Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop

Offline Colonel Panic
German security company, SecurStar, claimed to have uncovered the first serious threat to the security of cellphone conversations, saying that "Simply by sending an invisible and unnoticeable SMS message to a particular cellphone, spying on cell phone users has become child's play."
......
"During the development of our newest product, PhoneCrypt,  designed to secure phone conversations, we have deeply analysed the GSM protocols and the internal architecture of mobile telephones. Here we found several fundamental security flaws and discovered that sending a simple "properly" formatted service SMS, we can remotely control any phone (new and old, regardless of the operating system Symbian/windows/etc). This is basically what we showed at the Security section of the Systems security conference in Munich."
.......
"We can send a service SMS to any phone (regardless of the operating system) and reprogram the SIM card and/or parts of the phone. (A service SMS is a specially formatted SMS that contains data instructions for the reconfiguration/programming and/or update of phones and SIM cards.)

"While usually a service SMS should be sent by the provider to upgrade the SIM card and configure the phone, normal users can also simulate this and send a service SMS. Here the phone and SIM card of the victim are reprogrammed in a way that each entering or exiting phone call is silently conferenced with the attacker.

"It is the victim's phone that creates a second 'hidden' conference call to the attacker. Also, the victim pays for this second telephone call (equivalent to a 3-way conference call). In order not to show on the monthly bill, the attacker can choose to get called on an anonymous 0800 number that is redirected through VoIP. In this way the call is not charged to the victim and the number does not appear on the monthly statement."

Article:
Page 1: http://www.itwire.com.au/content/view/7210/990/1/0/
Page 2: http://www.itwire.com.au/content/view/7210/990/1/1/

2nd article:
http://www.itwire.com.au/content/view/7216/127/



Offline rbcp
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #1 on: November 19, 2006, 10:09:17 AM »
Wow, scary. They don't mention which carriers are vulnerable. Is it all carriers? 'Cause mine doesn't use a SIM card. Someone needs to do this! I want to see a demo of it.

Offline badakku
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #2 on: November 19, 2006, 03:48:58 PM »
Something about this just seems wrong. I'm pretty damn sure that there are not SMS messages that control your phone for updates, etc. GSM phones generally take care of such things either when prompted by the user, or during their startup/registration.

Offline TRS
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #3 on: November 20, 2006, 03:42:08 AM »
Something about this just seems wrong. I'm pretty damn sure that there are not SMS messages that control your phone for updates, etc. GSM phones generally take care of such things either when prompted by the user, or during their startup/registration.

Nothing is wrong - there are most definitely SMS messages that can configure phones. I deal with products that do it all the time... Lots of apps that do remote management of phones use this technology a lot to remotely initiate and configure apps on the handset, and the user doesn't even know. These messages are VERY easy to create :)

Most Symbian devices that comply with the OMA standards would be vulnerable to this kind of thing. http://www.openmobilealliance.org/

Guest
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #4 on: November 20, 2006, 04:10:39 AM »
I've got a related question about this topic: can you interfere with a Bluetooth signal in order to listen/talk and mess up a conversation of somebody using a Bluetooth headset/speakerphone?

Offline BillCancer
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #5 on: November 20, 2006, 03:25:48 PM »
That would be pretty kewl to see a demo of. Some how-to info would be pretty nice too. Also pretty scary at the same time :-\

Offline gangals
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #6 on: November 20, 2006, 05:36:53 PM »
For Bluetooth, in theory, yes, well that's the answer to every question...

but in practicality, no, because the connection is encrypted.

http://en.wikipedia.org/wiki/Bluetooth#Pairing

Guest
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #7 on: November 21, 2006, 01:11:18 AM »
I'm reading that right now, and cracking the PIN is easy and hardly necessary; most of the time the PIN is 0000 or similar. But the problem is that the headset has to be in pairing mode, so you need physical access to it, and even then the connection is exclusive with only one mobile at a time, so you can't crack into a conversation. I've sent an enquiry to a couple of friends working in this kind of thing, but I hardly think that they will reply to me with the answer we are looking for.
I will share if I get it, promise.
Our quest is how to force the headset to share the data, disregarding that it should work as in an ad-hoc net.
Anybody here know about scanners that work on the 2.45 GHz range? I will try to get the frequency graphs for the Widcomm chipset (used in most of the headsets).

Let’s do this guys!

Offline gangals
Re: Cellfone hack: SMS handling vulnerability allows 3rd parties to eavesdrop
« Reply #8 on: November 21, 2006, 05:43:13 AM »
Unless there's some trick, a headset can only pair with one device at a time.

But ya, I guess that you would need to sniff their packets and then decrypt them... or if you are able to pair with their headset by cloning their phone's MAC address, then you could do a man-in-the-middle attack.