Here's an odd one for you. Tobias Engel of the Chaos Communication Congress has discovered a rather nasty exploit that'll cause any Nokia S60 devices running versions 2.6, 2.8, 3.0 or 3.1 to stop receiving SMS and MMS messages. The "Curse of Silence," which has been independently verified by F-Secure, is triggered by sending an SMS that begins with an email address that's at least 32 characters long. The attacker must also change the protocol identifier to internet electronic mail before sending. Devices with versions 2.8 and 3.1 lock up after 11 such messages and still have some limited receiving capabilities, while 2.6 and 3.0 devices will go completely mum after just one attack. In both cases a factory reset is required to fix it, and he says there is no other known workaround for the user. We don't imagine this being a pervasive issue, but if you've got any tech-savvy enemies or malevolent pranksters in your life, you've been warned. Video demonstration is after the break, or hit up the read link to see if your device is among those listed at risk.
Thats funny because Winmo does it on its own. It doesnt even need an exploit to happen. The OS itself will curse you. I am pretty sure many people can vouch for that. Sometimes a hard reset will fix it though.
So you've read the technical documentation and proved that the Nokia software actually DOESN'T reserve too big a memory stack for outgoing email addresses and gets overflowed by feeding it one byte too many? So you've also taken that to one of the largest security/hacking congresses in Europe and showed a demo of the thing in action? I reckon after you've done all that you must have gone straight home to try that on your devices yeah? And you also issued statements to Nokia and the cellphone providers about this so they could block the faulty SMS-as-Email subset and revert SMSs to default transmission? Of course you knew all that since you're the reason virus vendors now list that "bullshit" as actual flaws and security holes.
Dosen't look like a too bad problem. If you happened to get it anybody can do the hardreset, but hopefully it's fixed soon. I mean there's over 400 million Symbian phones out there.
Btw good job with giving the keys to the "enemies" Engadget :D
Well, this is a good excuse for Nokia to push out a new N95-1 (and everybody else) software update, cause the last one that they released, SUCKED!!!!!!!!!!!11 (and still does) they better fix the browser (it doesn't format pages properly for mobile sites).
Tested it on an N95-8GB. Got the out of memory error after the 11th message, sent a test message and it didnt come through, got out of memory again. Switched the phone off and on again and its back to normal, no hard reset required.
So at least on s60 3.1 you get a visual indication that your phone has been attacked (memory message) and a quick reboot fixes the problem.
Would just deleting the mail folder (C:\Private\1000484b\Mail2\ for those with hacked phones) solve the issue? If you could please test it, I'd do it but since you already started :P
When I first started reading I thought it was a useful hack for those poor people who have to pay whenever they receive an SMS, so they can turn it off and save money or something.
"According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well."
Now that we've thrown 'em off the trail, use the form below to get in touch with the people at Engadget. Please fill in all of the required fields because they're required.
posted Dec 31st 2008 9:39AM
Thank god i have Windows Mobile....i thought id never hear myself say that.
Why did you say that? IMO, WinMo devices need more hard/soft resets in a month than Nokia S60 phones will ever need in a year.
Ive never had to soft reset my Touch Cruise....but i can remember the days when i had a Wizard with WinMo 5 *shudders* every 5 minutes...
Strange Engadget are announcing this to its audience of "tech-savvy" readers...just the people who are likely to take advantage of this.
@ Adderz
That's weird... I read "Touch Cruise" as "Tom Cruise" at first.
This video seems a little over the edge... why would i compile an email address that long?
Thats funny because Winmo does it on its own. It doesnt even need an exploit to happen. The OS itself will curse you. I am pretty sure many people can vouch for that. Sometimes a hard reset will fix it though.
First Zune now Nokia S60...
The world is coming to an end!
just kiddin
it is.. but I thought it wasnt supposed to happen till 2012.. hmm
are teachers sending those out to their students in class so they will finally pay some attention?
Mum, I need a new phone, ASAP. :)
I am the only one in class with an S60 phone x)
Bonus points if the exploit message is then followed by a phone call with only a raspy voice saying "seven days...".
Lame.
Bullshit
You tested it and it didn't work?
My P990i refuses to receive SMS messages until I restart it. It's not a S60 device though. Hopefully it's completely different.
So you've read the technical documentation and proved that the Nokia software actually DOESN'T reserve too big a memory stack for outgoing email addresses and gets overflowed by feeding it one byte too many? So you've also taken that to one of the largest security/hacking congresses in Europe and showed a demo of the thing in action? I reckon after you've done all that you must have gone straight home to try that on your devices yeah? And you also issued statements to Nokia and the cellphone providers about this so they could block the faulty SMS-as-Email subset and revert SMSs to default transmission? Of course you knew all that since you're the reason virus vendors now list that "bullshit" as actual flaws and security holes.
Congrats, you know nothing.
@meist3r:
Congrats, you know too much.
Dosen't look like a too bad problem. If you happened to get it anybody can do the hardreset, but hopefully it's fixed soon. I mean there's over 400 million Symbian phones out there.
Btw good job with giving the keys to the "enemies" Engadget :D
How will you know you don't receive messages if you simply think nobody sends them to you?
@Shinigami
Exactly. It would probably take days for someone to realize that something's wrong. This can be bad, just not national security bad.
F-Secure must be the happiest people in town. They've finally found something to fix with their lame "virus" scanner:
http://www.f-secure.com/v-descs/exploit_symbos_smscurse_a.shtml
SHIT!!!!!!!!!!!!!
Well, this is a good excuse for Nokia to push out a new N95-1 (and everybody else) software update, cause the last one that they released, SUCKED!!!!!!!!!!!11 (and still does) they better fix the browser (it doesn't format pages properly for mobile sites).
I wouldn't count on it. I just hope none of me or my phone's enemies. know about this.
*checking through threat list*
Good thing I don't have geeky friends, I'd be screwed.
I just wish I had some friends with S60...
Tested it on an N95-8GB. Got the out of memory error after the 11th message, sent a test message and it didnt come through, got out of memory again. Switched the phone off and on again and its back to normal, no hard reset required.
So at least on s60 3.1 you get a visual indication that your phone has been attacked (memory message) and a quick reboot fixes the problem.
Damn hadnt read the Vulnerability Advisory link until now. Messages longer than 160 characters do cause the memory error again. Time for a hard reset.
Would just deleting the mail folder (C:\Private\1000484b\Mail2\ for those with hacked phones) solve the issue? If you could please test it, I'd do it but since you already started :P
When I first started reading I thought it was a useful hack for those poor people who have to pay whenever they receive an SMS, so they can turn it off and save money or something.
UIQ>S60
But they killed it.
"According to Engel's research, the exploit affects the messaging components of Nokia Series 60 phone versions 2.6, 2.8, 3.0, and 3.1. Our own tests determined that Sony Ericsson UiQ devices are vulnerable as well."
Yes... reading is fundamental
Well thank you Engadget, you just bricked thousands of Symbian-phones.
God damn.
So it's better NOT to know what's coming? That's just stupid and completely naive.
http://forum.whatmobile.net/showthread.php?t=36354