MSL-2008-001 - SonyEricsson WAP Push Denial of Service
SonyEricsson WAP Push Denial of Service
Denial of Service
Successfully tested on:
Other devices based on the same (or earlier) platform are likely to be
More recent devices may be not vulnerable.
A malformed WAP Push packet is able to remotely reboot the handset and,
in some cases, completely hang it.
In case the handset hangs, battery removal is needed in order to restore
By sending multiple malformed packet via SMS, an attacker may be able to
reboot the handset multiple times, effectively performing an extended
denial of service.
The attack can also be performed over an IP bearer using UDP port 2948.
In this case a single malformed broadcast packet can be used to attack
and disable a large number of devices, leading to a much heavier impact.
Solutions & Workaround:
The issue has been reported to SonyEricsson.
Mobile Security Lab is aware that the problem has been identified: some
models, more recent than the ones listed in this advisory, have been
found not to be vulnerable.
Further details are not currently available to Mobile Security Lab.