Google Nexus phones vulnerable to denial-of-service attack via Flash SMS messages

Receiving 30 special SMS messages in quick succession causes some Google Nexus phones to reboot or act strangely

Attackers could force phones from Google's Nexus line to reboot or fail to connect to the mobile Internet service by sending a large number of special SMS messages to them.

The issue was discovered by Bogdan Alecu, a system administrator at Dutch IT services company Levi9, and affects all Android 4.x firmware versions on Google Galaxy Nexus, Nexus 4 and Nexus 5. Alecu will present the vulnerability Friday at the DefCamp security conference in Bucharest, Romania.

Class 0 SMS, or Flash SMS, is a type of message defined in the GSM specification that gets displayed directly on the phone's screen and doesn't automatically get stored on the device. After reading such a message, users have the option to save it or dismiss it.

On Google Nexus phones, when such a message is received, it gets displayed on top of all active windows and is surrounded by a semi-transparent black overlay that has a dimming effect on the rest of the screen. If the message is not saved or dismissed and a second message is received it gets placed on top of the first one and the dimming effect increases.

When such messages are received, there is no audio notification, even if one is configured for regular incoming SMS messages. This means that users receiving Flash messages won't know about them until they look at the phone.

Alecu found that when a large number of Flash messages (around 30) are received and are not dismissed, the Nexus devices act in unusual ways.

The most common behavior is that the phone reboots, he said. In this case, if a PIN is required to unlock the SIM card, the phone will not connect to the network after the reboot and the user might not notice the problem for hours, until they look at the phone. During this time the phone won't be able to receive calls, messages or other types of notifications that require a mobile network connection.

According to Alecu, a different behavior that happens on rare occasions is that the phone doesn't reboot, but temporarily loses connection to the mobile network. The connection is automatically restored and the phone can receive and make calls, but can no longer access the Internet over the mobile network. The only method to restore the data connection is to restart the phone, Alecu said.

On other rare occasions, only the messaging app crashes, but the system automatically restarts it, so there is no long-term impact.

A live test at the conference performed on a Nexus 4 phone with the screen unlocked and running Android 4.3 did not immediately result in a reboot. However, after receiving around 30 class 0 messages the phone became unresponsive: screen taps or attempts to lock the screen had no effect. While in this state, the phone could not receive calls and had to be rebooted manually.

A second attempt with the screen locked also failed to reboot the phone because only two of over 20 messages were immediately received. This may have been caused by a network issue or operator-imposed rate limiting. The messages did arrive later and the phone rebooted when unlocking the screen.

Alecu said that he discovered this denial-of-service issue over a year ago and has since tested and confirmed it on Google Galaxy Nexus, Nexus 4 and Nexus 5 phones running various Android 4.x versions, including the newly released Android 4.4, or KitKat.

Around 20 different devices from various vendors have also been tested and are not vulnerable to this problem, he said.

This doesn't exclude the possibility that some devices from other vendors are vulnerable, but so far it has only been confirmed on the previously mentioned Google Nexus phones.

Alecu claims he has contacted Google several times since he found the flaw, but mostly got automated responses. Someone from the Android Security Team responded in July and said the issue would be fixed in Android 4.3, but it wasn't, Alecu said, adding that this contributed to his decision to disclose the problem publicly.

"We thank him for bringing the possible issue to our attention and we are investigating," a Google representative said via email.

In the absence of an official fix, Alecu worked with Michael Mueller, an IT security consultant from Germany, to create an application that can be used to block this kind of class 0 SMS denial-of-service attack.

The app is called Class0Firewall and is already available in Google Play. It can be used to configure a threshold for received class 0 messages, after which all subsequent messages are blocked for a period of time chosen by the user.
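The following Python example is added here to illustrate the two technical points above: how a phone can tell a class 0 (Flash) message apart from a normal one, and how a threshold-and-timeout filter of the kind described for Class0Firewall behaves under a burst of such messages. It is not Alecu's or Mueller's code and not the Class0Firewall source; it decodes the TP-DCS byte of an SMS-DELIVER PDU according to the GSM 03.38 coding groups (class 0 is signalled in the general data coding group when bit 4 is set and bits 1..0 are zero, and in the 1111 group when bits 1..0 are zero), and models a filter that admits a configurable number of class 0 messages per time window before blocking further ones for a chosen period. The sample PDU, the sender number, the threshold and the timing values are all constructed for the example; the exact counting rule Class0Firewall uses is an assumption.

```python
"""Class 0 (Flash) SMS detection and a threshold-based filter.

Added example; not the Class0Firewall source. PDU layout follows
GSM 03.40 (SMS-DELIVER); TP-DCS coding groups follow GSM 03.38.
"""


def is_class0(dcs: int) -> bool:
    """True if the TP-DCS byte marks the message as class 0 (Flash SMS).

    A message class exists only in two coding groups:
      * general data coding (bits 7..6 == 00): class present when bit 4 is
        set, class number in bits 1..0
      * data coding / message class group (bits 7..4 == 1111): class always
        present in bits 1..0
    Message-waiting and reserved groups carry no class at all.
    """
    if (dcs >> 6) == 0:
        return bool(dcs & 0x10) and (dcs & 0x03) == 0
    if (dcs & 0xF0) == 0xF0:
        return (dcs & 0x03) == 0
    return False


def _swap_bcd(b: int) -> str:
    """Semi-octet decoding: the low nibble is the first digit."""
    return f"{b & 0x0F:X}{b >> 4:X}"


def _decode_address(raw: bytes, digits: int, toa: int) -> str:
    text = "".join(_swap_bcd(b) for b in raw)[:digits]  # drop 'F' filler
    return ("+" + text) if (toa & 0x70) == 0x10 else text  # 0x10 = international


def _unpack_gsm7(ud: bytes, septets: int) -> str:
    bits = int.from_bytes(ud, "little")
    chars = [(bits >> (7 * i)) & 0x7F for i in range(septets)]
    # The GSM 7-bit default alphabet matches ASCII for letters, digits and
    # common punctuation; anything else would need the full mapping table.
    return "".join(chr(c) for c in chars)


def parse_sms_deliver(pdu_hex: str) -> dict:
    """Parse the fields of an SMS-DELIVER PDU that a filter needs."""
    data = bytes.fromhex(pdu_hex)
    pos = 0
    pos += 1 + data[pos]                    # SMSC info length + SMSC address, skipped
    first_octet = data[pos]
    pos += 1
    if first_octet & 0x03 != 0:             # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits, oa_toa = data[pos], data[pos + 1]
    pos += 2
    oa_len = (oa_digits + 1) // 2
    sender = _decode_address(data[pos:pos + oa_len], oa_digits, oa_toa)
    pos += oa_len
    dcs = data[pos + 1]                     # data[pos] is TP-PID
    pos += 2
    scts = data[pos:pos + 7]
    pos += 7
    udl = data[pos]
    ud = data[pos + 1:]
    y, mo, d, h, mi, s = (_swap_bcd(b) for b in scts[:6])
    seven_bit = ((dcs >> 6) == 0 and (dcs & 0x0C) == 0) or \
                ((dcs & 0xF0) == 0xF0 and (dcs & 0x04) == 0)
    return {
        "sender": sender,
        "dcs": dcs,
        "class0": is_class0(dcs),
        "timestamp": f"{y}-{mo}-{d} {h}:{mi}:{s}",
        "text": _unpack_gsm7(ud, udl) if seven_bit else ud.hex(),
    }


class Class0Firewall:
    """Admit at most `threshold` class 0 messages per `window_s` seconds;
    once exceeded, drop further class 0 messages for `block_s` seconds.
    Non-class-0 messages are never touched. (Assumed counting rule.)"""

    def __init__(self, threshold: int, window_s: float, block_s: float):
        self.threshold, self.window_s, self.block_s = threshold, window_s, block_s
        self.recent: list[float] = []       # arrival times of admitted class 0 messages
        self.blocked_until = 0.0

    def admit(self, dcs: int, now: float) -> bool:
        if not is_class0(dcs):
            return True
        if now < self.blocked_until:
            return False
        self.recent = [t for t in self.recent if t > now - self.window_s]
        self.recent.append(now)
        if len(self.recent) > self.threshold:
            self.blocked_until = now + self.block_s
            self.recent.clear()
            return False
        return True


# Constructed SMS-DELIVER PDU: no SMSC, sender +31612345678 (made up),
# TP-DCS 0x10 (GSM 7-bit, class 0), timestamp 13-11-19 19:12:04, text "hello".
SAMPLE_PDU = "00040B911316325476F800103111919121400005E8329BFD06"


def simulate_burst(pdu_hex: str, count: int, threshold: int,
                   window_s: float, block_s: float, interval_s: float = 1.0):
    """Replay `count` copies of a PDU `interval_s` apart; return (admitted, blocked)."""
    fw = Class0Firewall(threshold, window_s, block_s)
    admitted = sum(fw.admit(parse_sms_deliver(pdu_hex)["dcs"], now=i * interval_s)
                   for i in range(count))
    return admitted, count - admitted


if __name__ == "__main__":
    print(parse_sms_deliver(SAMPLE_PDU))
    print("burst of 30, threshold 5:", simulate_burst(SAMPLE_PDU, 30, 5, 60.0, 300.0))
```

Replaying 30 copies of the sample PDU one second apart with a threshold of 5 lets five messages through and drops the remaining 25, which is the behaviour the article attributes to the app: the stacked-overlay condition that needs roughly 30 undismissed messages is never reached. Note that the DCS check is the only part that matters for correctness; a filter that keyed on message text or sender would be trivial to sidestep, whereas class 0 is a property the network delivers with every such message.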

Because the attack causes the messaging app to crash and the phone to reboot, it suggests that something really bad happens inside the phone's memory, Mueller said via email. The bug should be further investigated to see if it can also lead to code execution, he said. "I see this as a serious vulnerability that has to be fixed by Google."

"Bogdan [Alecu] came up with the idea and asked if I could develop an app that prevents the class 0 messages from entering the device and thus prevent the denial-of-service attack," Mueller said. "He told me about his discovery and we came to the conclusion that it would be good to have a free app available at the time the vulnerability is made public to enable people to protect themselves from such an attack."

Alecu already published some videos of tests he performed on Galaxy Nexus and Nexus 4 phones.

Stories by Lucian Constantin