Google’s Nexus Android phones are susceptible to a novel attack that floods the phone with text messages, forcing it to restart or lose its mobile network connection.
First reported by PC World, Google’s Nexus phones are vulnerable to a theoretical attack using the Flash SMS protocol. By flooding a target phone with around 30 of these special messages, an attacker can force the phone to restart or lose its mobile network connection.
Bogdan Alecu, an IT systems administrator at Dutch IT company Levi9, discovered the vulnerability and will be presenting a talk on it at the DefCamp international hacking and information security conference in Bucharest, Romania.
Flash SMS, also known as Class 0 SMS, is a category of text message that is immediately displayed on the message recipient’s screen but is not saved on the phone. It can be used for temporary or transitory messages, including harsh weather warnings. Because Google’s Nexus phones, and likely other handsets that Alecu has not yet tested, do not give an audio cue when Flash SMS notifications are received, it is possible for an attacker to deliver multiple messages in quick succession and disrupt a phone’s regular activities.
The attack is a largely theoretical one; sending multiple Class 0 SMS messages is not as easy as spamming the “send” button in your messaging app. Not all phones are enabled for Class 0 SMS; all recent HTC devices are able to send and receive the messages out of the box, for example, but Samsung’s Galaxy S4 does not support the standard.
It’s a minor issue with an otherwise excellent line-up of Android phones from Google. While it’s vaguely possible for a phone to be compromised in some way by a string of Flash SMS messages, Google will likely patch the vulnerability on its handsets shortly.