Read-only archive of the All About Symbian forum (2001–2013)

Obscure SMS bug no need to panic

61 replies · 11,267 views · Started 31 December 2008

I despair of the irresponsibility of the mainstream bloggers around the world who have gone into meltdown today over this announcement of an obscure bug in old versions of Symbian OS Messaging. Some comment and a link below. Short version. Move on, nothing to see. And no, you still don't need to pay money to a security firm...

Read on in the full article.

It could cost you your saved SMSs, though.

And if you've hacked your phone, put the modified installserver in your sys folder, and then upgraded your firmware, you won't be able to re-hack your phone after the hard reset.

The first place I saw this was on Engadget. As I have a spare N95-8GB that I didn't mind having to hard reset, I tried the bug on it and, as I posted on Engadget...

Tested it on an N95-8GB. Got the out of memory error after the 11th message, sent a test message and it didn't come through, got out of memory again. Switched the phone off and on again and it's back to normal, no hard reset required.

So at least on S60 3.1 you get a visual indication that your phone has been attacked (memory message) and a quick reboot fixes the problem.

slitchfield wrote: Thanks, I'll tweak my text slightly 8-)

Don't tweak it Steve, I hadn't read the details in the link you provided until now, this is the first I've seen of that article and it does mention that on S60 3.1 any messages received longer than 160 characters will get a memory error again. Just tried that and it is right, the error does happen again.

Steve, people like you are why Nokia gets away with crap like this.

In the US, and most developing countries, Nokia is not just continuing to sell "old" platforms, they are still advertising them. Nokia, as always, has no interest in updating its "old" platforms, let alone every single SKU/product code. If we're lucky - very, very lucky - we may see Nokia update phones released this year with FP1. The rest of the world will be SOL.

And as for most people not being affected by this glitch, I'd ask whether you've ever bought from one of those disreputable sellers who advertise via email. No? I didn't think so. And yet, you get spammed.

Finally, there is nothing in the video about the 5th edition, but I don't see it being ruled out either. I wonder in which world 5th edition is an "old" platform.

Instead of using your soapbox to suck up to Nokia, use it to get them to change their behaviour. When Apple, a company famous for screwing over its customer base has a better history of updating their old products than Nokia, a supposedly consumer-centric company, then something is amiss.

Unregistered wrote: And as for most people not being affected by this glitch, I'd ask whether you've ever bought from one of those disreputable sellers who advertise via email. No? I didn't think so. And yet, you get spammed.

Eh? What on earth has that got to do with it? Nothing.

Spamming = totally different.

Getting a spam email affects you, but a very unlikely security flaw won't, if not activated.

Unregistered wrote:

Finally, there is nothing in the video about the 5th edition, but I don't see it being ruled out either. I wonder in which world 5th edition is an "old" platform.

Instead of using your soapbox to suck up to Nokia, use it to get them to change their behaviour. When Apple, a company famous for screwing over its customer base has a better history of updating their old products than Nokia, a supposedly consumer-centric company, then something is amiss.

Now you're just Nokia bashing, and oh, involving Apple as well. Unsurprisingly, it's always an unregistered.

Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it. Your sponsorship by Symbian is giving you an unhealthy bias - imagine if someone does have it in for you, and tries this. Even after a hard reset, they could just do it again and again. It sounds like there's no notification about who sent it, so you wouldn't even be able to attempt to track it down without the network's help!

Anyone who doesn't read these blogs won't even have a clue what's happening.

This is a very very bad issue that needs to be resolved as soon as possible by Nokia. There are so many devices out there that suffer from it, and requiring a hard reset to fix it is terrible and will cause many users frustration.

Not only that, but it's very easy to do and well documented, with no custom software needed. This is even worse than the old "newline in Bluetooth device name" bug that used to mess up S60 devices (I assume that this is no longer the case - I never have bluetooth on, unless I have to).

I haven't heard of such exploits against WM (although I'm sure that there must be some!) - so much for the security of Symbian. How about removing one or more points from all the S60v3 "Email" entries on the smartphone grid for this? 😉

Edit: Don't get the wrong idea about this - I use both WM and Symbian, and while I love the fiddling around that you can do in WM, I think that Symbian provides a better integrated phone, overall, but this really is a potentially bad issue, especially as it sounds like the people who discovered it gave Nokia time to fix it, which they don't appear to have done.

