Windows Phone SMS attack discovered, reboots device and disables messaging hub

By Tom Warren, on 13th Dec 11 1:04 am with 108 Comments

Microsoft’s range of Windows Phone devices suffer from a denial-of-service attack that allows attackers to disable the messaging functionality on a device.

The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts. We have tested the attack on a range of Windows Phone devices, including HTC’s TITAN and Samsung’s Focus Flash. Some devices were running the 7740 version of Windows Phone 7.5, others were on Mango RTM build 7720. The attack is not device specific and appears to be an issue with the way the Windows Phone messaging hub handles messages. The bug is also triggered if a user sends a Facebook chat message or Windows Live Messenger message to a recipient.

The flaw appears to affect other aspects of the Windows Phone operating system too. If a user has pinned a friend as a live tile on their device and the friend posts a particular message on Facebook then the live tile will update and causes the device to lock up. Thankfully there’s a workaround for the live tile issue, at initial boot up you have a small amount of time to get past the lock screen and into the home screen to remove the pinned live tile before it flips over and locks the device.

Both Apple and Google have suffered from SMS bugs with their iOS and Android devices. Security researcher Charlie Miller discovered a flaw in the iOS 3.0 software that allowed attackers complete control over an iPhone at the time. Android-based phones also suffered in the SMS attack, but attackers could only knock a phone offline rather than gain full access. The attack described in this article does not appear to be security related. It appears, from our limited testing, that the bug is related to the way Windows Phone handles messages.

WinRumors reader Khaled Salameh discovered the flaw and reported it to us on Monday. We are in the process of disclosing the bug directly to Microsoft privately in co-operation with Khaled. At this stage there doesn’t appear to be a workaround to fix the messaging hub apart from hard resetting and wiping the device. Please see the video below for a demonstration.

  • http://twitter.com/OldCongress Gamer

    wow

  • http://twitter.com/kid_jenius Daniel Paulino

    so you’re saying, if this “string” of text becomes known to the public, they can easily just send it to any wp7 user and their phones would crash?

    really hope this gets fixed soon

  • http://www.techblitzblog.blogspot.com Daniel Herzig

    This looks bad after Microsoft called out Google on their bout of malware apps… nobody is perfect, I guess

    • http://twitter.com/OldCongress Gamer

      At least this won’t do anything to the device’s security. Android just fucks on that.

    • http://www.searingarrow.com AlienSix

      Microsoft never said they were perfect

    • http://www.techblitzblog.blogspot.com Daniel Herzig

      I know, hence the saying “nobody is perfect”

    • Guest

      But this little stunt arrogant and snarky now it is making them foolish.   

    • User

      Moreover this is way better than a malware. It limits a feature on your device but doesnt steal anything!

    • Joe_HTH

      Do you think Google will offer a free Android phone to any WP7 owner hit by the attack?  

    • http://www.techblitzblog.blogspot.com Daniel Herzig

      Since the bug hasn’t been released yet, I respond with a resounding “aww, hellz no!”

    • http://davepermen.net davepermen

      nope, but they sure send you a free sms..

    • Guest

      Dunno, shill. Maybe we should ask HeatherL?

    • Guest

      Much of the malware is a result of the Google app marketplace policies. MS wasn’t criticizing OS bugs.

    • J A

      This is not “malware”.

    • Reader

      It is malware…

      Its name is Microsoft Windows.

    • Anonymous

      Let’s see. Phone can’t send a text or a phone that sends text to premium causing your wireless bill to skyrocket. I’ll take the bug the temporarily causes you to lose texting functionality.

    • Henrik

      And is it really a coincidence that this happens after Microsoft reached out to the malware victims? The conspiracy theorist thinks this is not a coincidence, someone wanted to backfire the “switch to Windows Phone” plan. Someone who knew how to make this bug/exploit happen :-) 

    • Anonymous

      You think this small SMS attack compares to the large malware shitstorm that consumes Android??….

    • http://twitter.com/LenFirewood Len Firewood

      Since MS is a late guest to the smartphone party it’s a worrying sign that the continual shitstorm that plagues the PC platform may well be on it’s way to their smartphonetablet platform.

