The SMS system has been used as a universal entry point into mobile phones. SMS messages can not only bring you the latest news from your kids or friends, they can also be used to trigger mobile applications, or even to modify the configuration of your phone.
Trust Digital is a company that specializes in mobile security, and they have in particular published a fear-inducing set of videos that shows the terrible dangers associated with the use of SMS messages on smartphones. Interestingly, both attacks shown involve the SIM card, even the one that is based on mobile malware.
I am not an expert on mobile threats, but, as is often the case with mobile threats, the level of threat looks a bit overstated.
There are several things in their videos that don’t look very good:
- An SMS can surely fire a Web browser, even with a URL that points to a piece of malware. Maybe the browser will start without notifying the user, but it is likely that there is an option to have a confirmation. But then, we get in the area of mobile malware, which is usually not as terrible as one may think. The phone they use looks like a Windows-based phone, and once again, I am convinced that these phones have warnings against launching native applications coming from the Web.
- Then, they send an SMS that modifies the configuration of the phone to stop encryption. This SMS is a control message, and it looks to me that mandating proper encryption for such messages would be a good idea. Transport security exists in the GSM/3G framework; if it is not used today, it will be tomorrow, and this threat won’t last very long.
- Finally, they assume that the hot spot accepts unencrypted communication. Once again, everybody knows that hot spots shouldn’t do that, because it may induce security problems for their users, and potential legal issues for themselves if something illegal happens on that unencrypted communication link.
Overall, this sounds a lot like security hype. Don’t get me wrong, I am not saying that there are no security issues related to the use of SMS messages on smartphones, but only the following:
- First, SMS is just another way to exploit existing weaknesses. If you turn off all warnings on your phone, expect trouble to happen, through SMS or anything else. Similarly, as an operator, if you allow any stupid behavior from your users, you are not doing your job of protecting them from the bad guys out there.
- Then, SMS is just a way to trigger/help some other kind of attack. And in this category, I still prefer the Trojan Horse attack model, in which you insert the attack code in a seemingly innocuous program, and then trigger it when needed with an SMS or anything else.
In the end, these videos show nice attacks, but they still don’t convince me yet of the necessity of installing specific security software on a phone. As far as I know, the most dangerous bad guy on a mobile phone is still likely to be the phone’s user, but that’s another story.
I guess the biggest threat here is the fact that our mobiles can be addressed by the phone number, especially over the SMS channel.
This is a different reality when we think about PCs, where it is much harder to find the IP or MAC of a specific target. The phone numbers identify ourselves and an address to reach our mobile phones that may be vulnerable. It is actually an interesting aspect to pay attention to security-wise.
But as you mention, the point of failure is in the application or in the system (letting malicious code be downloaded without confirmation) of the mobile phone.
Lastly, the telecom network is a more surveilled one, more controlled. It is probably possible, but I’ve never heard of a malicious SMS DoS attack or similar.