Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages


There have been a few stories about this in the past, I recall China Facing Problems With Android Handsets & Pre-installed Trojans that were draining people’s batteries and phone credit by sending messages to premium-rate numbers.

The latest news is of a more technical nature, but it outlines ways in which cybercrooks may well be able to send out premium-rate SMS messages without the handset owner knowing due to weaknesses in the actual standard.

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.

It seems to be a theoretical attack right now, but seen as though it’s a flaw with the way the standard works (and it’s implemented this way on literally millions of phones) it could become a major issue.

I would imagine it’s something vendors can fix on future handsets they sell, or on previous handsets via a firmware update – but that wouldn’t cover everyone.

In all likelihood however, I see the most likely ath would be it stats as a purely theoretical attack.


In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator’s message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option “Confirm SIM Service Actions” is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports

The SIM DoS attack is fairly interesting as it could prevent a user from receiving legitimate SMS responses almost indefinitely. There are various ways to mitigate against the attack and it seems like Nokia has the most secure handset as of now – even though the option to prevent these attacks is turned off by default – at least they have the option.

The other way is to get the service providers to filter out the messages and use a whitelist for legitimate SIM Toolkit messages – I don’t think that’s very likely though.

Source: The Register

Posted in: Spammers & Scammers, Telecomms Hacking


Latest Posts:


Axiom - Pen-Testing Server For Collecting Bug Bounties Axiom – Pen-Testing Server For Collecting Bug Bounties
Project Axiom is a set of utilities for managing a small dynamic infrastructure setup for bug bounty, basically a pen-testing server out of the box with 1-line.
Quasar RAT - Windows Remote Administration Tool Quasar RAT – Windows Remote Administration Tool
Quasar is a fast and light-weight Windows remote administration tool coded in C#. Used for user support through day-to-day administrative work to monitoring.
Pingcastle - Active Directory Security Assessment Tool Pingcastle – Active Directory Security Assessment Tool
PingCastle is a Active Directory Security Assessment Tool designed to quickly assess the Active Directory security level based on a risk and maturity framework.
Second Order - Subdomain Takeover Scanner Tool Second Order – Subdomain Takeover Scanner Tool
Second Order Subdomain Takeover Scanner Tool scans web apps for second-order subdomain takeover by crawling the application and collecting URLs (and other data)
Binwalk - Firmware Security Analysis & Extraction Tool Binwalk – Firmware Security Analysis & Extraction Tool
Binwalk is a fast and easy to use Python-based firmware security analysis tool that allows for firmware analysis, reverse engineering & extracting of firmware.
zBang - Privileged Account Threat Detection Tool zBang – Privileged Account Threat Detection Tool
zBang is a risk assessment tool for Privileged Account Threat Detection on a scanned network, organizations & red teams can use it to identify attack vectors


2 Responses to Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages

  1. Bogdan December 21, 2011 at 12:44 pm #

    Thank you for your interest in the news. However, it’s not just a theoretical attack. I’ve demonstrated that the attack works on most of the SIM cards and it also charges you for sending the message to the premium rate number.
    Indeed, the best protection would come from the carriers, but as you said, I doubt that they will do such thing.

    • Darknet December 22, 2011 at 5:26 pm #

      Hey Bogdan, I think you misunderstood what I was trying to say. I wasn’t saying it doesn’t work in real life (as with your demonstration) for me when I say theoretical it means it’ll stay amongst the research community and it’s unlikely we’ll see it ‘in the wild’ – e.g. executed by people other than you.