'Curse of silence' flaw hits smartphones

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

A denial-of-service attack that limits the number of SMS messages that can be received by Nokia smartphones has been disclosed and demonstrated.

Dubbed the 'Curse of Silence' by German security researcher Tobias Engel, the attack occurs when Nokia Series 60 phones are sent a malformed email message via SMS. Engel demonstrated the attack last week at the Chaos Communication Congress in Berlin, according to a blog post by security vendor F-Secure.

An advisory made public by Engel gave details of the attack. After receiving a message from a sender with an email address of greater than 32 characters, Nokia S60 2.6, 2.8, 3.0 and 3.1 devices are not able to receive any more SMS or MMS messages. S60 2.6 and 3.0 devices lock up after one message, while 2.8 and 3.1 devices seize up after 11 messages.

Affected users must perform a factory reset of the handset to remedy the issue. No firmware fix was available at the time of writing. A Nokia spokesperson said last week the company was "aware of" the vulnerability, but believed it did not pose a significant risk.

"Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers' devices," said the spokesperson.

"Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the vulnerability." Products running S60 third edition, feature pack 2, were unaffected, said the spokesperson, who added that the issue could be prevented by network filtering.

"According to our knowledge, many operators are looking into and actually already implementing network filtering to prevent the issue," said the spokesperson.

F-Secure said that Sony Ericsson UIQ devices may also be vulnerable to this type of attack. The security vendor said the vulnerability will "most likely be used by jealous boyfriends", but that support personnel "should know what to look for" in case of harassment of staff.

F-Secure added that, due to Engel's reasonable disclosure, the company had managed to test the flaw and add protection to its Mobile Security product. Engel informed Nokia and several telecommunications operators about the issue in November.