    • Elmwoodie

      Small correction to the “new to the smartphone platform”.  You have to count Windows CE/Windows Mobile and PocketPC. 1997-ish.  http://en.wikipedia.org/wiki/File:Windows_CE_Timeline.svg

  • Anonymous

    I’m glad Khaled isn’t revealing more info.

  • Anonymous

    now if only you could turn off annoying people by sending them a bad text.

    • http://reinnovate.asia Kit Yeung

      that would’ve turned WP into a great thanksgiving gift.

  • http://www.mainstreetchatham.com/ JimmyFal

    Here we go… ready aim fire.

    • http://www.facebook.com/profile.php?id=1724462076 Tim Mariner

      I was thinking along these lines.  I have no problem hearing about the problem after it has been solved, especially if there is no workaround and nothing I can do to prevent it.  I’m worried that if you announce it before there is a fix, some motivated malcontents will work tirelessly to try to exploit the flaw.

    • Anonymous

      I think Tom did the right thing here.  He showed the effects of the flaw to get ours and MS’s attention, yet he did not show the message that has to be sent to cause the flaw (at least I couldn’t tell from the video).  Good example of responsible journalism in my book.

    • http://www.winrumors.com Tom W

      Well I didn’t show the message because the phone locks up once it’s sent, you don’t actually ever get to see the message nor do you need to see it for this to work.

    • http://www.gadgeterija.net Denis Jelec

      Numerous mac fan sites are having so much fun now…happy campers. -.-

    • Anonymous

      Actually, many longtime Apple fans have warmer feelings toward Microsoft than you realize, especially as the Xbox has become a dominant force in the gaming industry. I used to be very anti-Microsoft, but I think Windows Phone 7 is a beautiful alternative to the iPhone. I wouldn’t use it myself, but I love that it’s actually a unique and carefully crafted OS.

      In fact, many Apple fanboys are redirecting their hatred toward Google, since they seem both incapable and unwilling to create beautiful or original software these days.

      I strongly hope that Windows Phone 7 becomes a strong contender in the phone marketplace, as it will only benefit Apple to have competition that is not simply ripping off the iPhone OS (and yes, I am aware that many of iOS 5′s new features were in Android first, but before that, they were iOS jailbreak tweaks anyway).

      If webOS can also find some traction as an open source project, I would be very happy to see a world where iOS, WP7, and webOS are the trinity of smartphone platforms.

    • http://www.gadgeterija.net Denis Jelec

      I do realize there are people smarter than that, but it doesn’t generate clicks. For instance, 9to5 mac happily transcribed this story (why exactly in the first place) only to add:

      “The fix? Hard reset of the device.  Ouch.
      In a totally unrelated note, the head of the Windows Phone 7 division was fired today. ”

      That’s what I am talking about. And yes, I was really happy to see even Mac users sent rotten tomatoes at the author of the article, at least those most upvoted ones. :)Other than that, I do hope there are even more platforms around, for even three I consider to be too low of a number. More choice – less bollocks from fanatics. :)

  • http://profiles.google.com/carlosrfonseca Carlos Ribeiro da Fonseca

    Oops.

    Luckily Microsoft has already figured out how to update the phones, so a fix shouldn’t take long. Had this been found before Nodo and the update drama and it would mean serious trouble.

  • Penta2100

    is it a string of characters that does this?

    • http://twitter.com/Paul_IRL1 Paul Hill

      Maybe unrecognised characters? On ubuntu you get a weird icon sometimes instead of a space when you copy and paste some weird text and can sometimes crash things. I doubt this is the issue but it could be something similar thus preventing the messaging app from opening.

    • http://davepermen.net davepermen

      are sms unicode? i guess it’s a letter that is not defined in the font file, resulting in some non-existent memory access. and this results in instantly killing that process.

      that explains why the bug appears not only in sms, but in pinned people, too. it’s not an sms bug, it’s most likely a font rendering bug.

      problem is, if it occurs within the messaging hub, and crashes that hub, the phone shuts down completely. it’s like killing csrss.exe on your win7 client. instant bluescreen.

      so it’s a bug. but it shows, actually, that the selfguarding security system of wp7 is intact and working.

    • Entegy

      SMS can be sent as Unicode, but usually aren’t in North America. The most common cause of an SMS sent as Unicode is an accented character.

