Windows Phone hit by SMS vulnerability

Summary: SMS message causes device to reboot and disables access to the messaging hub.

A flaw has been discovered in Microsoft's Windows Phone operating system that allows hackers to carry out a denial-of-service attack on the handset.

The flaw was discovered by Khaled Salameh and reported to Winrumors.

The flaw is triggered simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot, and the messaging hub will not open despite repeated attempts.

The attack has been tested and shown to work on a range of handsets, including HTC’s TITAN and Samsung’s Focus Flash. The operating system version doesn't seem to matter either: some devices were running the 7740 version of Windows Phone 7.5, while others were on Mango RTM build 7720.

The bug can also be triggered by a Facebook chat message:

If a user has pinned a friend as a live tile on their device and the friend posts a particular message on Facebook then the live tile will update and cause the device to lock up. Thankfully there’s a workaround for the live tile issue: at initial boot up you have a small amount of time to get past the lock screen and into the home screen to remove the pinned live tile before it flips over and locks the device.

The flaw has been reported to Microsoft.

Talkback

  • RE: Windows Phone hit by SMS vulnerability

    Oh well. I don't give my number to hackers or post it on Facebook. Still better than Android or iOS!
    imsimsj
    • RE: Windows Phone hit by SMS vulnerability

      @imsimsj

      It doesn't matter...if your Facebook account is linked to your phone and the tile updates with the post containing the invalid characters, it'll crash the phone. The issue is with the subsystem responsible for displaying the content on the tiles. It appears that certain strings of text cause an out-of-bounds condition where it can store the message, but is unable to display it. This results in a crash of the tile when attempting to access it.
      iMouse
      • RE: Windows Phone hit by SMS vulnerability

        @iMouse They must have your number to send you a message! Oh smart one. Haha!
        imsimsj
    • RE: Windows Phone hit by SMS vulnerability

      @imsimsj That is a purely subjective statement - I find that iOS is better than Android for some things, Android is better than iOS for some things... One is not necessarily better than the other. Nor can I say for sure if I find either one better than WP7 for things or if WP7 is better because I have little experience with the platform - as you likely have little experience with iOS or Android.

      In other words troll elsewhere.
      athynz
    • RE: Windows Phone hit by SMS vulnerability

      @imsimsj But I am guessing this would be a huge issue if it was happening to Android phones or the iPhone right? You also have your head in the sand if you don't think hackers can get your phone number. Have you ever heard of phishing scams? Do you think everyone that receives those messages sent an email to the spammer to let them know what their email address is?
      non-biased
  • Why am I not surprised

    Microsoft can't write a single decent piece of code.
    Expect BSOD, viruses and unexpected crashes to be commonplace with these devices.
    Mikael_z
    • RE: Windows Phone hit by SMS vulnerability

      @Mikael_z Now that was a thoroughly asinine statement. Microsoft writes plenty of excellent code. Apple and Linux are not exempt from their own issues and you only don't hear about it as often since they hold next to none of the market.

      Until you can actually sit in an environment with thousands of people ranging from all computer skills and offer me an OS that is able to be used by each and every one of them with the same simplicity, usability, familiarity, support, range of peripherals and overall stability, you can shove that fan-boy garbage right down your throat.

      I absolutely love my Android phone, but WM7 is a fine piece of work and worthy of praise, not fan-boy ignorance.
      beidsvold
      • And you sir ignore history

        @beidsvold
        Microsoft has a mile, at least, long row of unreliable code which has also allowed for a virus plague (hopefully) forever unique in computer history.

        Here in southern Sweden our hospitals got attacked by malware and it was pure luck no one got hurt because the infections reached all the way into vital equipment.

        According to Computer Economics, support for that second rate platform is extremely expensive, 13 or 14 billion dollars each year globally.

        And you can call this quality with a straight face?
        Mikael_z
      • RE: Windows Phone hit by SMS vulnerability

        @Mikael_Z

        Why on earth would you have vital hospital equipment in a situation where it could be infected in the first place? Were the Windows systems actually patched or was this a zero day exploit?

        It sounds to me more like a failure of your IT staff than of Windows. Trusting your network security, especially a hospital, to just the single OS is incredibly stupid. Security has to be a multi-tiered network. Why weren't IPS systems in place between the user network that has access to the internet and the vital equipment? Poor network design.

        No OS will save you from poorly trained or poorly funded IT departments.
        LiquidLearner
      • How can you say that with a straight face?

