SMS Security Flaw Haunts Nexus Devices

If you’re using a Nexus device, you may want to check on it at least once an hour. It has been learned that the device is susceptible to a SMS security flaw that can render it useless or take away its Internet connectivity. Irrespective of whether you’re using a Nexus Galaxy, Nexus 4, or even Nexus 5, you’re very much a sitting duck as long as your device is running any of the Android 4.x firmware versions, yes even KitKat.

A frustratingly casual approach towards security

As it turns out, the SMS security flaw has been around for quite some time now. Bogdan Alecu, a system administrator at the Dutch IT services company Levi9, had discovered the security vulnerability over a year ago and had brought it to Google’s attention several times, but to no avail. The company’s lack of urgency compelled him to eventually disclose the problem publically, bringing it to the attention of security experts as well as current and potential Android, particularly Nexus, user out there. Google did eventually acknowledge and appreciate Alecu’s for bringing the issue to light and stated that it is investing the matter, but unfortunately, that is all it seems to be doing all this time. Someone from the Android Security Team had claimed that the issue would be resolved with the release of Android 4.3, but even as we move towards Android 4.5 or maybe 5.0, the problem still persists.

A silent assailant

The SMS security flaw plaguing the Nexus devices is exploited by none other than the Class 0 SMS, commonly known as Flash SMS message, which have an ability to display on top of all active windows. When a Flash SMS message is received, it causes the display to become dim until stored or dismissed. However, if another Flash arrives before the previous one is taken care of, the new message stacks on top, thus dimming the display even further. This is precisely what the SMS security flaw stems from. If Flash SMS are sent to the Nexus device in a bulk, for instance 30, they don’t just dim the display to an extent where it’s no longer visible, but eventually causes the device to behave abnormally.

What makes the Flash SMS messages barrage even worse is that there is no audio notification upon their arrival.

The possible effects of SMS security flaw

There are a number of things that can happen to your Nexus device when it gets targeted by a barrage of Class 0 SMS.

In most cases, the device may reboot. This can become an even bigger concern if the PIN is required to unlock the SIM before reconnecting to the network. Since there is no audio notification, you may remain oblivious to the PIN request and the device may consequently lie dormant for hours.

In some instances, the phone doesn’t restart, but instead temporary loses connection to the mobile network. Even though it reconnects automatically after a while, Internet connectivity remains suspended.

In some rare instances, the phone neither restarts nor loses connection to the mobile network upon receiving Flash SMS messages in bulk.  Instead, only the messaging app crashes, but that too is automatically restored by the system.

Susceptible but not helpless

While you are waiting for Google to release a fix for the gaping security flaw in its messaging app, you can defend yourself against the threat on your own by downloading the Class0Firewall app from the Play Store and installing it on your Nexus device. It would keep you protected by limiting the amount of Flash SMS messages that your device can receive.

While a temporary solution to the problem is available, Google needs to stop taking the loyalty of its users for granted and taking the issues and threats faced by them more seriously. If it continues its casual approach towards user security and experience, it may not be long before even its loyalists get fed up and start looking in other directions.

Be first to comment