  • https://profiles.google.com/christopher.gull/ CG

    This article complements the previous one pretty well too ;)

    • http://www.facebook.com/rizoyte Ris Oyt

      lol i was thinking the same exact thing

    • Spamandsuch

      It might not be a mere coincidence that this so exactly follows the “switch to a free Windows Phone” plan :-) Someone, a n anonymous crafty engineer with the knowledge, knew how to make this bug/exploit happen. I call Google conspiracy! :-)

    • phil jay

      Yeah, good timing. Nonetheless this is not a architectural failure like happening in android all day but a bug that can be fixed in a few minutes(hope so).

    • Anonymous

      Maybe not. If its true that it’s a result of the way the OS handles this, then it could be something that can’t easily be fixed, and might require a fair rewrite of the underlying code.

  • http://circuitsoft.tumblr.com CircuitSoft

    At least MicroSoft is doing something about it, something Apple and Android don’t do.

    • Anonymous

      Apple iPhone does not get viruses.  So there is nothing to do.  Base upon Microcrap’s security record. did you expect anything less?

    • Anonymous

      I can’t speak for Google, but you’re certainly wrong about Apple. They do take their time sometimes, but they do get things fixed. Right now, WP7 is considered to be the least secure of all the phone OS’s. Apparently, MS so far hasn’t considered security on this platform to be important, seeing as how it’s aimed at consumers, a group they don’t understand, or have much respect for.

  • http://twitter.com/Paul_IRL1 Paul Hill

    They need to hurry with a fix for the dissappearing keyboard too.

    • http://pulse.yahoo.com/_ANTAFCHU7SN4NFAGQ2ZLLM66DI KnockOut

      Yeah; very irritating when trying to type anything.

  • Soulja3

    LOL so it took 14 months for the first SMS from 1 WP7 user to another? :P JK

    • http://twitter.com/mcakins McAkins Online

      If that’s your way of trolling you fail miserably! What the heck are you doing in a Microsoft fan site? Go pray in some iTemple somewhere else.

  • Anonymous

    Hard to believe that this has only just been discovered, I’ll wait for some proof so far it’s just a ‘Rumour’

  • http://rendion.myopenid.com/ render

    im glad your discussing with MS privately to spare the17 people who have windows phone an attack

    • http://twitter.com/mcakins McAkins Online

      If that’s your way of trolling you fail miserably! What the heck are you doing in a Microsoft fan site? Go pray in some iTemple somewhere else.

    • Anonymous

       Nah, there are already too many Apple worshipers out there.

    • http://www.facebook.com/profile.php?id=100001395218690 Pantou Ekang

      F. U

    • Anonymous

      My oh my, even the fandroid trolls found their way here.

      Guess it’s all hands on deck when your platform is about to get replaced huh.

    • Anonymous

      Hahaha, you Windows Phone nerds are fiesty aren’t you? A small but vocal group, I respect that. Your delusions though, that I don’t really respect. I’ll give Windows Phone some ground to talk when they actually manage to pass Windows Mobile in market share. Still waiting on that one.

    • http://twitter.com/dyskmaster joe dono

      marketshare == quality of the platform.  Why don’t you use a windows phone for a change?  I used an android phone once, and I had no problems with it, it was a nice phone (sgs2) and had stellar hardware on board, like the screen.  There, an unbiased opinion on another platform.  Why don’t you go to a store and try windows phone out for yourself?  I garantee you will have a posative reaction to it, unless, of course, you are a complete fanboy covering their eyes to the truth.

    • Anonymous

      I have used one before, and I do like them. I just find the attitude of the MS fanboys to be amusing. Saying things like Android is going away when they have half the market.

      I personally have a fair amount of respect for both iOS and Windows Phone, I just find them a little boring for ME. I’d suggest Windows Phone over iOS to people who need a simple phone.

    • Anonymous

      “I’d suggest Windows Phone over iOS to people who need a simple phone.” And that is exactly what will take market share away from Android and iOS. There are more who want a simple phone than those who want a super customizable, slightly unstable and slow but very powerful phone. I have an Android, modded the hell out of it, but at the end of the day I mostly use WP7 now, and am happier than I was ever before. Without modifying it.

      Microsoft needs to get the price down though.

    • Anonymous

      LOL, an Android person, how cute. Now go away.