@argh: Rubbish. If this was on WM, it would still be an obscure bug and I'd still be telling people not to worry. The only danger here is enough bloggers hyping and panicking and getting the minutiae of the bug publicised unnecessarily.

Repeat: Yes, it's a serious bug. And needs fixing by new firmware on affected devices. But it's not a virus. It's not malware. It's not going to be commonplace. And there's no need for panic....

@argh

Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it.

I've not found the guys at AAS to be like that. They focus quite rightly on Symbian devices and issues.

As for "Unregistered", I think it's cowardly to criticise Steve and not put your name to what you have to say.

5th edition should be fine. Possibly Tobias did not know about 5th edition when he wrote the text. As the 5800 is only shipping in a few places so far, he would anyway find it hard to borrow one for testing.

Mobile operators have had warning about this, and some have filters in place to stop the messages.

Cheers,
Tony

First of all, Happy New Year! 😊

Now, back to the message...

Agreed with "Unregistered". If Windows Mobile had this exploit, you would have been all over it, and you know it.

When has AAS ever, ever, done a top story detailing problems with Windows Mobile or any other non-Symbian OS? We barely even mention other OSes, except where they're directly compared to Symbian.

AAS isn't a "Symbian is great, everyone else is rubbish" site, read the articles and you'll see plenty of criticism as well as praise. For example, Rafe's preview of the 5800 said the web browser was inferior to the iPhone's, giving details of their comparative performance on a browser testing site.

Steve, who wrote the above news post, also works on a site called "All About iPhone", and he writes for a magazine that covers all smartphone platforms. Just the other day he wrote on AAS that iPhone games are far better than anything on S60, which is hardly something that Nokia or Symbian would want us to say.

I just don't get this tribal X vs Y thing that comes up in practically every comments thread, or the conspiracy theories that AAS is somehow in the pockets of Nokia and/or Symbian.

AAS leans towards Symbian *coverage* because this is a Symbian-themed site.

But coverage isn't praise, it's coverage. Coverage is negative as well as positive because that's what Symbian users want: when something is broken we scream about it, when something works we praise it.

And Symbian coverage is not Nokia coverage, AAS gave lots of attention to Samsung's recent S60 offerings because they too run Symbian. And we give absolutely no coverage to Nokia's S40 phones despite them making up the majority of Nokia's sales and profits, because they don't run Symbian. We don't cover Nokia's internet tablets either for the same reason.

Steve's rants against security fearmongers are more to do with how little evidence the fearmongers produce for a problem, and how unlikely the circumstances are for a security breach to happen. That's not something confined to Symbian, practically every platform has loud sceptics criticising security software manufacturers for fearmongering (for example many Windows security apps describe cookies as "malware" on their routine scans, implying that practically every machine is infected with trojans).

I cannot help noticing the similarity between this issue and the WatcherMainThread problem which affected my E61 about a year ago (search for 'watchermainthread' on AAS or Google, and the first hit should be the relevant thread).

To summarize, my E61 began to have problems with SMS messaging, and repeatedly displayed an error that WatcherMainThread had terminated. I found many references to similar symptoms, but no solution. I eventually determined that the problem began when I received an SMS from a contact with an unusually long name. I fixed the problem by shortening that contact's name...old messages from him which I never saw immediately appeared, the error messages stopped, and the device has worked fine ever since.

What struck me was the description of this new exploit...the email address has to be at least the same length as the length of my problematic contact name. The inability to receive further SMS messages is exactly what I experienced. More than a coincidence, I think...

Has anyone who has replicated this exploit tried it on a device with error messages enabled (such as by SysExplorer)? If so, did you happen to receive the WatcherMainThread termination message? I would try this myself, but I am traveling at the moment and only have a few devices with me. I do not want to risk any data loss at this time. I will try it later when I have access to more devices.

Also, the F-Secure site seems to imply that their app will clean the 'infected' (yeah, I hate that term for this type of thing too) files off of an affected device. Is that truly the case? Does it do so without need for a reformat, and without loss of any other data? If so, that would almost appear to constitute a potentially useful feature of the program. If already installed, is it capable of intercepting such a malformed message before it affects the device? If so, that would seem to be even more useful. It would be even better if it would display the originating number of the malformed message.

Dear Steve,

I think that you are overreacting.

