Playing against a backdrop of splashy iPhone SMS hacks demonstrated this week at Black Hat USA 2009, young researchers Zane Lackey and Luis Miras Thursday demonstrated attacks at the annual hacker conference in which they spoofed sender numbers and exploited flaws in GSM carriers' networks to bypass them in a MMS message loop.
The attack potentially makes any mobile device on a GSM network anywhere in the world capable of sending media files vulnerable to spoofing, phishing attacks and other scams.
"People really trust phones a lot more than they trust email or anything like that," Lackey said. "If I get a text that's supposed to be from a carrier number, chances are, I'm going to believe it."
Using Lackey and Miras' application, an attacker would control the "from" field in a message, as well as the timestamp, which, for example, would enable them to backdate messages.
The key to the hack is the attacker's ability to bypass the carrier in a message. Normally, MMS messages are sent by a user to their carrier's server. The carrier would process the content, resizing it if necessary or checking it for spam. The carrier would then notify the recipient's device that content is waiting. That device would then contact the carrier server and download the content; some phones pull content automatically, others present the user with a message and the user must click through to get the content.
In the attack, the application sends an MMS message that runs on top of SMS, Miras said, telling the target phone to pull content from the attacker's server rather than the carrier. By tricking the user's phone, the carrier protections in the cloud are bypassed.
"Notification messages are only supposed to be generated and sent by a carrier," Lackey said. "We sent our own."
Carriers AT&T and T-Mobile Inc. run GSM networks, the most popular standard for mobile networks worldwide. However, the implications aren't as widespread in the U.S., as AT&T does not currently support MMS messaging, and competitors Verizon Wireless and Sprint have networks based on the CDMA standard. The issue is likely of greater concern internationally, where GSM is the de facto standard for global wireless networks.
Lackey and Miras said they have shared their findings with a carrier, which they refused to name. They said the carrier has reached out to the GSM Alliance, which is notifying its members of the issue.
No proof-of-concept code has been released, and the two say they'll wait for carriers to patch their architectures before releasing one. They said mobile phones will not receive patches for this flaw, as the flaw resides in the carriers' networks, not on the devices. They added that carriers, meanwhile, are monitoring for attacks of this nature.