SMS Client Security

In this project we analyzed the security of Short Message Service (SMS) client implementations on mobile and smartphones. SMS is one of the most used features in the mobile telephony world.

The project is separated into three parts. Security analysis of SMS on smartphones. Security analysis of SMS on feature phones. SMS vulnerability countermeasures.

The project lead to multiple publications and several talks and further to the completion of one Diploma Thesis. This project got a lot of media attention and was featured in many different online and print articles and a few radio shows.

Publications:

• SMS-of-Death: from analyzing to attacking mobile phones on a large scale Collin Mulliner, Nico Golde, Jean-Pierre Seifert, In the proceedings of the 20th USENIX Security Symposium, August 8–12, 2011, in San Francisco, CA
• SMS Vulnerability Analysis on Feature Phones, Diploma Thesis Nico Golde February 2011 Berlin, Germany
• Countering SMS Attacks: Filter Recommendations Nico Golde and Collin Mulliner Technical Report: 2011-04 ISSN: 1436-9915 Berlin, Germany April 2011
• Injecting SMS Messages into Smart Phones for Security Analysis C. Mulliner and C. Miller In the Proceedings of the 3rd USENIX Workshop on Offensive Technologies (WOOT) Montreal, Canada August 2009

Talks:

• SMS-o-Death: from analyzing to attacking mobile phones on a large scale Nico Golde and Collin Mulliner CanSecWest 2011 Vancouver, Canada March 9-11 2011
• Attacking SMS Collin Mulliner SISCTI 36 Monterrey, Mexico March 3-5 2011 (invited)
• SMS-o-Death: from analyzing to attacking mobile phones on a large scale Nico Golde and Collin Mulliner 27th Chaos Communication Congres (27c3) Berlin, Germany December 27-30 2010
• Vulnerability Analysis of SMS Implementations on Mobile and Smart Phones Collin Mulliner Columbia University New York City, New York, USA August 9th, 2010
• Vulnerability Analysis of SMS Implementations on Mobile and Smart Phones Collin Mulliner Stanford University Palo Alto, CA, USA August 5th, 2010 (invited)
• Vulnerability Analysis of SMS Implementations on Mobile and Smart Phones Collin Mulliner Samsung R&D San Jose, CA, USA August 4th, 2010
• Fuzzing the Phone in your Phone Collin Mulliner 26th Chaos Communication Congress (26C3) Berlin, Germany December 28th 2009
• Fuzzing the Phone in your Phone Collin Mulliner RSS (Recurity Labs Security Symposium) Berlin, Germany October 27th 2009 (invited)
• Fuzzing the Phone in your Phone Collin Mulliner SEC-T Stockholm, Sweden September 2009 (invited)
• Fuzzing the Phone in your Phone Collin Mulliner, Charlie Miller Black Hat USA 2009 Las Vegas, Nevada, USA July 2009

Media (selected):

• Hintertüren und Killer-SMS Hacker knacken Handys und Smartphones 03.11.2011 (Der Spiegel)
• "SMS of Death" Could Crash Many Mobile Phones 01.04.2011 (TechnologyReview)
• Simplest Phones Open to 'SMS of Death' 12.28.2010 (Wired)
• Viele Handymodelle lassen sich per SMS lahmlegen 12.28.2010 (Handelsblatt)
• Researchers attack my iPhone via SMS 07.29.09 (cnet.com)
• How To Hijack 'Every iPhone In The World' 07.28.09 (forbs.com)

Downloads:

• SMS-o-Death demo video: http://www.youtube.com/watch?v=vseY9kFCkIc
• SMS-o-Death talk from 27c3: http://mirror.fem-net.de/CCC/27C3/mp4-h264-HQ/27c3-4060-en-attacking_mobile_phones.mp4

People:

• Collin Mulliner
• Nico Golde