Aren't there more important things to get so excited about? For example the infamous Symbian OS security hack (promoted with pride by so many websites considering themselves Symbian OS fansites), which I have never seen you complaining about, while IMHO it did more damage to the Symbian ecosystem than anything else, boosting piracy to uncontrollable levels, scaring away serious developers and thus affecting quality and range of available 3rd party software and the way the S60 platform is often being seen, i.e. a "platform for the masses, bigger brother of S40" rather than a serious mobile computing platform.

I expressed my quite sarcastic opinion about this "exploit" on our discussion forums and I think it's the best answer.

Happy New Year!

I have already been hit by this bug and that was 2 months ago. Geez!! I thought it was just a full internal memory. I brought my phone to the SIM operator and they didn't tell me the reason why my phone crashed, maybe to avoid mass panic; what they did was reflash my N82 and everything went back to normal. I wonder who sent me those bugs, Samsung freaks maybe, because I vehemently condemn that company in my blog hehehe..

Dear My-symbian.com,
The truth however is that Steve was the first mainstream blogger to complain about the OS hack - taking a rather harsh view of it. You might need to dig a bit deeper into the AAS archives!

Uh, I don't get it.

This is the worst security bug in mobile phones I've ever heard of. Millions of phones are affected and there is nothing you can do other than switching it off.

Sure, you will most likely not get hit by it, and even if you do you will not really lose anything except your time (easily a few hours in my case).

The problem is: You do not need any special hardware or software to trigger the bug on someone else's phone. So I think we will see thousands of "killed" phones in the next weeks. That is not really much, but Nokia knew about it for 6 months.

Steve should not blame websites making it public but Nokia for really bad support. A firmware update fixing this should have been available for months now. It is not some obscure thing which only happens when you use some uncommon feature with a nearly never used option after installing some unknown software, like many other problems. It is one of the main features of a mobile phone: SMS. You can not disable it. You will get it over SMS or not. All someone else needs is your number.

Sure, I don't see a possibility to make money from it or get famous so it will most likely not become a mass phenomenon. But expect some kiddies to have a lot of fun by sending such an SMS to all their "friends" in their school class for example.

Nokia should have fixed this by now and it is disappointing they didn't.

After all the publicity I don't think the bug is that obscure. It is a very annoying bug and I could pester anyone I dislike with it. Knowing the technological level of the common man, an undetected case of the SMS bug could really damage a consumer's conception of Nokia's product quality. Far more than pinkish photos. As such it should be fixed ASAP with a firmware update, and Nokia would do well to inform their users of it. It should certainly not be dismissed as trivial. Few people know how to hard reset a phone.

And if the bug could be used to upload a virus, with 40% of the consumer market having a Nokia, imagine what will happen with your phonebook. Ahhh I love doom scenarios....

Hi Steve and all others,

I think IMHO that there might even be more coming after this (although I might be wrong). This is, as already mentioned, a bad glitch in the operating system uncovered by the guys at CCC. I myself am working for a security company and I usually take those vulnerabilities seriously since these glitches might also lead to buffer or heap overflows which then again might lead to remote code execution.
Okay this of course is the worst case and might not happen BUT on the other hand S60v3 is a platform which is widely used in cellphones, not a lot unlike Windows on PCs. So just painting the worst case, improbable as it may be, further: what if mobile phones might be used as a vehicle for anonymizing whatever form of criminal actions by hijacking them with remotely executable code? What about using remotely executable code for a man-in-the-middle attack on online banking done on cellphones? You can think of a lot of scenarios.

Again, these scenarios are maybe improbable but still: a glitch is a glitch and this one in my opinion is a bad one because it can be done remotely. And of course remote exploits always begin like that: someone finds a glitch and someone else finds a way to possibly exploit this glitch.

So in my opinion we and of course especially Nokia should take this glitch seriously and fix it. Such glitches should not be underestimated since there are some people around which might try to exploit it.

I for myself am thankful that FortiNet introduced a tool to prevent the CurseSMS (I'm not in whatever form related to FortiNet).

Regards

MySymbian:
Those sites ARE Symbian OS fansites because they're providing Symbian OS users with news that will BENEFIT them. What is your link between the OS hack and the supposed boosting of piracy? The main thing that has boosted piracy is the developer certificates from the Chinese websites, not hacking. It's not just the piracy scaring away developers. It's Symbian Signed that is scaring away developers; why do you think the big players like Psiloc are still in the game? Because they can easily get their stuff signed, unlike small time developers like Samir - why has none of his stuff been signed? The expensive and annoying Symbian Signing process is what is preventing new blood from developing for S60. Windows Mobile is still thriving despite the massive possibility for pirating apps.

