Siemens S55 phones send unauthorized SMS messages

Edmund X. DeJesus, Contributing Writer

Siemens S55 cellular phones have a vulnerability that can cause the phone to send Short Message Service (SMS) protocol messages that the user doesn't intend. But first the user must be tricked into running malicious Java code to exploit the vulnerability.

The Siemens S55 includes Java technology that supports a number of applications for business, travel, entertainment and games. The cell phone's Java virtual machine includes a full-featured API so that third-party software developers can create additional applications. SMS permits sending messages no longer than 160 alphanumeric characters with no images or graphics.

The Phenoelit Group of gray-hat hackers has discovered that there are problems in the Siemens S55 time.jar Java file. Usually, sending SMS messages or placing calls via Java applications requires user permission, which is obtained through an on-screen dialog. However, filling the screen with other items obscures this dialog, so that the user may unwittingly approve sending SMS messages to another number. For this to work, the attacker must trick the user into installing the malicious Java software, which isn't a difficult feat. Members of Phenoelit originally presented this vulnerability at a black hat convention in Las Vegas in 2003.

While not a critical security vulnerability, this problem does represent a security bypass, and may be the first of similar exploits on cellular phones and other devices sophisticated enough to use Java technology. As always, users should not download and run untrusted applications, even on their phones.
