InfoSec Philippines

Information Security, Technology News and Opinions

Curse of Silence Update

Posted by Jaime Raphael Licauco, CISSP, GSEC on January 9, 2009

F-Secure apparently has a solution for this, but you would have to pay for it after 15 days. I’ve also confirmed that this attack works on at least one of the major local networks. No word yet if they have changed their settings to what was suggested to stop the attack. Sony Ericsson UIQ devices were found by F-Secure to also be vulnerable to the attack.

Nokia isn’t very worried about it since it is a denial of service attack and doesn’t allow an attacker to leech information from your cellphone. I still think it would be very annoying if I had to do a factory reset of my phone, losing all my contacts, settings and messages. I also wouldn’t like it if my competitor knows my company uses the vulnerable phones and starts shutting down SMS capabilities until we notice it. That could potentially hit productivity and the bottom line.

I have no details of the local test done except that it exists and it was possible. If one watches the video, the victim wouldn’t even know who sent the message. The phone just stops receiving messages… in other words, Nokia’s advice in the Heise Security article is pretty useless.

Nokia, which got the demo around a month before the public release and which recently acquired Symbian, is currently working on a remedy for the vulnerability. I will post it here as soon as I get word of it.
