erAce Security Solutions has launched a mobile firewall for preventing SMS attacks on smartphones that could result in an attacker hijacking mobile data connections. The product is called Settings Firewall and it is targeted Symbian and Windows Mobile operating systems (more info, PDF).
There has been a lot of discussion on possible SMS vulnerabilities lately. For example, F-Secure has reported the first ever SMS worm, and just end of 2008 there were headlines about the Curse of Silence denial of service attack. It is often deemed as just a matter of time before the first more serious threats appear.
The attack erAce is set to prevent is related to SMS configuration messages that can be sent to mobile phones to set up the devices with the proper network settings. It essentially means sending data to the devices via text messages that automatically configure them. In the end, anyone can send these settings messages from anywhere in the world. By faking these kinds of text messages the attacker could create her own settings and for example re-route data sent from the phone.
According to research, this vulnerability is present on any handset that supports the settings protocol. The threat was publicly announced at the BlackHat Europe security conference in mid-April 2009. The risk is high, as typically the results of the configuration changes are not shown or summarized to the user in any way, so there is little chance to notice potential problems. The malicious messages are able to bypass or silently remove the phone’s firewall software.
erAce claims that no other existing mobile anti-virus or firewall product in the market than the erAce Settings Firewall with their patent pending technology is capable of preventing the SMS vulnerability. Others may be able to block normal short messages from unwanted numbers, but none of them has addressed the malicious settings messages problem. The firm states it has researched the vulnerability already for couple of years now while developing the product.
There are naturally some other solutions suggested as well, though not all proven in practice. First, some Symbian users can choose not to accept the incoming messages – albeit probably rare if the message comes from a seemingly valid source. Windows Mobile phones do not provide any means to block to the attack, on the other hand. But also mobile operators might prevent the attack by taking additional security measures and monitoring the messaging traffic.
I am not nearly technical enough to speculate how easy it might be for a big incumbent to implement their own solution as part of their existing mobile firewalls. That would be the biggest threat to erAce. In case the firm has solid IPR protection, and there is no quick alternative way to implement the same solution, erAce might be facing acquisition proposals sometime soon.
erAce states its first pilot customer is the operator Tele2. It makes sense to adapt a similar channel sales strategy as F-Secure, and target the network operators as the primary channel. Making direct service deals with operators and getting the product preloaded into operator handsets would provide fast scaling.