Michael Muller of silentservices.de discovered a bug in certain smartphones that allows sender obfuscation for MMS messages.
According to the security advisory, an attacker can create a MMS message that cloaks the sender number. This could essentially give people who send threats, scams and spams a free pass, as it negates any worries about their numbers being reported/exposed.
The attacker could also theoretically automatically download content onto a device, using a specially crafted MMS containing a URL. The major obstacle to this is that automatic download is entirely dependent on the service provider the device connects to.
According to Muller, "MMS clients which do not allow access to content URLs other than that of the provider's MMS proxy should be safe from the content, but are still vulnerable to the sender obfuscation."
The bug was discovered in June; full disclosure only occurred on September 11, 2009. This bug has been tested on the following devices:
– Blackberry (BB 8800, Firmware: 220.127.116.11) – Windows Mobile (WM5, WM6, WM6.1, WM6.5) – Sony Ericsson W890i, W810i
Further details are available at http://www.silentservices.de/adv04-2009.html.