Steve:
I don't know why you always play down things like this and then try to insult other websites, is it your Symbian sponsorship? The prototypes that Nokia give you?

How the hell can you tell people not to panic in this situation? Seriously?

The guys that found this exploit told Nokia about it months ago. Some networks have already taken notice and stopped it but Nokia have done nothing to protect people with older phones.

The millions of people that have signed up for My Nokia or other online services, what if an employee of Nokia goes rogue and uses the database of all those numbers to attack all those people with this exploit? Are you really suggesting that people hard reset their phones and then spend hours setting them back up again for something that Nokia had the ability to fix but DID NOT?

This is no small issue here and I really don't understand how you could possibly be defending Nokia in a situation like this.

@pansies: Sigh. I'm *not* defending Nokia. Or Symbian. And yes, they should absolutely have fixed this ages ago. I just despair that these things get blown up out of all proportion. Without the hype, no one would EVER inadvertently run into this bug. As has been said above, we'll probably get a spate of kids annoying classmates with vulnerable phones for a few weeks.... not exactly the end of the world though, is it?

It's also worth noting that none of us knows how many world phone networks have *already* blocked these malformed messages.

Fully agree with Steve. Just one thought though. Think it may be helpful to write an article stating how to identify if your handset has got hit with the bug and then what needs to be done to get it back working? Can I help?

Umesh

Hi all,

first of all: why don't we just calm down a bit and think about this a bit more professionally? Insults aren't worth a damn and let's not get religious here! I personally stated my opinion a few posts back up (with the description of the worst case).

On one hand I do understand Steve: we shouldn't get hysterical about this issue. I personally own an E90 because it best suits my needs. I am not crazy for Nokia. And I will switch to another brand as soon as another brand produces something which better suits my needs. Still, I beg to disagree with Steve:

There is a very well known statement in the security community: your opinion of keeping this under the table and hoping that no one will run into it is called "security by obscurity" and is proven to never have worked. I appreciate the work of the CCC in bringing this to attention. Now there is a workaround (thanks to FortiNet) and I for myself am using it (I do not like to invest hours of work reinstalling all my applications). Usually what happens with keeping something under the table is that something bigger might develop under the table and we get hit by surprise.

at pansies:
to my knowledge, at least in Germany only the provider D1 filters those SMS out when they are sent from a D1 user, but they don't filter inbound SMS of such type. Therefore in Germany you only know that no D1 user can hit you, but it can still also hit a D1 user.

So please, just a few things:
- Nokia, go fix this issue --- and FAST
- at community: I agree with Steve on one part: don't get hysterical and calm down

Regards,
Grmmpf (see also my posts over at my-symbian and no Steve, I'm NOT a Nokia fan 😉 )

One site labelling it a "worm" was certainly off the mark and seemed to indicate that it would spread like wildfire. That obviously isn't the case but it's still a damning issue.

I also agree that buying security software for phones is still un-needed.

I don't think it's correct to describe the messages as "malformed" though, is it, Steve? Having an email address over 32 characters is valid, last time I looked at RFC 5322.

I didn't realise that Nokia had known about this issue for 6 months. As they've rolled out firmware updates for most of the recent phones in this time period, I'm surprised they didn't take action on this.

And as far as this site being balanced about what it says about different platforms (while obviously focussing on Symbian), Steve did recently post a point about iPhone games being very good, but a short while earlier there was also a post that Steve made on an iPhone blog which he admitted on here that he wouldn't have posted on here as the audience wouldn't like it.

i.e. there is some bias in the posting and he doesn't mention all the down-sides of the platform.

That's not a problem for me in most cases, and I've loved seeing the recent support for hardware acceleration from some of the head posters at AAS! (Please listen, Nokia!)

In this case, though, I do think that some of Steve's venom should be directed towards Nokia, who should have fixed it on recent phones before it became public, as well as the bloggers that helped spread the details once it was public.

Edit: Also, happy new year to everyone here at AAS 😊

DanielW wrote: Uh, I don't get it.

This is the worst security bug in mobile phones I've ever heard of. Millions of phones are affected and there is nothing you can do other than switching it off.

Fixes include: restoring an earlier backup or reformatting the phone's C drive.

DanielW wrote:
... but Nokia knew about it for 6 months.

Tobias said he notified Nokia only 7 weeks earlier.

