The latest Nexus smartphones can be forced to restart, freeze, or lose network connection because of an issue with the way they handle a certain type of SMS message, reports PC World. Security researcher Bogdan Alecu reportedly discovered that the Galaxy Nexus, the Nexus 4, and the Nexus 5 all contain a vulnerability that can allow attackers to interrupt use of the phone. By sending a Nexus phone around 30 flash SMS messages — a message type that's immediately displayed on the screen and requires action — an attacker can cause the phone to malfunction, frequently restarting or losing its data connection when the messages aren't promptly dismissed.
Among the issues, PC World reports, is that Nexus devices don't automatically alert users with an audio tone when a flash SMS message is received, allowing an attacker to send many in succession before a user catches on. Alecu reportedly says that while this attack works on the three latest Nexus smartphones when running any version of Android from Ice Cream Sandwich through KitKat, it hasn't worked on 20 other devices that he's tested. Alecu tells PC World that he reported the flaw to Google, and though he was told a fix would come in Android 4.3, it still hasn't been addressed.
Though the average smartphone user isn't sending out flash SMS messages all day, it is possible to start doing so. Several Android apps claim to allow users to send them, and various phone services also offer this as an option. Nexus owners do have some line of defense though, as Alecu has inspired an Android app that should protect Nexus users by limiting how many flash SMS messages can be received. And fortunately for them, Alecu hasn't found any deeper vulnerabilities stemming from this — such as the ability to execute code — but he thinks it should be investigated further. He tells PC World: "I see this as a serious vulnerability that has to be fixed by Google."
Update: An earlier version of this article stated that Alecu was involved in the development of apps that could both send and block flash SMS messages. That was incorrect. Alecu's involvement was limited to coming up with the idea for the app that could block these attacks. The article has been updated to reflect this.