How to Hack Nokia Phones
How to Hack Nokia Phones – Using SMS
Yep, One can hack Nokia phones by just sending a SMS,seems devilish isn't it? Although this vulnerability was found more than an year ago, I recently tried it and found it working in many sets. The vulnerability dubbed as “Curse of Silence” affects all Nokia Symbian 60/Series 60 devices and allows for remote SMS/MMS Denial of Service.One can send a specially crafted sms to lockup/crash any Series 60 device.
What is Required ?
Although the vulnerability is spread across many versions of S60 platform,the Risk level is quite high for (for S60 2.6 and 3.0 devices)as upon attack,the target will not be able to receive any SMS or MMS messages until the device is Factory Resetted and Medium for S60 2.8 and 3.1 devices as upon Ddos attack,the target will not be able to receive any SMS or MMS messages while the attack is ongoing. After that, only very limited message receiving is possible until the device is Factory Resetted.
The Attack
One can send an email using an sms by setting the messages Protocol Identifier to "Internet Electronic Mail" and formatting the message like this:
Devices running S60 2.6 or 3.0 will not be able to receive any other SMS message after that. The user interface does not give any indication of this situation. The only action to remedy this situation seems to be a Factory Reset of the device (by entering "*#7370#" ) or using a Vulcan Death Grip.
Devices running S60 2.8 or 3.1 react a little different: They do not lock up until they received at least 11 SMS-email messages with an email address that is longer than 32 characters after that the device will not be able to receive any other SMS message and the phone will just display a warning that there is not enough memory to receive further messages and that data should be deleted first. This message is even displayed on an otherwise completely "empty" device.
After switching the phone off and on again, it has limited capability for receiving SMS messages again: If it receives a SMS message that is split up into several parts it is only able to receive the first part and will display the "not enough memory" warning again. After powercycling the device again, it can then receive the second part. If there is a third part, it has to be powercycled again, and so on.
Also, an attacker now just needs to send one more "Curse Of Silence" message to lock the phone up again. By always sending yet another one as soon as the status report for delivery of the previous message is received, the attacker could completely prevent a target from receiving any other SMS/MMS messages.
Only Factory Resetting the device will restore its full message receiving capabilities. Note that, if a backup is made using Nokia PC-Suite *after* being attacked, the blocking messages are also backuped and will be sent to the device again when restoring the backup after the Factory Reset.
Detailed List of affected phones
Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable component is a S60 base functionality, it seems safe to assume that all devices with these OS versions are affected. I short if you own one of these,you are rounded unless u have a firmware upgrade/fix release by Nokia which fixes this attack.
S60 3rd Edition, Feature Pack 1 (S60 3.1)
Credits
Tobias Engel – The Original Vulnerability Founder
Tested and implemented on Airtel carrier using Nokia 3120 classic and N70/N73/E51 by XERO
What is Required ?
- MSISDN of the target.
- A Mobile phone service provider which allows sending of SMS messages (Airtel in my case)
- (Almost) any Nokia phone (or some other means of sending SMS messages with TP-PID set to "Internet Electronic Mail" )
Although the vulnerability is spread across many versions of S60 platform,the Risk level is quite high for (for S60 2.6 and 3.0 devices)as upon attack,the target will not be able to receive any SMS or MMS messages until the device is Factory Resetted and Medium for S60 2.8 and 3.1 devices as upon Ddos attack,the target will not be able to receive any SMS or MMS messages while the attack is ongoing. After that, only very limited message receiving is possible until the device is Factory Resetted.
The Attack
One can send an email using an sms by setting the messages Protocol Identifier to "Internet Electronic Mail" and formatting the message like this:
<email-address><space><message body>If such messages contain an <email-address> with more than 32 characters, S60 2.6, 2.8, 3.0 and 3.1 devices fail to display the message or give any indication on the user interface that such a message has been received. They do,however, signal to the SMS Career that they have received the message.
The simplest attack will be -
123456789@123456789.1234567890123
Devices running S60 2.6 or 3.0 will not be able to receive any other SMS message after that. The user interface does not give any indication of this situation. The only action to remedy this situation seems to be a Factory Reset of the device (by entering "*#7370#" ) or using a Vulcan Death Grip.
Devices running S60 2.8 or 3.1 react a little different: They do not lock up until they received at least 11 SMS-email messages with an email address that is longer than 32 characters after that the device will not be able to receive any other SMS message and the phone will just display a warning that there is not enough memory to receive further messages and that data should be deleted first. This message is even displayed on an otherwise completely "empty" device.
After switching the phone off and on again, it has limited capability for receiving SMS messages again: If it receives a SMS message that is split up into several parts it is only able to receive the first part and will display the "not enough memory" warning again. After powercycling the device again, it can then receive the second part. If there is a third part, it has to be powercycled again, and so on.
Also, an attacker now just needs to send one more "Curse Of Silence" message to lock the phone up again. By always sending yet another one as soon as the status report for delivery of the previous message is received, the attacker could completely prevent a target from receiving any other SMS/MMS messages.
Only Factory Resetting the device will restore its full message receiving capabilities. Note that, if a backup is made using Nokia PC-Suite *after* being attacked, the blocking messages are also backuped and will be sent to the device again when restoring the backup after the Factory Reset.
Detailed List of affected phones
Tested on several S60 2.6, 3.0 and 3.1 devices. Since the vulnerable component is a S60 base functionality, it seems safe to assume that all devices with these OS versions are affected. I short if you own one of these,you are rounded unless u have a firmware upgrade/fix release by Nokia which fixes this attack.
S60 3rd Edition, Feature Pack 1 (S60 3.1)
- Nokia E90 Communicator
- Nokia E71
- Nokia E66
- Nokia E51
- Nokia N95 8GB
- Nokia N95
- Nokia N82
- Nokia N81 8GB
- Nokia N81
- Nokia N76
- Nokia 6290
- Nokia 6124 classic
- Nokia 6121 classic
- Nokia 6120 classic
- Nokia 6110 Navigator
- Nokia 5700 Xpress Music
- Nokia E70
- Nokia E65
- Nokia E62
- Nokia E61i
- Nokia E61
- Nokia E60
- Nokia E50
- Nokia N93i
- Nokia N93
- Nokia N92
- Nokia N91 8GB
- Nokia N91
- Nokia N80
- Nokia N77
- Nokia N73
- Nokia N71
- Nokia 5500
- Nokia 3250
- Nokia N90
- Nokia N72
- Nokia N70
- Nokia 6682
- Nokia 6681
- Nokia 6680
- Nokia 6630
Credits
Tobias Engel – The Original Vulnerability Founder
Tested and implemented on Airtel carrier using Nokia 3120 classic and N70/N73/E51 by XERO
0 comments:
Post a Comment