        Apple has a mile long row of unreliable code which would also have allowed for a virus plague had they the PC marketshare that is forever unique in computer history instead of the paltry 5% they have now. And when they did have more marketshare (before OS X) Mac OS was a virus plague too.

        And you are surprised that computer support for the #1 platform in the world is expensive? Of course it is expensive. Windows is installed on over a billion computers and on more servers than any other single OS (it takes every Linux distro combined to even match 1 version of Windows). If the cost is $13 billion a year globally that works out to $13 per Windows computer per year. Thanks for proving just how low the TCO is on Windows.
        toddybottom
      • Mikael_z, you sir ignore history

        @beidsvold
        Since you tend to always ignore similar vulnerabilities that hit iOS and Android.

        Do you have a good explanation for that, or will you just not comment, which is your norm? ;)
        William Farrel
      • RE: Windows Phone hit by SMS vulnerability

        @beidsvold "Until you can actually sit in an environment with thousands of people ranging from all computer skills and offer me an OS that is able to be used by each and every one of them with the same simplicity, usability, familiarity, support, range of peripherals and overall stability...."

        Well, Linux, now, but that still doesn't excuse Mikael_z's flamebait. Also, including "familiarity" in that list is an improper qualification for obvious reasons.
        jgm@...
      • RE: Windows Phone hit by SMS vulnerability

        @beidsvold Well actually... this is the first vulnerability to be shown on a Windows Phone OS in over a year on the market. That's because WP requires .Net, not native apps, and has a screening process for apps on the Marketplace - Unlike the daily occurrence on Android where malware is everywhere and virus scanners are among the top "apps". This isn't 10 years ago - Microsoft actually makes decent stuff today and addresses security problems rather quickly.
        InternetSecurityAnalyst
      • RE: Windows Phone hit by SMS vulnerability

        @Mikael-z "Here in southern Sweden our hospitals got attacked by malware and it was pure luck no one got hurt because the infections reached all the way into vital equipment."

        That sounds more like an IT failure on the part of your hospital staff than anything Windows related. Nor is Windows the only OS that is vulnerable to malware as both Linux and Mac OSX have had verified malware issues. Why can't you ABMer frothing at the mouth zealots get your facts straight?
        athynz
      • RE: Windows Phone hit by SMS vulnerability

        @beidsvold

        Agreed, I'm an Apple "fanboy" (have an iPhone, iPad and a Mac) but I really think that WM7 is a nice addition to the smartphone market.
        gribittmep
      • Please tone down your comments.

        @beidsvold :

        You can say mounds about your hate for Apple and your love for Microsoft but it's no secret that this bug is a puerile one.

        To have your phone locked by some invalid characters is not a vulnerability, it's a blatant bug which needs immediate correction.

        As I have always said, Windows Phone 7 is a "flashy" interface stunt [mark my words] using Silverlight for Windows Embedded on top of a crappy OS called Windows Embedded Compact 6.0 R3 (which used to be called Windows CE, but that name was changed because it stacked up right next to Vista on OEMs minds).

        Android and iOS, on the other hand, are built on top of proven technology. iOS has a micro kernel based on Carnegie Mellon's Mach 3, with BSD extensions and a complete DriverKit. Android is pure Linux with real-time modifications and a new filesystem.

        Although most people celebrate Jobs for his intuitive UIs and heavy marketing style, you should also know that NeXT was built by a top brass of experts and iOS is just the great-grandson of all these efforts, ported to a very stable ARM Cortex A8/A9.
        cosuna
    • RE: Windows Phone hit by SMS vulnerability

      @Mikael_z

      The very nature of your comment proves only one thing: you have absolutely no clue about what you're talking about.
      Please, educate yourself and then, consider posting something worthy.
      TheCyberKnight
    • RE: Windows Phone hit by SMS vulnerability

      @Mikael_z
      http://www.electronista.com/articles/11/11/07/researcher.claims.to.have.spotted.serious.flaw/

      Apple can't write a single decent piece of code.
      Expect BSOD, viruses and unexpected crashes to be commonplace with these devices.
      toddybottom
      • LOL! He'll remain quiet on that.

        @toddybottom
        Odd we never hear from him when it's an Android/Linux or iOS/OS X problem.

        I wonder why? ;)
        William Farrel
      • RE: Windows Phone hit by SMS vulnerability

        @toddybottom
        @William Farrel
        There is a flaw in the Windows Phone, trying to change the topic is not working.

        The flaw has zero to do with any other company but Microsoft, deal with it.

        Has Microsoft issued a fix or work around yet?
        daikon