    • http://twitter.com/LenFirewood Len Firewood

      No – we are LEGION, we never forget, we never forgive – EXPECT US. ;)

    • Anonymous

      LULZ..

      iAgree!

    • Wourelia

      Thats what the Toyota owners said about the Ferrari problems.

    • Thomas Scheibelreiter

      Never got the news, that there were no flaws in Toyota cars, but incapable drivers?
      Though this is off topic.

    • Anonymous

      Nice try troll.  Either you are an Android fan, in which case you shouldn’t even show your face on a security/bug related story.  Or you are an Apple fan, in which case its ironic for you to make fun of smaller market share as Apple has traditionally catered to a fringe niche of the consumer market.  Granted iPhone and iPad have been very popular, but give it time and they will inevitably assume the minority market share.  Heck, iPhone has already been eclipsed by Android.

    • http://twitter.com/RobertCFP Robert Wade

      @render is the reason why cousins should never marry.

  • Anonymous

    Maybe people will start talking to each other again instaead of sending texts.

  • http://twitter.com/squidlr squidlr

    Same old Microsoft – security risks come guaranteed with anything they develop. 

    • Centijon

      This is the first real security bug that has been found with Windows Phone.  Many, many more have been found with iOS and Android.

    • Anonymous

      Yeah, unlike android.

    • http://davepermen.net davepermen

      except it’s not a security risk. jailbreaks are, android rootings are. this does trigger a BUG. but it is not a security risk. it does not grant you further access to the phone in any way.

    • Anonymous

      same old troll

    • Henrik

      And you mean the same principle don’t apply for all the other developers? What are you, 12? Stay in school, moron.

  • 50000

    The text is 0

    • http://twitter.com/OldCongress Gamer

      troll

    • Yahoo

       Wrong! that would be debug off.

  • Anonymous

    “The flaw works simply by sending an SMS to a Windows Phone user.”

    What?? So if u text someone and they have a windows phone, that’s it- their phone is borked?!!

    Surely this must have been known about before. This can’t be the first time a windows phone user has ever received an SMS.

    • Guest

      An SMS with a specific content of course…

    • http://www.kinectronic.com Kinectronic

      Seriously? Did you like…NOT read the article?

    • Anonymous

      Sure I read the article. I quoted it too. Here it is again:
      “The flaw works simply by sending an SMS to a Windows Phone user. Windows Phone 7.5 devices will reboot and the messaging hub will not open despite repeat attempts”

    • Anonymous

      It’s fixed if you reset the phone.

  • phil jay

    I don’t understand. How can such a message crash your phone? what kind of message should this be? Do they blindly execute whatever code lies behind?!

    • Vitaly

      Smartphones usualy supports some commands received in text. For example, in case you lost you phone you might want to wipe it remotely even when your phone is not connected to the Internet. So such command could be sent by SMS. But I don’t know is this the case but it could.

    • phil jay

      But.. is sms as a technology secure enough to even allow such commands? I really want to know the real cause for this total crash…

    • Anonymous

      it pretty much depends on how the software(os or app) use the content of the sms, if the software was designed in certain way, they can also crash on certain picture the camera took, or some word you said, so theoretically it is nothing to do with security of SMS.

    • phil jay

      @bkydcmpr:disqus Well if sms allows to remotely uninstall an app for example, I’d say it’s an problem with sms security. Though, this seems more like an ugly little format related bug.

  • Msalameh

    Khaled, I admire your prompt action, God bless you and really you deserves Wp7 phone for this. 

  • Anonymous

    M$ Failphone……

    • GP007

      You must really have a skewed understanding of what fail or failphone is then, going by your little avatar i’m going to guess you’re blind to all the google and android bugs/exploits and other such nice fail moments.

    • Anonymous

      U MAD BRO?

      Just because WP7 is a piece of sheet OS and you chose to buy one does not make us who speaketh the truth your attack targets…

      Sell that WP7 on Ebay while you can get a few dollars for it!  :D

    • Thomas Bundgaard

      Bad troll is bad :(

    • Anonymous

      Geez Tom, your article must be on Google news because its attracting a lot of trolls today.  Hey calm down buddy and enjoy your phone while we enjoy ours.  Also learn how to spell and not look like an 8 year old idiot.

