The latest news is of a more technical nature, but it outlines ways in which cybercrooks may well be able to send out premium-rate SMS messages without the handset owner knowing due to weaknesses in the actual standard.

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.

It seems to be a theoretical attack right now, but seen as though it’s a flaw with the way the standard works (and it’s implemented this way on literally millions of phones) it could become a major issue.

I would imagine it’s something vendors can fix on future handsets they sell, or on previous handsets via a firmware update – but that wouldn’t cover everyone.

In all likelihood however, I see the most likely ath would be it stats as a purely theoretical attack.

In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator’s message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option “Confirm SIM Service Actions” is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports

The SIM DoS attack is fairly interesting as it could prevent a user from receiving legitimate SMS responses almost indefinitely. There are various ways to mitigate against the attack and it seems like Nokia has the most secure handset as of now – even though the option to prevent these attacks is turned off by default – at least they have the option.

The other way is to get the service providers to filter out the messages and use a whitelist for legitimate SIM Toolkit messages – I don’t think that’s very likely though.

Source: The Register

The latest news is a few million Chinese Internet users had trouble accessing any websites yesterday due to a DDoS attack on the DNS system from one of the countries registrars.

It just shows that China has an inherently weak infrastructure if such a large portion of people can be disrupted with an attack to a single location.

I guess the users haven’t heard of OpenDNS either, or perhaps they can’t use it because it’s blocked by the ‘Great Firewall of China‘.

An attack on the servers of a domain registrar in China caused an online video application to cripple Internet access in parts of the country late on Wednesday.

Internet access was affected in five northern and coastal provinces after the DNS (domain name system) attack, which targeted just one company but caused unanswered information requests to flood China’s telecommunications networks, China’s IT ministry said in a statement on its Web site. The DNS is what computers use to find each other on the Internet.

The incident revealed holes in China’s DNS that are “very strange” for such a big country, said Konstantin Sapronov, head of Kaspersky’s Virus Lab in China.

The problems started when registrar DNSPod’s DNS servers were targeted with a DDOS (distributed denial of service) attack, described by the company in an online statement. In such an attack, the attacker orders a legion of compromised computers to try to communicate with a server all at once, which overwhelms the server and crushes its ability to return requests for information.

A DoS attack on the root domain servers of any organisation is always one of the most effective as you don’t have to saturate a large pipe, you just have to make the machine max out it’s CPU/RAM so it can’t serve any more requests.

It’s much better than trying to take a corporate network offline by filling up their main line. Targeted attacks are always the most effecient.

Internet access returned to normal in the late night several hours later, according to the government statement.

China had almost 300 million Internet users at the end of last year, according to the country’s domain registry agency, and streaming online video is as popular among young people as it is in Western countries.

The event, the first of its kind in China, suggests the country needs to improve its rules managing the DNS, said Zhao Wei, CEO of Knownsec, a Beijing security firm.

The original attack transformed into a regional DNS jam essentially because Baofeng is so popular, said Zhao.

Such programs may need smarter code, which could instruct them to withdraw DNS requests that go unanswered, he said. The way unanswered requests are redirected to higher-level servers could also be changed, Zhao said.

An interesting point is that the registrar that was attacked hosted the DNS for the very popular video streaming site Baofeng – the traffic was so high for this site that that unanswered DNS requests turned into another traffic jam having the effective of multiplying the original DDoS attack.

I’m guessing this was an unintended side effect, but it worked out well for the attackers.

Source: PCWorld

As with the UK, many phones in the US are sold under contract and are given at very discounted rates or even free in some cases if you sign a contract for year withe service provider.

Before that it was illegal to unlock your phone but finally in November 2006 it came out in court that it’s ok now.

Most cell phones in the United States are purchased as part of a service plan. The phone itself is cheap or free, but it must be bought as part of a one-year or two-year service contract. Phones can also be purchased separately, but are often hundreds of dollars more expensive then the phones that come with service plans. This is because phone companies take a loss on the phone up front and hope to make up that loss over the life of the contract in monthy fees.

Nearly all of the phones purchased as part of a service plan (and even some that are purchased separately) are SIM locked to only work with that phone companies network. The phone’s software will reject SIM cards from competing phone networks. Phones bought from T-Mobile only work with T-Mobile, phones bought from Cingular only work with Cingular, etc. This way the phone company can be certain that a customer is stuck and they will make back their investment.

The fact is the protection was frequently broken and many people were unlocking their owns anyway. The US made a smart decision this time to legitimize the dodgy unlocking market and make it straight forward. It also gives the consumers back the rights they should have anyway.

