Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages

Use Netsparker


There have been a few stories about this in the past, I recall China Facing Problems With Android Handsets & Pre-installed Trojans that were draining people’s batteries and phone credit by sending messages to premium-rate numbers.

The latest news is of a more technical nature, but it outlines ways in which cybercrooks may well be able to send out premium-rate SMS messages without the handset owner knowing due to weaknesses in the actual standard.

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.

It seems to be a theoretical attack right now, but seen as though it’s a flaw with the way the standard works (and it’s implemented this way on literally millions of phones) it could become a major issue.

I would imagine it’s something vendors can fix on future handsets they sell, or on previous handsets via a firmware update – but that wouldn’t cover everyone.

In all likelihood however, I see the most likely ath would be it stats as a purely theoretical attack.


In the first case, an attacker might use an SMS spoofing service to force the dispatch of an error message to a premium-rate number, potentially ringing up fraudulent charges against the account of a targeted phone owner in the process.

Attackers can’t control the content of the automatic error responses, a potential stumbling block when it comes to signing up people up for these services simply because they’ve sent a message, but it’s easy to imagine this tactic will be effective enough times to make it potentially workable. A premium-rate number is restricted to signing up people to its services only in response to properly formatted requests rather than an any old message.

In the second case, an SIM Toolkit error message is sent to the operator’s message centre, and this is interpreted as a message delivery failure. Operators usually attempt to resend the undelivered message: creating an error loop that prevents the delivery of legitimate SMS messages to a user’s handset until a bogus SIM Toolkit message times out, typically after 24 hours or so. Because of this, sending a series of bogus SIM Toolkit messages creates a means of running an SMS DoS attack.

Independent security researcher Bogdan Alecu gave a presentation explaining the security shortcoming, and demonstrating how it might be exploited, at a recent DeepSec security conference in Vienna, Austria.

Alecu tested the attack against phones from Samsung, Nokia, HTC, RIM and Apple. Only phones from Nokia have the option to ask users before confirming the dispatch of an SIM Toolkit response. However the the option “Confirm SIM Service Actions” is usually disabled by default. Operators could mitigate the attack by filtering SIM Toolkit messages and whitelisting numbers that are allowed to send them. However Alecu said he is yet to encounter an operator that applies such controls, even after testing the attack on mobile operators in Romania, Bulgaria, Austria, Germany and France, IDG reports

The SIM DoS attack is fairly interesting as it could prevent a user from receiving legitimate SMS responses almost indefinitely. There are various ways to mitigate against the attack and it seems like Nokia has the most secure handset as of now – even though the option to prevent these attacks is turned off by default – at least they have the option.

The other way is to get the service providers to filter out the messages and use a whitelist for legitimate SIM Toolkit messages – I don’t think that’s very likely though.

Source: The Register

Posted in: Spammers & Scammers, Telecomms Hacking


Latest Posts:


Gerix WiFi Cracker - Wireless 802.11 Hacking Tool With GUI Gerix WiFi Cracker – Wireless 802.11 Hacking Tool With GUI
Gerix WiFi cracker is an easy to use Wireless 802.11 Hacking Tool with a GUI, it was originally made to run on BackTrack and this version has been updated for Kali (2018.1).
Malcom - Malware Communication Analyzer Malcom – Malware Communication Analyzer
Malcom is a Malware Communication Analyzer designed to analyze a system's network communication using graphical representations of network traffic.
WepAttack - WLAN 802.11 WEP Key Hacking Tool WepAttack – WLAN 802.11 WEP Key Hacking Tool
WepAttack is a WLAN open source Linux WEP key hacking tool for breaking 802.11 WEP keys using a wordlist based dictionary attack.
Eraser - Windows Secure Erase Hard Drive Wiper Eraser – Windows Secure Erase Hard Drive Wiper
Eraser is a hard drive wiper for Windows which allows you to run a secure erase and completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.
Insecure software versions are a problem Web Security Stats Show XSS & Outdated Software Are Major Problems
Netsparker just published some anonymized Web Security Stats about the security vulnerabilities their online solution identified on their users’ web applications and web services during the last 3 years.
CTFR - Abuse Certificate Transparency Logs For HTTPS Subdomains CTFR – Abuse Certificate Transparency Logs For HTTPS Subdomains
CTFR is a Python-based tool to Abuse Certificate Transparency Logs to get subdomains from a HTTPS website in a few seconds.


2 Responses to Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages

  1. Bogdan December 21, 2011 at 12:44 pm #

    Thank you for your interest in the news. However, it’s not just a theoretical attack. I’ve demonstrated that the attack works on most of the SIM cards and it also charges you for sending the message to the premium rate number.
    Indeed, the best protection would come from the carriers, but as you said, I doubt that they will do such thing.

    • Darknet December 22, 2011 at 5:26 pm #

      Hey Bogdan, I think you misunderstood what I was trying to say. I wasn’t saying it doesn’t work in real life (as with your demonstration) for me when I say theoretical it means it’ll stay amongst the research community and it’s unlikely we’ll see it ‘in the wild’ – e.g. executed by people other than you.