    • Anonymous

      lol, the guy with a Google+ logo calling something fail.

      guess no one is around on that site so he has to come here for some human contact

  • Tomsode

    Most likely its an sms that contains a character that isnt displaying properly. Sure it sucks but at least its better than the old android bug that ran the sms as it was a script and as root just as icing on the cake….

  • Anonymous

    Nice scoop Tom. Loving the site.  :D

  • Graham Warrender

    Wha’s the message that is sent that causes it to crash?…

  • Mlm68

    0

  • GP007

    MS did the whole “switch to WP” bit with blackberry as well, it’s not like it’s really specific to security issues, it just happened that android malware has been it’s top problem while with RIM it was the service going down and MS gave out free WP devices then as well.  

    Besides these aren’t on the same level so MS should keep going with it’s Android malware PR move IMO.

  • Elmwoodie

    Maybe not malware, but definitely a vulnerability.  A vulnerability that may enable malware.  Or at least be a target.  I am hopeful that @Microsoft has a timely response and public disclosure during their investigation to support their customers! (and us fanboyz!)  I picked this platform because of Microsoft’s ability and track record responding to incidents such as this.  Likely outcome scenarios are: discovered as incorrect, blocking enabled (via carriers or user workaround), or quick patch.  How quickly Microsoft responds will be of great importance to the evaluation of the security posture of the platform.  If I wanted a mysterious unknown fix in a month or two, I would use an iPhone.  I want a Security KB published giving me the best available info to protect myself, and I want it now.

  • http://pulse.yahoo.com/_VBJ4XGUEOMGGDFA6KXLV26OLUU Roberto Cruz

    That’s not a problem, Microsoft will fix this in 6 months plus 2 more months for their staged deployment to all the phones because to fix this they need the carriers approval an of course the Focus 1.4 will need more testing to get it.

  • Anonymous

    Unlike how various trolls here have spun the story, this is not a security vulnerability but a demonstration of the stability and security of the Windows Phone OS. 14 months since RTM and only this bug that demonstrates the OS is able to stop running (instead of running whatever bad code in memory as an result of the attack) when encountered with unhandled exceptions (displaying the malformed message with the notification bar or Live Tiles) and able to stop an crashed application (the Messaging Hub) from bringing down the whole system. No sandbox and other security measure has been broken that provides the attacker with filesystem or other crucial process access, unlike the over 9000 vulnerabilities that power all the Android malware and iOS jailbreaking tools today. With this issue publicized, we can all trust Microsoft on delivering a timely update to fix this.

    • Anonymous

      If it was intentionally designed into the OS to prevent hacking damage as you say, then why would you turn around and say that there will be a timely “fix” for it? That doesn’t wash. If it is a feature to enhance security, there would be no talk of or need of “fixes.”

    • Anonymous

      The problem is that the user can no longer access the Messaging hub after receiving such malformed message. The fix is to correct the message handling code so that it does not crash when the malformed message is handled. It is a usability bug, not a security bug.

    • Elmwoodie

      Anything that affects confidentiality, integrity or availibility qualifies as security.  This affects availability.  And quite likely the vulnerability might just need to do a little different overflow and a little DEP dancing to turn into outright compromise (which is probably very difficult or impossible). 
      There is no doubt this is a SECURITY VULNERABILITY.
      And not a horrible one (yet).  C’mon Microsoft hurry up and give us a Security KB and then a patch!

  • Anonymous

    (deleted double post)

  • Apple or windows or android

    guys, does anyone know how magnets work?

  • http://twitter.com/osmox osmox

    Here another bug alike on WP7 (7720) :- Ensure that your PIN is required. - Turn On your phone and don’t enter PIN code (Press back button).- Open Phone Hub, go to Call Settings :- Normally, it prompt you PIN code…..- If you click cancel button on the pad you get access to settings anyway !

  • RIMbo

    I’ll stick with my Blackberry for now.

  • http://twitter.com/LenFirewood Len Firewood

    My principle objection to MS and Apple phones is that they are both locked into the proprietary platform mentality. Google’s android might not be whiter than white open source platform but it’as the best offering we have on the smartphone platform currently.

  • Cristian de Oliveira Rodrigues

    This isn’t malware. Its a trollware