U r pwned: text messaging as a hacking tool

Those messages contain the necessary commands for the attack and would get executed automatically by exploiting a weakness in the way the iPhone’s memory responds to that volume of traffic.

Miller said messaging attacks are so attractive, and are going to become more common, because the underlying technology is a core phone feature that can’t be turned off. “It’s such a powerful attack vector,” Miller said. “All I need to know is your phone number. As long as their phone’s on, I can send this and their phone’s going to do something with this. … It’s always on, it’s always there, the user doesn’t have to do anything - it’s the perfect attack vector.”

Miller and Mulliner also found problems in phones running Android (that problem has been fixed) and Windows Mobile (they say that problem has not been fixed yet).

Apple said it could not immediately comment. Microsoft said it is investigating the matter. Google confirmed that its vulnerability was fixed.

BusinessWeek reports that sometimes the culprit is not a software flaw but the way the phones were configured at the factory to handle messaging traffic. Hackers can break in if the phones are too permissive in what types of traffic they accept.

John Hering and Kevin Mahaffey, co-founders of Flexilis Inc., and Anthony Lineberry, a senior software engineer with the Los Angeles-based mobile security firm, sent specially crafted messages to phones made by Taiwan-based HTC Corp. and sold under major carriers’ brand names. The messages made browser screens pop up and directed victims to any page of the researchers’ choosing.

The user never sees a text message pop up; the mobile Web browser suddenly springs to life and navigates to a page the user didn’t ask for.

The researchers said spammers have latched onto this type of attack in Europe and Asia. They said the problem they found was not in the Windows Mobile software on the devices, but rather in the way the manufacturer configured software settings on some phones, allowing anyone to send certain messaging commands to them.

The carriers play a critical role in stopping these types of attacks. Because they have a stranglehold on what comes in and out of their networks, they can stop malicious traffic from ever hitting a user’s cell phone by filtering out types of traffic that attackers shouldn’t be able to send. Hackers are able to game the system when they are allowed to push commands that only the carrier should be allowed to send. This was the theme of a talk by Zane Lackey, senior security consultant with San Francisco-based iSEC Partners Inc., and Luis Miras, an independent security researcher.

They showed how they can trick a cell phone into pulling in content from a computer under their control. The content never passes through the cellular carrier’s security gauntlet as it’s supposed to.

The hack works because Lackey and Miras figured out how to attach a “notification” alert — something they said only the carrier should be allowed to send — to administrative messages they sent through an unidentified carrier’s network.

The alert tells victims they have a message, such as one instructing them to update settings. To the recipient’s phone, it looks the same as a notice sent by the carrier. If the user chooses to update the device, the phone then reaches out for the content — on computers under a hacker’s control. “The way carriers built their networks, there were a lot of security assumptions based on the idea that only the carrier would be able to send certain messages,” Lackey said. “Those assumptions are invalid.”

The flip side to the dangers the researchers have uncovered in mobile devices is that the researchers are often able to write programs that help companies and individual users look for vulnerabilities in their own devices. That could protect against future attacks.