If at first you don't succeed; call it version 1.0
Thursday, 22 November 2007

No. I'm not going to show you how to use Cross-Site Request Forgery (CSRF) in order to attack mobile phones while using a mobile phone to surf the web. Instead, I'm going to talk about how CSRF vulnerabilities can be used to cause denial-of-service attacks against mobile phones, by flooding the phone with SMS and service messages.

Mobile phone service providers in Israel, and throughout the world, provide a web interface for sending SMS messages. Fortunately, they limit this SMS-sending web interface to 20 messages per day, and they also require the user to log in to their web site in order to send an SMS.

Unfortunately, at least in the case of the Israeli providers, they also give attackers a way to send endless SMS and service messages without any kind of authentication, using a single simple HTTP request. While this method doesn't allow the attacker to choose the text of the SMS, it does allow the attacker to specify the targeted phone number.

All Israeli mobile phone providers (Orange, Cellcom, and Pelephone) place at least one advertisement on their website which requires the customer to enter their mobile phone number in order to get a specific service, a coupon, or a password for an online service. This ad (mostly written in Flash) simply sends an HTTP request to the mobile provider's web servers, which then send the SMS message to the given phone number. Again, this web service is not rate-limited, and messages can be sent to any number over and over again.

With this CSRF vulnerability, an attacker can send multiple requests to the server in order to make the mobile phone impractical to use. The victim will get so annoyed (sometimes even without a way to make a phone call) that they will probably just shut the phone down. The attacker can also place an IFRAME or image on a website (e.g. a MySpace profile, a forum post, etc.) which mimics the ad's HTTP request, so on every visit to that page the victim will get an SMS. On high-volume pages (e.g. MySpace or Facebook profiles), this will cause a lot of requests to be sent to the mobile provider's web service, and the victim will again get so many messages that their mobile phone becomes useless.

Other mobile phone providers around the world might also have advertisements which allow sending SMS without any limitations. My suggestion to the mobile phone providers is to limit the ads' SMS-sending web service to one SMS per phone number per day.
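As an added illustration of that suggestion (example code written for this post, not any provider's actual implementation), here is what the server side of the ad's "send me the coupon by SMS" endpoint could look like: a same-site check on the request's Origin/Referer so that an IFRAME or image on another site does not trigger it, plus the one-SMS-per-number-per-day quota. The allowed origin, the phone-number format and the message text are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Optional

# Assumed host of the provider's own site that serves the ad.
ALLOWED_ORIGIN = "https://www.example-provider.test"
PER_NUMBER_PER_DAY = 1   # the limit the post proposes


def normalize_msisdn(raw: str) -> Optional[str]:
    """Canonicalise an Israeli mobile number so that 050-123-4567,
    0501234567 and +972501234567 all count against the same quota.
    (The 05x format is an assumption for the example.)"""
    digits = re.sub(r"\D", "", raw)
    if digits.startswith("972"):
        digits = "0" + digits[3:]
    if not re.fullmatch(r"05\d{8}", digits):
        return None            # not a mobile number this service handles
    return digits


class SmsAdGateway:
    def __init__(self):
        # (utc day, number) -> messages already sent. A real deployment would
        # keep this in a shared store so the quota holds across web nodes.
        self._sent = defaultdict(int)
        self.outbox = []       # constructed stand-in for the SMS centre

    def handle(self, phone: str, headers: dict, now: datetime) -> str:
        # 1. Same-site check: the ad on the provider's own pages carries a
        #    matching Origin (or Referer); a MySpace IFRAME or <img> does not.
        #    Referer can be absent or forged by non-browser clients, so the
        #    quota below is the real backstop, not this check alone.
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not origin.startswith(ALLOWED_ORIGIN):
            return "rejected: cross-site request"
        # 2. Reject malformed numbers before they touch the quota table.
        number = normalize_msisdn(phone)
        if number is None:
            return "rejected: invalid number"
        # 3. Per-number daily quota, keyed on the UTC calendar day.
        key = (now.astimezone(timezone.utc).date(), number)
        if self._sent[key] >= PER_NUMBER_PER_DAY:
            return "rate-limited: daily quota reached for this number"
        self._sent[key] += 1
        self.outbox.append((number, "Your coupon code is COUPON-PLACEHOLDER"))
        return "sent"
```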

P.S. The GNUCitizen team has published a great explanation of CSRF and how it can be exploited.

Thursday, 22 November 2007 23:23:32 UTC | Comments [3] | Security