DanielW wrote:
Steve should not blame websites making it public but Nokia for really bad support. A firmware update fixing this should be available for months now.

During his 10 minute presentation Tobias quoted someone from Nokia; every day Nokia sells more phones than there are people who upgrade their Nokia phone firmware in a year.

Speculation: maybe a good outcome from this will be that more people upgrade their firmware, and that more operators will support distribution of firmware updates for their branded phones.

ttfn

@argh: >>"I don't think it's correct to describe the messages as "malformed" though, is it, Steve? Having an email address over 32 characters is valid,"

Yes, but manually changing the SMS's delivery method AND including an extra long email address.... not exactly everyday text usage, is it?

>>also a post that Steve made on an iPhone blog which he admitted on here that he wouldn't have posted on here as the audience wouldn't like it.

Not true. I said it wouldn't have been appropriate. Writing for different audiences is not the same as pandering to them.

>>Edit: Also, happy new year to everyone here at AAS 😊

And to you!

tonyn wrote: Fixes include: restoring an earlier backup or reformatting the phone's C drive.

That's only a temporary fix though, right? If someone did it on purpose, they could just do it again.

tonyn wrote: Tobias said he notified Nokia only 7 weeks earlier.

That seems far more reasonable for Nokia to not have fixes available in this timeframe, with the amount of testing a new firmware has to go through. Hopefully they are working on it.

tonyn wrote: During his 10 minute presentation Tobias quoted someone from Nokia; every day Nokia sells more phones than there are people who upgrade their Nokia phone firmware in a year.

Speculation: maybe a good outcome from this will be that more people upgrade their firmware, and that more operators will support distribution of firmware updates for their branded phones.

Agreed, I considered that many users don't upgrade their firmware. I know that I usually delay in firmware updates a week or two to avoid early-adopter issues and because I don't really enjoy re-installing apps and settings (I'm on an N95, so no state is preserved).

Seeing as this issue effectively requires a hard-reset anyway, I'd definitely accept a fix to it.

slitchfield wrote: @argh: >>"I don't think it's correct to describe the messages as "malformed" though, is it, Steve? Having an email address over 32 characters is valid,"

Yes, but manually changing the SMS's delivery method AND including an extra long email address in a specific format.... not exactly everyday text usage, is it?

It's not that long - my full work email address is 30 characters (although I do have a cut-down version too). An example of st*ve.li******[email protected] (I've no idea if this is a real address) is over 32 characters. I think it's quite common. Admittedly, I haven't ever changed the SMS delivery method, but I assume that as it's present, some people probably do this?

Oh, sure. Email addresses can be much longer, maybe 5% of email addresses are over 32 chars? But the chances of someone accidentally changing the SMS delivery method are about 0.00001%. Of course, since the disclosure of the bug, there's now an extra possibility of a known enemy trying to mess with your SMS functionality by doing it deliberately.... But how many of us have tech-savvy enemies that can be bothered with this time-wasting?

Just been reading this news (catching up after New Year break etc.).

I suspect the damage here will not be so much to phones (I'm sure some people will be impacted, but it will be a tiny tiny percentage of total phones). More serious is the impact upon Nokia's reputation (potentially). This is the sort of thing that can cause long lasting damage (same as battery recalls etc.). There are steps that can be taken to mitigate this.

It is worth recognizing that this sort of issue is actually more common than people realise (e.g. many phones have insecure Bluetooth stacks); open platforms suffer too (see the rest bug on Android). The Curse of Silence is much easier to set up and use, but is not viral in any sense and this limits its spread very significantly. Potentially an S60 2.0 virus (Cabir variant) that included this as a function payload is possible and could be quite nasty...

I agree with Steve and other posters on here that security software is not worth it in value terms (maybe with the exception of enterprise customers). The chance of getting some nasty (be it virus, worm, DoS etc etc) is very very small and the chances are if you do get something it may not be covered by the security software anyway. Though this is a judgement each user has to make. Do you feel $30 is worth it to cover you against future possible attacks (with the knowledge such attacks are unlikely - never say never)?

Clearly this needs fixing, but people need to understand the context. Many people seeing this will associate it with viruses that take out PCs / other systems completely and spread virally. Obviously that is not what we're dealing with here.

With regards to bias etc. We do our utmost to be objective and fair in our coverage, but inevitably our own views and experiences impact the way we see things. That's one of the reasons comments are useful, as people can express their opinion.

In this particular instance regular readers will know Steve has a strong opinion on security matters.