Securing the Mobile Enterprise

August 27, 2009

Smish out of water

Filed under: Mobile Security — Balaji Prasad @ 3:15 am
Tags: , , , , ,

The typical malware writer has gradually shifted the intent of malware from pure fame and geek curiosity to more diabolical ends. A few months ago, Kaspersky reported a trojan that can steal your money by exploiting a vulnerability in the SMS implementation on your phone. Such phishing attacks are called by a new term called “smishing”. Then again F-secure has earlier demonstrated another vulnerability in Series 60 phones that allows for a privilege escalation attack that allows complete access to the underlying file system. This vulnerability has been addressed in a firmware upgrade since.Smishing attacks are not that prevalent in the United States as it is in Europe or Asia, since SMS is not the preferred way of communication yet.  This is changing though… Carriers are  now including unlimited SMS plans for under $10 and this is encouraging SMS phishing.  The also exist legitimate services out there that facilitate bulk SMS tranmission.

         Traditional phishing attacks which can be easily identified by their broken links or non-rendering images or plain bad spelling (think Nigerian 419 emails), however these shortcomings are not that evident on SMS. Typically the messages themselves are concise and are usually entirely composed of text. It is also relatively easy to spoof the sender name, so that it may look like a legitimate source. This attack has been recently demonstrated in the Blackhat conference albeit on a jailbroken iPhone.
So how does one guard against this attack? Truth be told, there isn’t a single reliable way. Most brick-and-mortar legitimate companies will not use SMS to communicate with you (exception being your carrier). If you get an SMS from your bank, utility company or even your friend, soliciting for any information, simply ignore it and try to reach them offband (i.e. from another phone or email etc.). The cell phone industry has not developed standardized and robust protocols to guarantee the security of the SMS channel. Hopefully that will change soon.


Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Create a free website or blog at

%d bloggers like this: