25c3: Sms "killer Application" For Many Nokia Mobiles


Recommended Posts

1 January 2009, 17:37

25C3: SMS killer application for many Nokia mobiles

Some of the SMSs expected to be sent to mobile phones in the New Year period are unlikely to contribute to their recipients' holiday joy. The Chaos Computer Club (CCC) is warning, in at least one vulnerability report, of dangerous emails, sent as SMSs, that block reception of further SMSs or MMSs on many current Nokia mobile phones. Tobias Engel, a member of CCC, discovered the security leak and baptized it the "Curse of Silence because it shuts off the channel for incoming SMSs on the attacked mobile phone. The CCC has also issued a demo video; Engel said on Tuesday at the 25th Chaos Communication Congress (25C3) in Berlin that SMS standards are expressed in broad terms, which means a number of different types of short messages can be sent. Although the relevant functions have rarely, if ever, been used by mobile owners, they are nevertheless in the standards. That makes it possible in principle to send, for example, emails as SMSs. If a short message is identified as an email in accordance with the standards, the sender's email address instead of the phone number is displayed to the addressee. Engel said Nokia implemented this feature in 2002 or 2003 without pursuing it further or advertising it, and while doing so they allowed an error to slip in. The SMS standard says a sender's address must not exceed 32 characters. If an email address is of greater length, the SMS into which the email is converted remains in intermediate memory. Any further SMSs or MMSs can then only be received following a factory reset.

More at Heise Security: http://www.heise-online.co.uk/security/25C...s--/news/112335

http://www.heise-online.co.uk/security/25C...s--/news/112335

Link to post
Share on other sites

25C3: Many RFID cards poorly encrypted

Karsten Nohl, the security investigator who had a big hand in cracking NXP's Mifare Classic chips, says many RFID smartcards from other manufacturers are also vulnerable to a simple hacker attack. He told the 25th Chaos Communication Congress (25C3) in Berlin that "Almost all RFID cards use weak proprietary encryption systems" and only the latest types were any better. For example, several generations of Legic, HID and Atmel cards have holes in their armour.

RFID cards are used today to control access to buildings, rooms, cars or electronic devices. Mifare chips are also widely used in payment systems, such as those in short-distance public transport. The general expectation is that such RFID tags, all operating on the same frequency of 13.56 MHz, will evntually be used as generic identifiers for products and people, and they are already in use in passports and credit cards. However, said Nohl, the chip manufacturers have so far criminally neglected the standard of encryption used by these chips and the standard of the reading systems, which ought to satisfy the requirements of both data protection and system security.

Heise security: http://www.heise-online.co.uk/security/25C...d--/news/112336

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...