Saturday, November 30, 2013

Google Nexus smartphones susceptible to SMS-based denial-of-service attack

Usually, the term "denial-of-service attack" is linked with the word "distributed" as in "distributed denial-of-service attack" or DDOS, and is a method by which a group of attackers can take down a website. However, Black Friday 2013 was really black for Google, as a method of attacking Google Nexus phones was discovered and publicized (via PC World) by a Dutch IT services company's system administrator.

Bogdan Alecu, a system administrator at Dutch IT services company Levi9, said that attackers could perform a sort of DOS attack on Nexus phones, causing them to reboot or fail to connect to the mobile network by sending a large number of special SMS messages (Class 0 SMS, or Flash SMS) to them. Alecu presented the vulnerability on Friday at the DefCamp security conference in Bucharest, Romania.

Reportedly, the issue affects all Android 4.x firmware versions on the Google Galaxy Nexus, Nexus 4 and Nexus 5. These phones were built by various manufacturers (Galaxy Nexus = Samsung, Nexus 4 and 5 = LG); the Galaxy Nexus cannot be upgraded past Android 4.3, while the other two devices can be upgraded to KitKat, or 4.4.

The earlier Nexus One cannot be upgraded past Android 2.3, and the Nexus S was not mentioned, despite being upgradeable to 4.1.

Class 0 SMS, or Flash SMS, is a specific type of SMS message defined in the GSM specification. This type of message is displayed directly on the phone's screen and is not automatically stored on the device. After a user reads such a message, they have the option to either dismiss or save it.

The issue occurs when a large number of Flash SMS messages are received by a Nexus phone, one "on top" of another. On a Nexus phone, a Flash SMS message is displayed on top of all active windows and is surrounded by "a semi-transparent black overlay that has a dimming effect on the rest of the screen." The problem is that if earlier messages are not dismissed or saved, follow-up messages are placed on top of the earlier ones and the dimming effect is increased.

Significantly, this can be done without alerting an end user, as there is no audio notification, even if the device is configured to notify for regular incoming SMS messages. Thus, users will not be alerted unless they look at their phone.
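
For defenders who log received SMS metadata, the check below is an added example, not code from the original post or from Alecu's talk. It identifies Class 0 messages from the TP-DCS octet (layout per 3GPP TS 23.038, which is not quoted on this page) and flags a burst that reaches the "about 30" count reported here; the 10-minute window, function names and sample events are assumptions.

```python
from collections import deque

BURST_THRESHOLD = 30   # "about 30" messages, as reported in the article
WINDOW_SECONDS = 600   # assumption: the article gives no time window


def message_class(dcs):
    """Return the SMS message class (0-3) carried in a TP-DCS octet, or None."""
    if dcs & 0x80 == 0:
        # Groups 00xx (general) and 01xx (automatic deletion):
        # bit 4 says whether bits 1..0 carry a message class.
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:
        # Group 1111 (data coding / message class): class is always present.
        return dcs & 0x03
    return None  # reserved and message-waiting groups carry no class


def is_flash_sms(dcs):
    """Class 0 is the 'Flash SMS' shown directly on screen."""
    return message_class(dcs) == 0


def find_flash_bursts(events, threshold=BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Return timestamps at which `threshold` Class 0 messages arrived
    within `window` seconds. `events` is an iterable of (timestamp, dcs)."""
    recent = deque()
    alerts = []
    for ts, dcs in events:
        if not is_flash_sms(dcs):
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
            recent.clear()  # start counting again after raising an alert
    return alerts


# Constructed sample: ordinary messages, a 30-message flash burst,
# then a slow trickle of flash messages that should not trigger.
SAMPLE = ([(i, 0x00) for i in range(5)]
          + [(100 + 2 * i, 0x10) for i in range(30)]
          + [(10000 + 1000 * i, 0xF0) for i in range(40)])

if __name__ == "__main__":
    print(find_flash_bursts(SAMPLE))
```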

Alecu discovered that when a large number of Flash SMS messages -- about 30, he reported -- are received and are not dismissed, Nexus devices react in strange ways. One of the three has only a temporary effect:

The most common behavior is that the phone reboots, he said. In this case, if a PIN is required to unlock the SIM card, the phone will not connect to the network after the reboot and the user might not notice the problem for hours, until they look at the phone. During this time the phone won't be able to receive calls, messages or other types of notifications that require a mobile network connection.

According to Alecu, a different behavior that happens on rare occasions is that the phone doesn't reboot, but temporarily loses connection to the mobile network. The connection is automatically restored and the phone can receive and make calls, but can no longer access the Internet over the mobile network. The only method to restore the data connection is to restart the phone, Alecu said.

On other rare occasions, only the messaging app crashes, but the system automatically restarts it, so there is no long term impact.

Alecu said he reported the issue to Google, but -- until July -- he mostly received automated responses. In July, someone from the Android Security Team told him the issue would be fixed in Android 4.3, but it wasn't, Alecu said.

This, Alecu said, contributed to his decision to disclose the problem publicly. A Google representative said via email:

"We thank him for bringing the possible issue to our attention and we are investigating."

It is unclear whether the issue affects only stock Android builds, or whether devices running builds with Sense UI (HTC), TouchWiz (Samsung), or any other OEM-customized interface fail in a similar way.
