Nokia phones vulnerable to DoS attack

A vulnerability in the software used by Nokia's 6210 model mobile phone could make those phones vulnerable to a denial of service...

A vulnerability in the software used by Nokia's 6210 model mobile phone could make those phones vulnerable to a denial of service (DoS) attack, similar to the types of attacks that are commonly launched against computer networks.

The vulnerability exists in code that handles the processing of vCards, virtual business cards that can be transmitted from one mobile phone user to another using the popular Short Message Service (SMS), according to the advisory posted by security company @stake.

Nokia said the affected 6210 phones run software version 05.27 or higher are affected.

VCards are commonly used to transmit contact information from one user to the next. Depending on the phone models used, they can be transmitted using either infrared or SMS, though the vulnerability discovered by @stake did not affect infrared transmission.

Once received, vCard data can be saved in the recipient's phone directory and transferred to another contact management software such as Microsoft's Outlook or IBM's Lotus Notes products, said Ollie Whitehouse, director of security architecture at @stake.

An attacker could crash the Nokia phone by creating a vCard that was too large to be contained within a single SMS message and contained fields with large numbers of format string characters.

When the targeted phone received the last part of the malformed, multipart vCard, it would produce a buffer overflow on the phone's software, causing the phone to crash.

When crashing, the 6210 phones might unexpectedly restart, lock up, or stop handling SMS messages, according to Whitehouse.

To recover from the attack, the phone's user would need to take out the phone's battery and then restore it. The phone's software, memory or stored data are not affected by the buffer overflow attack. 

Although not exploitable by casual mobile phone users, the vulnerability would be easy for a moderately technical user to take advantage of using software available on the internet.

Although the vulnerability is not rated critical, the flaw found by @stake points to need for software code to be more scrutised on devices such as mobile telephones and PDAs.

Companies that write software for those devices are not as security concious as the makers of software for computer desktops, Whitehouse said.

While the relative obscurity of mobile phone platforms and the tools to exploit them keeps the number of attacks low, things might not stay that way. The widespread deployment of mobile phones and PDAs with vulnerable software will be fertile ground for hackers.

While 6210 users can do nothing to prevent against an attack using this vulnerability, mobile phone operators should consider deploying SMS proxies to sniff out and stop malformed messages.

Read more on Business applications