Yesterday, the Library of Congress announced six new exceptions to DMCA rules. Among those was the declaration that breaking SIM locks will not be considered a DMCA violation starting on Monday:

5. Computer programs in the form of firmware that enable wireless telephone handsets to connect to a wireless telephone communication network, when circumvention is accomplished for the sole purpose of lawfully connecting to a wireless telephone communication network.

Library of Congress Rulemaking Statement

This has the potential to legitimize the shady market of cell phone unlockers. It also has the potential to change how cell phone companies do business. If awareness of these rules spreads and legitimate cell phone unlocker services appear, the current cell phone business model might not make as much sense. It is also likely to further frustrate “pay as you go” cell phone providers who have been trying to stop resellers who purchase their phones and then sell them overseas for a profit.

So please, feel free to and unlock your phone, it’s no longer a DMCA violation!

Source: Uninnovate

I have to agree with their sentiment, I’m all for open hardware standards.

Even if you don’t open it, people will copy it anyway (See the mass of Cisco knock-offs in China for a fraction of the price with almost exactly the same functions and IOS)

So why not open it, let us play with it.

At least let us know how the hardware we are paying for works.

The following webpage contains ROM images from various mobile phone operating systems. Our intention is to motivate other reverse engineers to take a look at the images and to discover other hidden secrets. Other reasons are that it is said to be hard to extract the ROM. Certainly another reason is that Nokia does not release any technical information about the hardware and I find this rather disappointing. (It’s my strong believe that when I buy hardware that I should also be allowed to know what’s in it and how to use it.)

There are ROM images from various models such as NOKIA 6630, NOKIA n70, NOKIA N-GAGE and also from SE the SonyEricsson P900 ROM image.

Mobile Phone ROM Image and Reverse Engineering Invitation

The FCC wants to clamp down on Caller ID spoofing it seems.

If you’ve ever used one of the half-dozen websites that allow you to control the phone number that appears on someone’s Caller ID display when you phone them, the U.S. government would like to know who you are.

Last week the FCC opened an investigation into the caller-ID spoofing sites — services that began popping up late 2004, and have since become a useful tool for private investigators, pranksters and more than a few fraud artists.

One of the example services that received the 7 page FCC report is called Telespoof.

On their website it says..

Telespoof.com offers the first domestic and international Caller ID spoofing service, allowing business professionals to remain anonymous when calling from anywhere in the world, to anywhere in the world. We like to think of it as “mobile invisibility”, the highest quality Caller spoofing service available anywhere in the world.

Another example is Spoofcard.com that sells a virtual ‘calling card’ for $10 that provides 60 minutes of talk time. The user dials a toll-free number, then keys in the destination number and the Caller ID number to display. The service also provides optional voice scrambling, to make the caller sound like someone of the opposite sex.

USA Today also reported on how Caller ID spoofing has become easier, saying..

Tim Murphy’s office started getting phone calls from constituents who complained about receiving recorded phone messages that bad-mouthed Murphy. The constituents were especially upset that the messages appeared to come from the congressman’s own office. At least, that’s what Caller ID said.

So if you have used one of these services for whatever reason, the federal government is interested in YOU..

The FCC is demanding business records from both companies, as well as the name of every customer that has used TeleSpoof, the date they used it and the number of phone calls they made.

Dated February 24th, the FCC letter gives TeleSpoof 20 calendar days to respond.

Source: Wired

By using one of the many mobile phone location tracking services aimed at businesses or concerned parents, and some trickery it is possibly to get almost anyone’s mobile phone position without their agreement. All that is required is their mobile phone number, and carrier.

Over the past year a number sites have popped up offering web based mobile phone tracking services. To use their services you purchase a monthly subscription or set number of credits, and enter in the targets phone number. The target then receives an SMS message asking them to confirm they consent to the tracking. After the target replies, the tracker can then request their position online and receive a street address, post code, and map of their location with an accuracy of around 250 meters.

Source: Rootsecure

• Although it is possible to get the location of a phone the target will receive the various SMS confirmation messages, alerting them to the fact they are being tracked.
• Malicious use can be traced back to the tracker via credit card records / the trackers registered phone.

More:

For the past week I’ve been tracking my girlfriend through her mobile phone. I can see exactly where she is, at any time of day or night, within 150 yards, as long as her phone is on. It has been very interesting to find out about her day. Now I’m going to tell you how I did it.

The Guardian

A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called ‘How I stalked my girlfriend’. It painted a scary picture.

The service is run by World-Tracker, a company based on the Isle of Man. When a mobile number is entered onto the World-Tracker website, a text message is sent to that phone, to ask if the person carrying the phone wishes to be tracked.

The Register