Security researcher Bogdan Alecu discovered a vulnerability that exposes Nexus devices to denial-of-service attacks based on a special type of SMS. Bogdan Alecu is a system administrator at Dutch IT services company Levi9, and affects all Android 4.x firmware versions on Google Galaxy Nexus, Nexus 4 and Nexus 5. Alecu is presenting the vulnerability Friday at the DefCamp security conference in Bucharest, Romania.
Google's latest Nexus smartphones are vulnerable to an attack in which someone could force the phones to reboot or lose their network connection by sending them a large number of a certain kind of SMS message,according to PC World.
SMS or Flash SMS is a type of message defined in the GSM specification that gets displayed directly on the phone's screen and doesn't automatically get stored on the device. After reading such a message, users have the option to save it or dismiss it.
Alecu discovered that when a large number of Flash SMS messages -- about 30, he reported -- are received and are not dismissed, Nexus devices react in strange ways. One of the three was has only a temporary effect:
The most common behavior is that the phone reboots, he said. In this case, if a PIN is required to unlock the SIM card, the phone will not connect to the network after the reboot and the user might not notice the problem for hours, until they look at the phone. During this time the phone won't be able to receive calls, messages or other types of notifications that require a mobile network connection.
According to Alecu, a different behavior that happens on rare occasions is that the phone doesn't reboot, but temporarily loses connection to the mobile network. The connection is automatically restored and the phone can receive and make calls, but can no longer access the Internet over the mobile network. The only method to restore the data connection is to restart the phone, Alecu said.
On other rare occasions, only the messaging app crashes, but the system automatically restarts it, so there is no long term impact.
Alecu said he reported the issue to Google, but until July he mostly received automated responses. In July, someone from the Android Security Team told him the issue would be fixed in Android 4.3, but it wasn't, Alecu said.
This, Alecu said, contributed to his decision to disclose the problem publicly. A Google representative said via email:
"We thank him for bringing the possible issue to our attention and we are investigating."
It is unclear if the issue affects only stock Android builds, or if it will fail similarly on builds with Sense UI (HTC), TouchWiz (Samsung), or any other OEM customized build.
Google's latest Nexus smartphones are vulnerable to an attack in which someone could force the phones to reboot or lose their network connection by sending them a large number of a certain kind of SMS message,according to PC World.
SMS or Flash SMS is a type of message defined in the GSM specification that gets displayed directly on the phone's screen and doesn't automatically get stored on the device. After reading such a message, users have the option to save it or dismiss it.
Alecu discovered that when a large number of Flash SMS messages -- about 30, he reported -- are received and are not dismissed, Nexus devices react in strange ways. One of the three was has only a temporary effect:
The most common behavior is that the phone reboots, he said. In this case, if a PIN is required to unlock the SIM card, the phone will not connect to the network after the reboot and the user might not notice the problem for hours, until they look at the phone. During this time the phone won't be able to receive calls, messages or other types of notifications that require a mobile network connection.
According to Alecu, a different behavior that happens on rare occasions is that the phone doesn't reboot, but temporarily loses connection to the mobile network. The connection is automatically restored and the phone can receive and make calls, but can no longer access the Internet over the mobile network. The only method to restore the data connection is to restart the phone, Alecu said.
On other rare occasions, only the messaging app crashes, but the system automatically restarts it, so there is no long term impact.
Alecu said he reported the issue to Google, but until July he mostly received automated responses. In July, someone from the Android Security Team told him the issue would be fixed in Android 4.3, but it wasn't, Alecu said.
This, Alecu said, contributed to his decision to disclose the problem publicly. A Google representative said via email:
"We thank him for bringing the possible issue to our attention and we are investigating."
It is unclear if the issue affects only stock Android builds, or if it will fail similarly on builds with Sense UI (HTC), TouchWiz (Samsung), or any other OEM customized build.
Hello Dear User,
ReplyDeleteSpecial Offer : Join now for free and be a part of this fast growing online social community. FUNBOOK Enjoy the new features at one place.
Click Here to Join
or
feel free to contact us HERE
Your precious feedback is highly appreciated. It is free and always will be