Administrator
ID Verified
Trusted
Geekzone
#
Just fresh out of my RSS Reader, F-Secure warns of Curse of Silence:
The vulnerability is very simple to exploit via an SMS message. No special software is required and the message can be drafted from a large number of phones. The message just needs to be formatted in a particular way. (We will not provide exact details here.)
What happens when a vulnerable phone receives the exploit message?
Example 1 — on the older 6680 nothing happens. Nothing at all… The first exploit message is enough to crash the SMS messaging service. It is a completely silent attack and there are no hints of trouble presented to the victim. The phone will simply stop receiving SMS (as well as MMS) messages.
Example 2 — on the newer N95, nothing will happen until several messages have been sent by the attacker. Then, once the critical limit has been reached, the phone will prompt an alert: "Not enough memory to receive message(s). Delete some data first."
The attack messages will not be visible from the Inbox, and deleting previously received messages will not resolve the problem.There will also be one additional notification on the N95. A blinking envelope, indicating that the Inbox is full, appears in the upper right-hand corner of the display.
Turning the N95 off and on again may return some limited functionality, but that functionality is very fragile. One multi-part message was enough to completely disable our test phone's SMS/MMS service, at which point even cycling the power did not help.
A firmware fix is not yet available. Performing a hard-reset is the only manual solution. And backing up the phone also backs up the exploit messages and the damaged messaging service.
