Losing at vCards

“You are browsing with your shiny smartphone while connected to a wireless LAN.
Suddenly you receive a single SMS carrying new contact information.
Before you even have time to check it, your SMS inbox starts filling with unwanted messages and you don’t seem to be able to stop it…”

This is a possible scenario if you are the victim of a vCard Denial of Service, described here.

The attack can be carried out, possibly more effectively, when a data connection is active with a Mobile Operator that assigns a public IP address reachable over the Internet and does not filter incoming packets.
In this case the attack becomes a truly remote Denial of Service that can be performed over the Internet at no cost to the attacker.
Additionally, the protocol used (UDP) allows easy spoofing of the source IP address, making it more difficult to track an attacker or to implement proper firewall policies.

The following video gives a short look at what may happen to a handset when it is targeted by such an attack.

Two targets, an HTC Touch Pro (right) and a Cruise (left), are connected to a local network via WiFi when the attack starts. The SMS inbox suddenly starts filling and the SMS count rises to very high values in a short time.
During the video recording session a problem likely occurred in the Touch Pro user interface (at 00:35 seconds): the usual display changes, leaving only the incoming SMS counter on the screen.
The SMS incoming ringtones have been left enabled, but they could have been remotely disabled by choosing the proper size for incoming vCards.

The attack can easily be stopped by turning off the phone, but the most annoying thing is that you have to delete all those SMS manually, selecting them one by one.
If the user did not react promptly during the attack, the number of received SMS may be very large.
In this case manual deletion can be very time consuming, and selecting all the messages for deletion may be the only feasible solution, causing the loss of every received message in the inbox.
Even this action takes a long time to purge all the SMS (even hours), leaving a complete format of the device as the only way to get rid of the SMS in a reasonable time.
While this option shortens the recovery time, it leads to the complete loss of the data on the device.

The real issue arises if the attacker chooses to use very large vCards (32Kb) for the DoS.
In fact, with such large messages no ringtone is played for incoming SMS, even if the phone was configured to do so, possibly leaving the user unaware of what is happening to the handset.

The vulnerability is caused by the exposure of the wap-vcard service assigned to port UDP/9204, reachable both via WiFi and via the GSM/UMTS bearer.
Turning off the phone is obviously not an effective defense: it stops the ongoing attack but does not prevent the handset from being attacked again.
A personal firewall solution was shown to do the job correctly during our test sessions, effectively protecting the target from the denial of service.
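
For a network-side check, here is an added example that is not part of the original post: a sliding-window detector over constructed flow records that flags a handset receiving a burst of datagrams on UDP/9204. It is run with two different keys to show why counting per destination still works when source addresses are spoofed, while a per-source limit sees nothing; the window, threshold, record layout and addresses are assumptions.

```python
from collections import defaultdict, deque

WAP_VCARD_PORT = 9204   # wap-vcard service port named in the post
WINDOW_MS = 10_000      # assumed sliding window
THRESHOLD = 20          # assumed max datagrams per key within the window


def build_sample_flows():
    """Constructed flow records (documentation address ranges), not captured traffic."""
    flows = []
    # Burst: 40 datagrams in 4 s to one handset, each from a different source address.
    for i in range(40):
        flows.append({"ts": 100_000 + i * 100, "src": f"198.51.100.{i + 1}",
                      "dst": "192.0.2.10", "proto": "udp", "dport": WAP_VCARD_PORT})
    # A single legitimate contact push to another handset.
    flows.append({"ts": 101_000, "src": "203.0.113.5",
                  "dst": "192.0.2.11", "proto": "udp", "dport": WAP_VCARD_PORT})
    # Busy but unrelated UDP traffic to the first handset; must not be counted.
    for i in range(50):
        flows.append({"ts": 100_000 + i * 50, "src": "203.0.113.53",
                      "dst": "192.0.2.10", "proto": "udp", "dport": 53})
    return flows


def detect_flood(flows, key_fields, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return {key: timestamp of first alert} for keys exceeding the threshold.

    key_fields picks what is counted together, e.g. ("dst",) or ("src", "dst").
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerts = {}
    for flow in sorted(flows, key=lambda f: f["ts"]):
        if flow["proto"] != "udp" or flow["dport"] != WAP_VCARD_PORT:
            continue
        key = tuple(flow[name] for name in key_fields)
        stamps = recent[key]
        stamps.append(flow["ts"])
        while flow["ts"] - stamps[0] > window_ms:
            stamps.popleft()      # expire entries older than the window
        if len(stamps) > threshold:
            alerts.setdefault(key, flow["ts"])
    return alerts


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per destination:", detect_flood(sample, ("dst",)))
    print("per source/destination:", detect_flood(sample, ("src", "dst")))
```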
