Noise on the line
Tuesday, February 3rd, 2009
The Wappush vulnerability, present on some Sony Ericsson handsets, has been discussed in several “places” on the web since the release of our advisory.
We feel that, in order to avoid possible misconceptions, a few points need to be clarified:
Calls in video: Making a phone call is not required for the attack to take place. The handset will reboot regardless of the activities being performed on it at the moment of the attack.
SMS messages: Opening a received SMS is not required to trigger the vulnerability. As shown in the video, the handset crashes upon reception of the SMS message, and no SMS message is displayed or present in the Message Inbox after the handset reboots.
IP packets: Sending an IP packet to a broadcast address is not required to trigger the vulnerability. A crafted unicast packet, directed to the handset's IP address, is all that is needed.
Operator IP Networks: We don’t know of any Mobile Operator allowing broadcast IP packets in their networks. On the other hand, at the time of writing, there are Mobile Operators that assign unfiltered public IP addresses to handsets connecting to the Internet.
Tools: Despite what has been stated elsewhere, we are not aware of any public tool that is able to exploit the vulnerability, either over IP or over SMS.
Active exploitation: Up to now, we have not heard of any hostile activity exploiting the issue.
With regard to these specific points, we would be interested to hear of anything different.