summary of the exploit is as follows:

Emails can be sent via SMS by setting the messages Protocol Identifier
to “Internet Electronic Mail” and formatting the message like this:

If such messages contain an with more than 32
characters, S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive
other SMS or MMS messages anymore. 2.6 and 3.0 devices lock up after
only one message, 2.8 and 3.1 devices after 11 messages.

Who would’ve thought such a vulnerability actually exists? One day, you might wake up not being able to receive any messages on your phone, without knowing that it’s not because of any hardware or software defect, but because of this exploit. A video demonstrating the “Curse of Silence” is available below:

Curse of Silence via Hack a day and