Nexus smartphones vulnerable to flash SMS attacks

Nexus smartphones including the latest Nexus 5 running Android 4.4 KitKat are vulnerable to a denial of service attack that's set off via SMS-messaging.

Google's Nexus smartphones – including the Nexus 4 and Nexus 5 – are vulnerable to attacks that target the device with text messages, causing it to restart or lose the network connection. A Dutch security researcher has discovered the vulnerability, which is caused by a crafted “Class 0” text message or flash message.

Bogdan Alecu, an IT systems administrator at Dutch IT company Levi9, spotted the vulnerability and presentedc it at the DefCamp international hacking and information security conference in Bucharest, Romania.

A Class 0 or flash SMS message is immediately displayed on the recipient's screen but is not saved on the phone. The message appears above all active windows along with a semi-transparent overlay. This type of message is used for temporary or transitory messages.

The researcher points out Nexus 4 or Nexus 5 does not have audio notifications for flash messages, thus allowing attacker to pile up messages after messages on the device, and ultimately disrupting the phone's regular activities.

In the presentation to DefCamp 2013, Alecu revealed several impacts of an attack in which more than 30 messages are sent to a target device, leading to crashing of messaging application or phone reboots or Internet access collapses.

However, Alecu also disclosed about 20 different devices from various vendors have been tested, and shown immunity to this vulnerability. He claimed he had approached Google several times after discovering the bug, but mostly received automated responses.