All mobile phones may be open to a simple but devastating attack that enables a third-party to eavesdrop on any phone conversation, receive any and all SMS messages, and download the phone's address book.
The attack, outlined by a German security expert, would amount to the largest ever breach of privacy for billions of mobile phone users across the world. But it remains uncertain exactly how easy and how widespread the problem could be thanks to a concerted effort by mobile operators to muddy the issue while they assess its extent.
The official response of the mobile phone operators when asked about the threat is that the attack is phoney. But despite three days of inquiries, none have provided any evidence that there is an adequate defense to it. One operator told us all its security experts were at a meeting in Denmark, although, oddly for mobile company employees, there were also incommunicado.
Wilfried Hafner of SecurStar claims he can reprogram a phone using a "service SMS" or "binary SMS" message, similar to those used by the phone operators to update software on the phone. He demonstrated a Trojan which appears to use this method at the Systems show in Munich last month - a performance which can be seen in a German-language video.
Phone operators use SMS messages to make changes to their customers' phone without user intervention. These changes can vary from small tweaks to an overhaul of the phone's internal systems. Hafner claims however that phones do not check the source of such messages and verify whether they are legitimate, so by sending a bogus message he is able to pose as a mobile operator and re-program people's mobiles to do what he wants.
"I found this on a very old Siemens C45 phone, and then tried it on a Nokia E90 and a Qtek Windows Mobile 2005 phone," said Hafner. "None of them authenticated the sender of the service SMS. We could not believe no one had found this possibility before us."
On all these phones, Hafner was able to launch an example Trojan called "Rexspy", which he says ran undetected. Rexspy copies all SMS messages to the attacker, and allows the attacker to eavesdrop on any phone conversation by instructing the phone to silently conference the attacker into every call.
However, Hafner's demonstration does not constitute proof - it was done with his own phones, which could have been prepared. Known software such as Flexispy does the same job as Rexspy, but has to be installed manually on a phone. Hafner has also refused to provide a demonstration, claiming that he does not want the code put into the wild. Hafner has also put out a press release about his alleged discovery which heavily pushes his company's products.