Devastating mobile attack under spotlight
Dubious claim gains credence from unconvincing operator denials.
By Peter Judge | Techworld | Published: 14:30, 24 November 2006
All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.
The attack, outlined by a German security expert, would amount to the largest ever breach of privacy for billions of mobile phone users across the world. But it remains uncertain exactly how easy and how widespread the problem could be thanks to a concerted effort by mobile operators to muddy the issue while they assess its extent.
The official response of the mobile phone operators when asked about the threat is that the attack is phoney. But despite three days of inquiries by Techworld, none have provided any evidence that there is an adequate defence to it. One operator told us all its security experts were at a meeting in Denmark, although, oddly for mobile company employees, they were also incommunicado.
Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.
Phone operators use SMS messages to make changes to their customers' phone without user intervention. These changes can vary from small tweaks to an overhaul of the phone's internal systems. Hafner claims however that phones do not check the source of such messages and verify whether they are legitimate, so by sending a bogus message he is able to pose as a mobile operator and re-program people's mobiles to do what he wants.
"I found this on a very old Siemens C45 phone, and then tried it on a Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them authenticated the sender of the service SMS. We could not believe no one had found this possibility before us."
On all these phones, Hafner was able to launch an example Trojan called "Rexspy", which he says ran undetected. Rexspy copies all SMS messages to the attacker, and allows the attacker to eavesdrop on any phone conversation by instructing the phone to silently conference the attacker into every call.
However, Hafner's demonstration does not constitute proof - it was done with his own phones, which could have been prepared. Known software such as Flexispy does the same job as Rexspy, but has to be installed manually on a phone. Hafner has also refused to provide Techworld with a demonstration, claiming that he does not want the code put into the wild. Hafner has also put out a press release about his alleged discovery which heavily pushes his company's products.
Although unproven, Hafner's claim is simple to understand - as are the obvious security steps with which operators could prevent such an attack. Despite this, the operators have refused to discuss their strategy to prevent such an attack.
"We have been aware for some years of the potential for SMS's of all types to be subverted, and we are confident that have all the necessary measures in place to counter any such attack through our network," said a Vodafone spokesman who then declined to discuss what these measures are.
A spokesman for the GSM Association was equally unforthcoming: "It is impossible to tell from the information provided whether the claims are theoretically or practically possible or not. The GSMA's Security Group will look into the claims as a matter of course."
Orange said in a statement: "We take the security of our customers communications very seriously and are investigating the claims made by SecurStar regarding the capabilities of this Trojan Horse. Pending the outcome of this investigation, we are unable to comment on the validity of the specific claims that SecurStar have made. We can confirm that we have no evidence to suggest that any of our customers have had the security of their voice or SMS communications compromised using the mechanism SecurStar claim to be used by 'RexSpy'. Should our investigation show that there is any validity to the claims of SecurStar, we will take action to ensure that our customers are protected."
As those familiar with the details of the Watergate affair in the 1970s will recognise, the responses fit the classic pattern of a "non-denial denial".
"The telephone should ask who is sending a service SMS, and the operators should change the way they are sending these messages and put in signatures," said Hafner. The operators we have spoken to have refused to say whether they did this or not.
All operators have been keen to point out however that such an attack would be illegal. The GSMA warning that "if this were demonstrated in the UK it would be a serious criminal offence, which could be prosecuted under the Regulation of Investigatory Powers Act 2000 for over the air interception".
Hafner's eavesdropping Trojan is just a sample of what could be done, he says. It could cover its tracks by using a free number for the conference calls. "There's a further step I haven't demonstrated, but the Trojan has full access, so I can extract the contact details from the address list," said Hafner. "If I wanted, I could decide to reproduce service the SMS to all your contracts. This would transform the Trojan to a virus."
Security experts are sceptical, and question Hafner's motives: "Our experts believe that service providers should be able to block service SMSs coming from any unauthorised location because the communication would have to go through the official communication centre," said Carole Theriault, senior security consultant at Sophos.
SecurStar makes encryption software to scramble voice calls made on Windows Mobile phones, to prevent eavesdropping."It seems to me to be questionable that [SecurStar] would actually write a Trojan in order to market their product," said Theriault.