Wappush!

WAP Push service can be used for delivering unsolicited data to the handset, and is typically used by Operators for providing advanced services (eg: e-mail, MMS).

The MSL-2008-001 advisory reports a Denial of Service vulnerability discovered in several SonyEricsson handsets, that allows an attacker to remotely reboot a vulnerable handset by sending a malformed WAP Push message.
Both SMS messages and UDP datagrams can be used as a transport mechanism for delivering WAP Push messages.
The vulnerability can be remotely triggered both via SMS and UDP; in the latter case the malformed message need to be sent to port 2948, that has been found open on all the handsets listed in the advisory.

The risks associated to an “UDP-based” attack scenario are not negligible in case the Operator allows reachability of the handset IP address, without doing proper filtering.
An attacker may be able to remotely reboot the handset by simply sending a carefully crafted IP datagram to the handset IP address.

Additionally:
- the handsets accept IP packets directed to a broadcast address. If broadcast packets are allowed in the network, a single UDP datagram may be sufficient for rebooting all the handsets in the target subnet.
- UDP protocol is connectionless and a single datagram is sufficient for triggering the vulnerability. Under these conditions source IP spoofing is possible, increasing the difficulties of implementing proper firewall policies and attackers tracking.

In the “SMS-based” attack scenario, an SMS, carrying the malformed WAP Push message, is able to trigger the vulnerability.
The SMS buffering performed by the Operator network brings, as a side effect, the possibility for an attacker to perform an extended Denial of Service attack against a single target.
In facts, if multiple SMS are sent to the victim, the first one will reboot the handset making it unavailable for receiving further messages.
The other messages will queue on the network side and delivery will be attempted as soon as the handset re-attaches to the network, leading to continous rebooting.
This may allow an attacker to effectively disable the use of the handset for an extended period of time.

The following video provides a demonstration of the above scenarios.
In the first part of the video, 3 handsets are initiating a call; they are reachable over an IP bearer and they reside on the same subnet.
Initiating calls is never necessary in order to trigger the vulnerability; this step has been inserted in the video only to provide a better perception of the attack effectiveness.
A single IP packet, carrying the malformed WAP Push message over UDP (destination port 2948), is sent to the broadcast address. This leads to the immediate reboot of all the 3 handsets.
In the second part multiple malicious SMS messages are sent to the handset, while it is performing a call. The handset starts rebooting each time an SMS is received (just two times are shown in the video).

The vulnerability can be triggered regardless of the “Push” settings, usually available in the “Messages” section of the Main Menu. These settings can avoid the process of WAP Push messages, but are uneffective in stopping the described attack.
Unfortunately, we are not aware of any security solution or countermeasure on the handset that could help in mitigating the issue.
We are not aware of software fixes for the vulnerable handsets, this suggested us to temporarily delay the disclosure of the issue technical details.

2 Responses to “Wappush!”

  1. Warning - WAP Push message can reboot your Sony Ericsson phone Says:

    [...] security researchers at Mobile Security Lab have discovered a vulnerability that “allows an attacker to remotely reboot a vulnerable [...]

  2. Sony Ericsson phones vulnerable to SMS reboots | Electricpig Says:

    [...] Mobile Security Lab Share and [...]

Leave a Reply