Multiple Smartphones MMS Notification Sender Obfuscation

Reference: www.silentservices.de/adv04-2009

[Securitry Advisory] Multiple Smartphones MMS Notification Sender Obfuscation

Discovered by: Michael Mueller a.k.a. c0rnholio

Contact: c0rnholio on domain netcologne.de

Advisory Homepage: http://www.silentservices.de/adv04-2009.html

Vendor Status: not contacted

Fixes / Workarounds: none known

Discovery Date: June, 2008

Public Disclosure: 11.09.2009

Description:

A MMS Notification is part of the MMS communication flow. Usually an originator sends and

mms via a service provider (SP). After uploading the message to the SP, the recipient gets a

MMS notification from the SP with information like originator, subject and URL of the content.

In some mobile carrier networks it is allowed to send MMS notifications directly from one mobile

unit to another.

Some Smartphones fail to properly display the originator of this kind of message which leads

to a sender obfuscation.

Impact:

This attack can be used in combination with social engineering to mislead the recipient to

access the resource specified in the content URL of the MMS notification message. If the

receiving device MMS client is configured improperly this could lead to automatically download

whatever content is specified in the content URL. MMS clients which do not allow access to

content URLs other that the providers MMS proxy should be safe from the content, but are still

vulnerable to the sender obfuscation.

In addition this attack can be used to send spam and hate SMS.

More..........