It’s amazing to me that F-Secure and other ‘security’ applications for S60 still exist. Who’s buying these apps, and why? Today’s episode is dubbed ‘the Curse of Silence’, and reads just like any other scary story, told around a campfire with a flashlight facing the sky.
According to this post at F-Secure’s site, at the 25th Chaos Communication Congress in Berlin, a presentation titled ‘Security Nightmares 2009’ showed a demonstration of a ‘Curse of Silence’ exploit that reportedly affects S60 2nd Edition phones, and even S60 3rd Edition, up to Feature Pack 1 (Feature Pack 2 phones are reportedly immune, as is S60 5th Edition). The exploit apparently involves sending a specially formatted SMS to the recipient, and renders the messaging capabilities of the phone completely useless.
This ‘attack’ cannot be achieved via an application, or over Bluetooth. Only by receiving an SMS. With the Nokia N95, the attacker must send a multitude of messages before the critical limit is reached, and the user is presented with a ‘Not enough memory to receive message(s). Delete some data first.’ and a blinking envelope in the top corner of the screen.
If you get attacked with this, you’ll need to hard reset your phone. You cannot use any backup/restore features, as that will reportedly only restore the offending messages, recreating the problem. Not to worry, though. Lucky for us, in addition to announcing the exploit, F-Secure has already updated its application to protect against and repair corrupted phones! Isn’t that sweet? You can even get a free trial of their application, or shell out a mind-numbing $57.06 for a 12-month license (which needs to be renewed annually, of course).
Don’t be fooled, and don’t go purchase (or even download) F-Secure for your S60-powered phone. In order for this exploit to happen:
1. You must know a ‘hacker’ who knows how to create this ‘specially formatted message’.
2. This ‘hacker’ must know your cell phone number.
3. He/she must, at least for S60 3rd Edition handsets, send the attack multiple times to your phone.
In other words, unless you’ve got your cell phone number plastered all over the place, or you’ve directly upset someone who knows how to do this, the odds of you being vulnerable to such an attack are extremely slim. You’d be more likely to drop your phone into a puddle of water, or a beer, than have to worry about this exploit.
F-Secure is promising video footage of the attack soon, though it clearly doesn’t really matter. If you *do* go purchase F-Secure’s $60 annual license, be sure to come back to Symbian-Guru.com, as I’ve got a great deal on some snake oil that I’d like to talk to you about……..
UPDATE: here’s a video showing it in action:















