MMS vulnerability allows Sender to be spoofed

adv04-2009

Michael Mueller, a.k.a. c0rnholio, has discovered a widespread vulnerability in mobile phone MMS software, including Windows Mobile versions, in which the software trusts the metadata of an MMS message to generate the From address instead of using the actual number of the sender.

This vulnerability does not affect all networks, only ones where the MMS notification is sent directly from one phone to another.

On these networks, however, the problem can be particularly dangerous, as an MMS message can claim to be from a trusted sender such as your carrier and ask you to download software which can compromise your phone.

The vulnerability affects Windows Mobile, RIM, Sony Ericsson and likely other platforms as well.

Read the full disclosure at SilentServices.de here.
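
The check that the trust problem above calls for, as an added example that is not code from the advisory or from any vendor: compare the sender-controlled From metadata with the number the network reported for the notification, and display the network-reported number when they disagree. The function names, the trusted-originator list (an assumed carrier relay whose From value is accepted) and all phone numbers are constructed assumptions.

```python
import re

# Assumption: originators the carrier's own MMS relay uses for notifications.
# Constructed value; a real client would take this from carrier provisioning.
TRUSTED_RELAY_ORIGINATORS = {"+15550100"}


def normalize(addr):
    """Reduce an MMS or SMS address to a comparable form."""
    addr = addr.strip().split("/TYPE=", 1)[0]   # drop an address-type suffix such as /TYPE=PLMN
    if "@" in addr or re.search(r"[A-Za-z]", addr):
        return addr.lower()                      # e-mail style or alphanumeric sender
    digits = re.sub(r"[^\d+]", "", addr)         # strip spaces, dashes, brackets
    if digits.startswith("00"):
        digits = "+" + digits[2:]                # 00 prefix and + are the same number
    return digits


def classify(transport_originator, claimed_from):
    """Return (verdict, address_to_display) for one MMS notification.

    transport_originator: number the network reported for the message that
                          carried the notification (not chosen by the sender).
    claimed_from:         From value read from the MMS metadata (chosen by
                          whoever built the message).
    """
    origin = normalize(transport_originator)
    claimed = normalize(claimed_from)
    if origin in TRUSTED_RELAY_ORIGINATORS:
        return ("relayed", claimed)      # assumed: the carrier relay vouches for From
    if origin == claimed:
        return ("consistent", origin)
    return ("mismatch", origin)          # never show the claimed value here


# Constructed sample notifications: (transport originator, From metadata)
SAMPLES = [
    ("+1 555 0123", "+15550123/TYPE=PLMN"),   # direct, metadata matches
    ("+15550123", "YourCarrier"),             # direct, claims to be the carrier
    ("+15550100", "+15550177/TYPE=PLMN"),     # arrived through the carrier relay
]


def label_samples():
    return [classify(origin, claimed) for origin, claimed in SAMPLES]


if __name__ == "__main__":
    for (origin, claimed), result in zip(SAMPLES, label_samples()):
        print(f"{origin!r:16} From={claimed!r:24} -> {result}")
```
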
