If at first you don't succeed; call it version 1.0
Thursday, 22 November 2007

No. I'm not going to show you how to use Cross-Site Request Forgery (CSRF) in order to attack mobile phones while using a mobile phone to surf the web. Instead, I'm going to talk about how CSRF vulnerabilities can be used to cause denial-of-service attacks against mobile phones, by flooding the phone with SMS and service messages.

Mobile phone service providers in Israel, and throughout the world, provide a web interface to send SMS messages. Fortunately, they limit the SMS sending web interface to 20 messages per day, and they also require the user to login to their web site in order to send an SMS.

Unfortunately, at-least when referring to the Israeli providers, they also give attackers a way to send endless SMS and service messages without any kind of authentication and with a simple HTTP request. While this method doesn't allow to specify the message of the SMS, it does allow the attacker to specify the targeted phone number.

All Israeli mobile phone providers (Orange, Cellcom, and Pelephone) place at-least one advertisement on their website, which require their customer to enter their mobile phone number in order to get a specific service, a coupon, or a password for an online service. This ad (mostly written in Flash) simply sends an HTTP request to the mobile provider web servers which then sends the SMS message to the given phone number. Again, this web service is not limited and the messages can be sent to any number over and over again.

With this CSRF vulnerability, an attacker can send multiple requests to the server in order to make the use of the mobile phone not practical. This is because the victim will get so annoyed (sometimes even without a way to make a phone call) that he will probably just shut the phone down. The attacker can also place an IFRAME or image on a website (e.g. MySpace profile, a forum post, etc.) which will be used to mimic the ad's HTTP request. So, on every visit of this page, the victim will get an SMS. On high volume website pages (e.g. MySpace or Facebook profiles), this will cause a lot of requests to be sent to the mobile provider web service and the victim will again get too much messages which will make its mobile phone useless.

Other mobile phone providers around the world might also have advertisements which allow sending SMS without any limitations. My suggestion to the mobile phone providers is to limit the ads SMS sending web service to one SMS per phone number per day.


P.S. the GNUCitizen team has published a great explanation on CSRF and how it can be exploited.

Thursday, 22 November 2007 23:23:32 UTC | Comments [3] | Security#
Friday, 23 November 2007 09:56:03 UTC
Excelent article and I bet every phone provider is vulnerable to this problem. This can be kind of anoying to the mobile phone user.

Take care
Monday, 26 November 2007 02:57:56 UTC
Very interesting. A loop in javascript would extend the impact of the above scenario. eg:
iframe name="blah" src="http://www.url.com/path"
close iframe
function frmload() {
close javascript
Thursday, 20 December 2007 12:21:19 UTC
Some of the larger mobile phone service providers in Sweden have added protection against this Denial of Service attack with the help of captchas. I hope other providers will add similar protection in the future.
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
Admin Login
Sign In
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.