Microsoft Windows Mobile 6 is the latest version of Microsoft's mobile operating system. Designed for small embedded devices, Windows Mobile is the CE feature set designed for PDAs and mobile telephones. Microsoft Windows Mobile comes in three distinct flavors: Pocket PC, Pocket PC Phone Edition and SmartPhone.
A vulnerability has been discovered in the SMS handler on Windows Mobile 2005 Pocket PC Phone Edition: a specially crafted WAP PUSH message can mask the sender of the original SMS message from the recipient.
Symantec discovered that a slightly malformed WAP PUSH message could be used to hide the originating sender of the message on Windows Mobile 2005. The original PDU can be seen in [1]. The following PDU will cause the Pocket PC Phone Edition SMS handler to incorrectly decode the PDU. As a result, both the sending telephone number and the sending time are incorrect.
The decode of the PDU can be seen in [2]. This decode was produced with PDUSpy from http://www.nobbi.com/pduspy.htm. When this message is received by a SmartPhone it will be silently discarded, which can also be useful to an attacker who wishes to ascertain if a cellphone is on without alerting the user through SMS delivery receipts.
[2] Decode of PDU from PDUSpy
PDU LENGTH IS 118 BYTES
ADDRESS OF DELIVERING SMSC
NUMBER IS : +447785016005
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
MESSAGE HEADER FLAGS
MESSAGE TYPE : SMS SUBMIT
REJECT DUPLICATES : NO
VALIDITY PERIOD : RELATIVE
REPLY PATH : NO
USER DATA HEADER : PRESENT
REQ. STATUS REPORT : NO
MSG REFERENCE NR. : 34 (0x22)
DESTINATION ADDRESS
NUMBER IS : +447716299660
TYPE OF NR. : International
NPI : ISDN/Telephone (E.164/163)
DATA CODING SCHEME (0x04)
AUTO-DELETION : OFF
COMPRESSION : OFF
MESSAGE CLASS : NONE
ALPHABET USED : 8bit data
VALIDITY OF MESSAGE : 24.0 hrs
USER DATA PART OF SM
USER DATA LENGTH : 96 octets
UDH LENGTH : 6 octets
UDH : 05 04 0B 84 23 F0
UDH ELEMENTS : 05 - Appl. port addressing 16bit
4 (0x04) Bytes Information Element
09200 : SOURCE port is: allocated by IANA
02948 : DESTINATION port is: allocated by IANA
--- DATA ----------------------
05 04 0B 84 23 F0
USER DATA (TEXT) : % jE
symantec Symantec
bulkSMS (Unregistered Ver) -
LogixMobile.com
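The User Data Header in the decode above (UDH length 6, octets 05 04 0B 84 23 F0) can be parsed and bounds-checked as follows. This is an added example, not code from the advisory or from PDUSpy; the function names are hypothetical and the payload bytes after the header are constructed placeholders.

```python
# Added example: strict parsing of the SMS User Data Header (UDH) shown in
# the PDUSpy decode. Field layout follows 3GPP TS 23.040: one UDH length
# octet, then information elements of (identifier, length, data).

WAP_PUSH_PORT = 2948  # destination port reported in the decode above

# UDH length octet (06) plus the six UDH octets from the decode, followed
# by constructed placeholder payload bytes (not the advisory's payload).
SAMPLE_USER_DATA = bytes.fromhex("0605040B8423F0") + b"\x00\x01\x02"

def parse_udh(user_data: bytes):
    """Return (elements, payload); elements is a list of (iei, data)."""
    if not user_data:
        raise ValueError("empty user data")
    udhl = user_data[0]
    if udhl + 1 > len(user_data):
        raise ValueError("UDH length exceeds user data")
    header, payload = user_data[1:1 + udhl], user_data[1 + udhl:]
    elements, i = [], 0
    while i < len(header):
        if i + 2 > len(header):
            raise ValueError("truncated information element")
        iei, iedl = header[i], header[i + 1]
        data = header[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("information element overruns UDH")
        elements.append((iei, data))
        i += 2 + iedl
    return elements, payload

def port_addressing(elements):
    """Return (destination_port, source_port) from IEI 0x05, or None."""
    for iei, data in elements:
        if iei == 0x05:  # application port addressing, 16 bit
            if len(data) != 4:
                raise ValueError("16-bit port element must be 4 octets")
            return (int.from_bytes(data[:2], "big"),
                    int.from_bytes(data[2:], "big"))
    return None

def is_wap_push(user_data: bytes) -> bool:
    """True when the UDH addresses the message to the WAP PUSH port."""
    elements, _ = parse_udh(user_data)
    ports = port_addressing(elements)
    return ports is not None and ports[0] == WAP_PUSH_PORT
```

A handler or gateway filter that rejects any message for which `parse_udh` raises, instead of continuing with partially decoded fields, avoids acting on a header it could not fully validate.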
Vendor Response:
A vulnerability has been discovered in the SMS handler. If a malicious message with no sender was received by a user on their device, the user may be enticed into taking action or clicking the URI that could lead to a second order attack.
Mitigating Factors: By default, Windows Mobile device policy requires SI messages to be authenticated. The mobile operators have the ability to change the policy to not require authentication in order for 3rd party ring tones and other SI messages.
Microsoft will look into a different architecture in future versions.
Recommendation:
Contact your mobile operator to ensure the proper policy is set on your device.