By Thomas Claburn
July 29, 2009 07:08 PM
In a presentation at the Black Hat security conference in Las Vegas on
Thursday, security researchers Charlie Miller and Collin Mulliner are
scheduled to discuss SMS vulnerabilities that affect various mobile
platforms, including Android, iPhone, and Windows Mobile.
Using the Sully fuzzing framework, the researchers have developed a way
to identify flaws in SMS systems in mobile devices. Fuzzing is a form of
automated software testing that involves entering random or unexpected
data. Crashes or unexpected behavior arising from such input can then be
analyzed as a potential vulnerability.
"Until now most of the SMS related security issues have been found by
accident," state Miller and Mulliner in a paper that describes their
approach. This, they explain, is because sending SMS messages costs
money and because lack of access to source code for SMS implementations
has meant hunting for bugs by trial and error.
The two researchers created a layer, called the injector, just above the
bottom of the telephony stack that performs a man-in-the-middle attack
by intercepting communication between a mobile device's modem and
Attend Black Hat USA, July 25-30 in Las Vegas,
the world's premier technical event for ICT security experts.
Network with 4,000+ delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com