A vulnerability in the software used by Nokia's 6210
model mobile phone could make those phones vulnerable to a denial
of service (DoS) attack, similar to the types of attacks that are
commonly launched against computer networks.
The vulnerability exists in code that handles the processing of
vCards, virtual business cards that can be transmitted from one
mobile phone user to another using the popular Short Message
Service (SMS), according to the advisory posted by security company
@stake.
Nokia said the affected 6210 phones run software version 05.27
or higher are affected.
VCards are commonly used to transmit contact information from
one user to the next. Depending on the phone models used, they can
be transmitted using either infrared or SMS, though the
vulnerability discovered by @stake did not affect infrared
transmission.
Once received, vCard data can be saved in the recipient's phone
directory and transferred to another contact management software
such as Microsoft's Outlook or IBM's Lotus Notes products, said
Ollie Whitehouse, director of security architecture at @stake.
An attacker could crash the Nokia phone by creating a vCard that
was too large to be contained within a single SMS message and
contained fields with large numbers of format string
characters.
When the targeted phone received the last part of the malformed,
multipart vCard, it would produce a buffer overflow on the phone's
software, causing the phone to crash.
When crashing, the 6210 phones might unexpectedly restart, lock
up, or stop handling SMS messages, according to Whitehouse.
To recover from the attack, the phone's user would need to take
out the phone's battery and then restore it. The phone's software,
memory or stored data are not affected by the buffer overflow
attack.
Although not exploitable by casual mobile phone users, the
vulnerability would be easy for a moderately technical user to take
advantage of using software available on the internet.
Although the vulnerability is not rated critical, the flaw found
by @stake points to need for software code to be more scrutised on
devices such as mobile telephones and PDAs.
Companies that write software for those devices are not as
security concious as the makers of software for computer desktops,
Whitehouse said.
While the relative obscurity of mobile phone platforms and the
tools to exploit them keeps the number of attacks low, things might
not stay that way. The widespread deployment of mobile phones and
PDAs with vulnerable software will be fertile ground for
hackers.
While 6210 users can do nothing to prevent against an attack
using this vulnerability, mobile phone operators should consider
deploying SMS proxies to sniff out and stop malformed messages.