Windows Phone SMS Attack Reportedly Reboots Device and Locks Down Messaging Hub
A Windows Phone SMS flaw was discovered, which will supposedly reboot the Windows Phone device and prevents access to the Messaging hub when a malicious SMS is received.
Khaled Salameh, who discovered the exploit, notified Winrumors with details on how the flaw can be reproduced on Windows Phone devices. The bug can also be triggered through a Facebook chat or Windows Live Messenger message. In particular, if a contact is pinned as a live tile, and that contact sends the message, the device will reboot once the live tile is updated with the message. This is still avoidable, but only through a small window when one unlocks the device and deletes the pinned live tile before the message comes through.
A few tests conducted by Winrumors with devices such as the HTC Titan and Samsung Focus Flash, with different builds of Windows Phone 7.5 (build 7740 and RTM build 7720) managed to replicate the reboot and lock down of the Messaging hub. A video demonstration was done by Winrumors showing the flaw in action.
Salameh has also tested the attack beyond Windows Phone, with reports of the crash also affecting Microsoft Visual Studio 2010, Expressions Blend MS Help Viewer and others that weren't specified. A developer by the name of Mohammed Najeeb uncovered more details of the flaw, replying to Salameh that it seems to be XAML-based.
Such SMS attacks are not the first of its kind, with iOS and Android devices taking a hit before a patch was made available. In 2009, security researchers at the Black Hat security conference showed how an SMS-related security flaw in the iPhone gave control of the device to hackers. Google Android was also found to have an SMS flaw which prevented devices from performing any incoming or outgoing calls and text messages.
Winrumors is currently in contact with Microsoft, providing details of the bug with the help of Salameh. We've also approached Microsoft for a statement, and will be updating with more information with regards to a potential patch that will fix this SMS flaw.
Update: We've just received word from Microsoft that the company is aware of the issue and its engineering teams are examining it now. Once they have more details, Microsoft will take appropriate action to help ensure customers are protected. This will most likely come in the form of an update that will close off this SMS flaw.