Security Research
Showing results for 
Search instead for 
Do you mean 

How to Identify (and contribute) mobile platform vulnerabilities - Building your own SMS/MMS fuzzer

Brian_Gorenc on ‎08-20-2014 06:17 PM

Every time you hand out your phone number you are giving adversaries access to an ever-increasing attack surface. Text messages and the protocols that support them offer attackers an unbelievable advantage. Mobile phones will typically process the data without user interaction, and (can incorrectly) handle a large number of types of data, including various picture, audio, and video formats. To make matters worse, in many cases you are relying on the carriers to be your front line defense against these attacks. Honestly, it sounds like a recipe for remote exploitation.

Complicating the threat to mobile security is the fact that most mobile phone manufacturers end-of-life products at release or shortly thereafter.  And to further complicate any secure development life-cycle potential, carriers must be involved in the update process. Vulnerability disclosure is still a new thing for this industry.  We hope that with the growing amount of mobile security research being released the community will gain a better understanding of the importance of securing these devices.


This past weekend at DEF CON 22, Matt Molinyawe and I presented “Blowing up the Celly - Building Your Own SMS/MMS Fuzzer” to a full house. Clearly, there is a growing interest in mobile phones as an attack surface.


For those interested in researching security vulnerabilities on mobile platforms, the talk focused on the "do-it-yourself" aspect of building your own SMS/MMS fuzzer - exercising this attack surface virtually, using emulators, and on the physical devices, using OpenBTS and a USRP.  If you are a newcomer to researching mobile platforms, we presented ways to ‘roll your own’ fuzzing framework. We discussed messaging specifications (SMS/MMS/CMAS) and file formats (audio/video/etc.) available for testing. Testing may require less hardware than you imagined. We provided links to emulators and options for scripting and automation.  In the end, our bill of goods was a few thousand bucks.


The interest in identifying vulnerabilities in mobile platforms has never been higher.  Our goal is to ensure you have all the details you need to quickly find vulnerabilities to help ensure a more secure ecosystem.  As an added bonus, you could even make a few dollars in the process.  Just submit your findings to the ZDI, and if accepted, the ZDI will pay you for the findings.


To learn more, consider joining us for our Mobile Pwn2Own competition to be held at the 12th annual PacSec conference, Nov 12-13 in Tokyo.  The rules and details are coming soon!

0 Kudos
About the Author


June 6 - 8, 2017
Las Vegas, Nevada
Discover 2017 Las Vegas
Join us for HPE Discover 2017 in Las Vegas. The event will be held at the Venetian | Palazzo from June 6-8, 2017.
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all