It looks like an obscure SMS feature could be used to force a denial-of-service outcome on a range of Google
The vulnerability centres on Class 0 SMS messages, more commonly known as Flash SMS. This message format, a part of the GSM specification, requires that the message be displayed instantly on the mobile handset’s screen rather than requiring user interaction to display. The messages are not routinely saved to the device – the user is usually given an option to do so, or dismiss the message.
Flash SMS messages aren’t routinely used in Australia, but carriers do use them in some circumstances to send messages direct to handsets. There are also some apps that can generate them from handsets.
Google Nexus handsets display Flash SMS atop all active windows, dimming the content behind so as to make the message appear like a popup. This is all well and good — the user can simply dismiss the message and continue with what they were doing — but if the user isn’t actively using their phone, or doesn’t notice the incoming message (there’s no audio notification for these messages), and further messages come in, then the latter messages are displayed over the top of existing Flash SMS messages waiting to be dismissed, and the background app or display is dimmed further.
Alecu found that when around 30 such messages are received without being dismissed, things start to go awry. The most common outcome is that the handset spontaneously reboots, and if the user has a PIN attached to their SIM then the phone remains disconnected from the mobile network until that PIN is supplied, potentially denying all incoming calls and messages to the handset if the user doesn’t notice the reboot. Less common outcomes are the mobile data connection dropping, requiring a restart of the phone to clear the issue, or the messaging sub-system crashing (though Android automatically relaunches it, so this causes no lasting issue). These outcomes aren’t guaranteed, as there are a number of variables that can influence the result, and some carriers rate-limit delivery of such messages.
Alecu claims to have advised Google of the issue many times, but it has not, as yet, been resolved. He says that a member of the Android Security Team advised him in July that the issue would be fixed in Android 4.3, but as that fix is yet to eventuate, Alecu has made the issue public.
In our opinion, this vulnerability is not particularly serious for Australian users. Here’s why:
- Flash SMS messages are not, these days, particularly easy to send. Most Android handsets can’t send them by default, and require rooting the handset, installing a custom module, and then purchasing an app capable of generating the messages. It’s not impossible, but it’s also not ridiculously easy.
- Unless you’ve really annoyed someone, it’s unlikely they’d go to the effort of trying to do this to your handset. However, they certainly could if they were so minded.
- There’s no exploit to this vulnerability; that is, there’s no way for an attacker to gain control of your device, obtain any of your personal information, or do any permanent damage to your phone. Worst case scenario is a quick reboot.
- The vulnerability only seems to affect Google Nexus handsets; phones from other manufacturers, which are far more common, do not appear to be affected.
Since the vulnerability was made public, attention has been drawn to apps in Google Play designed to protect from malicious exploitation of the vulnerability. If you’re still concerned about your device, check out Class0Firewall and other similar apps.
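The two things such a protective app has to do are recognise a Class 0 message from its TP-DCS octet (the message class field defined in the GSM specification) and stop flash dialogs stacking up before the roughly 30 undismissed ones that trigger the reboot. The following is an added illustration of that logic, not code from Class0Firewall or from the article; the SMS-DELIVER PDUs, the sender number and the threshold values are constructed for the example.

```python
from collections import deque

# Constructed SMS-DELIVER TPDUs (SMSC header stripped), sender +61412345678, text "Hello".
# Only the TP-DCS octet differs: 0x10 = GSM 7-bit, message class 0 ("flash"); 0x00 = no class.
FLASH_TPDU = bytes.fromhex("04 0B91 1614325476F8 00 10 31011121030040 05 C8329BFD06".replace(" ", ""))
NORMAL_TPDU = bytes.fromhex("04 0B91 1614325476F8 00 00 31011121030040 05 C8329BFD06".replace(" ", ""))

def message_class(dcs: int):
    """Message class (0-3) carried in TP-DCS, or None if the DCS carries no class (3GPP TS 23.038)."""
    if dcs & 0xC0 == 0x00:              # general data coding group: bit 4 says whether bits 1-0 hold a class
        return dcs & 0x03 if dcs & 0x10 else None
    if dcs & 0xF0 == 0xF0:              # "data coding / message class" group: bits 1-0 are always a class
        return dcs & 0x03
    return None

def parse_sms_deliver(tpdu: bytes) -> dict:
    """Decode the header fields of an SMS-DELIVER TPDU that matter for flash detection."""
    if tpdu[0] & 0x03 != 0x00:          # TP-MTI 00 = SMS-DELIVER (mobile terminated)
        raise ValueError("not an SMS-DELIVER TPDU")
    ndigits = tpdu[1]                   # TP-OA: length in digits, type-of-address, then BCD digits
    nbytes = (ndigits + 1) // 2
    swapped = tpdu[3:3 + nbytes].hex()  # digits are stored nibble-swapped, padded with F
    sender = "".join(swapped[i + 1] + swapped[i] for i in range(0, len(swapped), 2))[:ndigits]
    if tpdu[2] & 0x70 == 0x10:          # type-of-number 001 = international
        sender = "+" + sender
    pos = 3 + nbytes                    # TP-PID at pos, TP-DCS at pos + 1
    cls = message_class(tpdu[pos + 1])
    return {"sender": sender, "dcs": tpdu[pos + 1], "class": cls, "flash": cls == 0}

class FlashSmsMonitor:
    """Sliding-window limiter for class 0 messages (constructed illustration of the approach
    a filtering app takes). on_sms() returns 'normal', 'show' or 'block'."""
    def __init__(self, threshold: int = 10, window_s: float = 300):
        self.threshold, self.window_s = threshold, window_s
        self.arrivals = deque()         # arrival times of recent flash messages

    def on_sms(self, tpdu: bytes, now: float) -> str:
        msg = parse_sms_deliver(tpdu)
        if not msg["flash"]:
            return "normal"             # ordinary SMS: hand to the messaging app untouched
        while self.arrivals and now - self.arrivals[0] > self.window_s:
            self.arrivals.popleft()     # forget flash messages older than the window
        self.arrivals.append(now)
        # Stop displaying flash dialogs well before the ~30 undismissed ones the article reports.
        return "block" if len(self.arrivals) >= self.threshold else "show"
```

The threshold is deliberately set far below 30 so that a burst is suppressed long before the handset gets into trouble, while a single carrier flash message still displays normally.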
We’d be surprised if this issue isn’t fixed fairly quickly, now that it has become public knowledge.