|
3GPP TS 23.040 specifies a method for sending emails via SMS in
section 3.8 ("SMS and Internet Electronic Mail interworking"). In its
most basic form, such a SMS message starts with the from- (MT-SMS) or
to-email-address (MO-SMS), followed by a space character, and then the
message body. The TP-Procotol-Identifier of the SMS message has to be
set to "Internet Electronic Mail" (value: 50 / 0x32).
It is not specified how such a message should be displayed when
received by the phone. Before S60 2.6, Series60 devices displayed such
messages exactly as they were sent. Starting with S60 2.6, when the
part of the message that should contain the from-address looks
anything like an email address (i.e. it contains an "@" somewhere),
this address is then displayed as the message sender instead of the
usually shown TP-Originating-Address.
If this email address is longer than 32 characters, Series60 2.6, 2.8,
3.0 and 3.1 devices fail to display the message or give any indication
on the user interface that such a message has been received. They do,
however, signal to the SMSC that they received the message by sending
an RP-ACK.
Devices running S60 2.6 or 3.0 will not be able to receive any other
SMS message after that. The user interface does not give any
indication of this situation. The only action to remedy this situation
seems to be a Factory Reset of the device (by entering "*#7370#").
Devices running S60 2.8 or 3.1 react a little different: They do not
lock up until they received at least 11 SMS-email messages with an
email address that is longer than 32 characters. The device will not
be able to receive any other SMS message after that - upon receiving
the next message, the phone will just display a warning that there is
not enough memory to receive further messages and that data should be
deleted first. This message is even displayed on an otherwise
completely "empty" device.
After switching the phone off and on again, it has limited capability
for receiving SMS messages again: If it receives a SMS message that is
split up into several parts (3GPP TS 23.040, 9.2.3.24.1 Concatenated
Short Messages) it is only able to receive the first part and will
display the "not enough memory" warning again. After powercycling the
device again, it can then receive the second part. If there is a third
part, it has to be powercycled again, and so on.
Also, an attacker now just needs to send one more "Curse Of Silence"
message to lock the phone up again. By always sending yet another one
as soon as the status report for delivery of the previous message is
received, the attacker could completely prevent a target from
receiving any other SMS/MMS messages.
Only Factory Resetting the device will restore its full message
receiving capabilities. Note that, if a backup is made using Nokia
PC-Suite *after* being attacked, the blocking messages are also
backuped and will be sent to the device again when restoring the
backup after the Factory Reset.
Note that not being able to receive SMS messages also means not being
able to receive MMS messages, since they are signalled by sending an
SMS message to the device.
"Curse Of Silence" messages can be generated with any phone or
cellular modem that supports 3GPP TS 27.005 AT commands and with most
Nokia phones also directly from the user interface. For example, on
S60 devices, when in the message editor, the type of the message can
be switched to "E-mail" under "Options" -> "Sending options" ->
"Message sent as". The 6310i conveniently offers a "Write email" menu
entry in the messaging menu.
The simplest form of content for a Curse Of Silence would be something
like "123456789@123456789.1234567890123 " (the digits are used only to
illustrate the length of the "email address" of more than 32
characters). Note the space at the end of the message!
[ 本帖最后由 zoymin 于 2009-1-2 02:47 编辑 ]
|
举报有奖点击此处
