My-Symbian & My-Maemo

[grmmpf]

Hi all,

I just read about this vulnerability discovered by the german CCC in what it seems concerns all S60 variants. I'll also crosspost in S60v3-Communicators.

In Essence:
if your s60v3-handset gets hit by this kind of SMS your handset won't receive any SMS or MMS any further. The source explains that you have to reset your handset to factory defaults in order to recover the full functionality again.
The Security-Company FortiGate already introduced a tool against this vulnerability.

But read for yourself:
Original source:
https://berlin.ccc.de/~tobias/cursesms.txt
German article at Golem:
http://www.golem.de/0812/64345.html
Fortigate-Tool FortiCleanup against vulnerability:
http://fortiguardcenter.com/advisory/FGA-2008-31.html

I just installed the tool on my E90.

Regards

[My-Symbian]

[Michal Jerz]

Quote:

The Security-Company FortiGate already introduced a tool against this vulnerability.

Was it also them who invented the SMS?

Quote:

https://berlin.ccc.de/~tobias/cursesms.txt

Security Certificate error Had to use http:// instead of https://

[grmmpf]

Hi Michal,

yepp, I noticed the security certificate error also. I copied the link from the article at golem.de. Sorry for not changing the link from https to http (classic copy-n-paste-error).

Anyway, I guess we will be seeing some SMS originating from some script kiddies with this kind of content. Maybe there will even be the possibility of worse exploitation like buffer overflows or similar.

We'll see.
Regards

[im92109210]

I sense alot of sarcasm from Michal... Is this risk a hoax or something Michal?

[My-Symbian]

[grmmpf]

Hi im92109210,

just look at the links. The guys at CCC have a pretty good reputation and FortiGate is a wellknown security company (I do work with some of their appliances). So be assured it is no hoax (at least in my opinion).

Anyway if you want, you can try it out by yourself (of course only on your own devices). The description of how to do it, is in the original source link.

Regards

[grmmpf]

Hi all again,

First of all: I just want to present the worst case which hopefully won't happen but anyway I want to get people thinking a bit and Nokia maybe some more. So this is just my opinion.

I think IMHO that there might even be more coming after this (although I might be wrong). This is, as already mentioned, a bad glitch in the operating system uncovered by the guys at CCC. I myself am working for a security company and I usually take those vulnerabilities serious since these glitches might also lead to buffer or heap overflows which then again might lead to remote code execution.
Okay this of course is worst case and might not happen BUT on the other hand S60v3 is a platform which is widely used in cellphones not a lot unlike windows on PCs. So just painting the worst case, improbable as it may be, further: what if mobile phones might be used as a vehicle for anonymizing whatever form of criminal actions by hijacking them with remotely executable code? What if using remotely executable code as a man-in-the-middle attack in online banking done on cellphones? You can think of a lot of szenarios.

Again, these scenarios are maybe improbable but still though: a glitch is a glitch and this one in my opinion is a bad one because it can be done remotely. And of course: remote exploits always begin like that: someone finds a glitch and someone else finds a way to possibly exploit this glitch.

So in my opinion we and of course especially Nokia should take this glitch seriously and fix it. Such glitches should not be underestimated since there are some people around which might try to exploit it.

I for myself am thankful that FortiNet introduced a tool to prevent the CurseSMS: http://fortiguardcenter.com/advisory/FGA-2008-31.html (I'm not in whatever form related to FortiNet).

Regards

[ukjeeper]

Interesting article regarding this on Symbian Guru.com Worth a read:

http://www.symbian-guru.com/welcome/2008/12/f-secure-announces-curse-o f-silence-sms-s60-exploit.html

[Anagarika]

I believe F Secure has been providing antivirus for non-existent virus .. ?

[ceroberts75]

i finaly downloaded the f-secure, just to see what it is and what it does.


it was in the downloads section from the start...though, at least here in the US, we don't really run into cellular bugs. so after having it scan and getting "zero" bugs 2 times, i don't really see a use for it.

is it different from outside the US?

do you receive bluetooth bugs and other bugs there?

[BentL]

ceroberts75 wrote:

is it different from outside the US? do you receive bluetooth bugs and other bugs there?

F-Secure for S60 3rd Edition has been discussed in this thread and this thread. There are no viruses for the S60 3rd Edition platform. The special SMS message that turns off some of the Messaging application is most likely some bug that will get corrected in firmware updates, at least for the newer devices.

--
Bent Laursen

[BentL]

Nokia has issued a statement on this issue. Excerpt:

NOKIA STATEMENT ON S60 SECURITY
We have received the following statement on this issue:

Nokia has received an S60 on Symbian OS related vulnerability notice from the Chaos Computer Club (http://www.ccc.de/?language=en). The notice claims that devices with certain versions of S60 on Symbian OS are vulnerable to a remote Denial-of-Service (DoS) attack by sending of e-mails via SMS protocol.

Nokia is not currently aware of any malicious incidents on the S60 platform related to this alleged issue and we do not believe that it represents a significant risk to customers’ devices.

Nokia takes security very seriously in all phases of the mobile communication systems development process, and has been investigating the allegation made, using our normal processes and comprehensive testing.

Our testing has been concentrating on products that might have this issue. Based on the testing, Nokia believes that the vulnerability may be valid for some of the S60 on Symbian OS products. We are also working with the Symbian team to further investigate the alleged vulnerability. For example, the products running S60 3rd edition, feature pack 2, are unaffected by the alleged issue.

The alleged issue can be proactively prevented by network filtering. According to our knowledge, many operators are already implementing or looking to implement network filtering to prevent the issue.

Nokia is committed to continuously develop its products and services offerings to ensure a positive and secure user experience.

If you require further information, please contact your local Nokia Care

So the solution seems to be network filtering at the operators, at least until new firmware updates are released.

--
Bent Laursen