{"id":3240,"date":"2011-12-20T18:51:45","date_gmt":"2011-12-20T18:51:45","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3240"},"modified":"2015-09-09T19:37:02","modified_gmt":"2015-09-09T11:37:02","slug":"cybercrooks-may-be-able-to-force-mobile-phones-to-send-premium-rate-sms-messages","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/12\/cybercrooks-may-be-able-to-force-mobile-phones-to-send-premium-rate-sms-messages\/","title":{"rendered":"Cybercrooks May Be Able To Force Mobile Phones To Send Premium-Rate SMS Messages"},"content":{"rendered":"

There have been a few stories about this in the past, I recall China Facing Problems With Android Handsets & Pre-installed Trojans<\/a> that were draining people’s batteries and phone credit by sending messages to premium-rate numbers.<\/p>\n

The latest news is of a more technical nature, but it outlines ways in which cybercrooks may well be able to send out premium-rate SMS messages without the handset owner knowing due to weaknesses in the actual standard.<\/p>\n

Cybercrooks may be able to force mobiles to send premium-rate SMS messages or prevent them from receiving messages due to security weaknesses in mobile telecoms standards.<\/p>\n

The weakness involves the handling of messages directed towards SIM Application Toolkits, applications preloaded onto SIM cards by mobile operators. The applications can be used for functions such as displaying available credit or checking voicemail, as well as handling value-added services, such as micro-payments.<\/p>\n

SIM Toolkits receive commands via specially formatted and digitally signed SMS messages. These messages are processed without appearing in a user’s inbox and without triggering any other form of alert. Some mobiles may wake from a sleeping state on receipt of such messages but that is about all that’s likely to happen.<\/p>\n

The encryption scheme deployed is robust but problems might arise because error messages are automatically sent out if a command cannot be executed. The SIM Toolkit service message can be configured so that responses are made via SMS to a sender’s number or to the operator’s message centre. This creates two possible attack scenarios.<\/p><\/blockquote>\n

It seems to be a theoretical attack right now, but seeing as it’s a flaw with the way the standard works (and it’s implemented this way on literally millions of phones), it could become a major issue.<\/p>\n

I would imagine it’s something vendors can fix on future handsets they sell, or on previous handsets via a firmware update – but that wouldn’t cover everyone.<\/p>\n

In all likelihood, however, I see the most likely path would be it stays as a purely theoretical attack.<\/p>\n