In the latest Snowden interview, it was revealed that GCHQ used an exploit sent via SMS to gain access to smartphones, and that this 'exploit' goes unnoticed by the handset user. I was wondering if it might be possible to somehow set up a smartphone as a honeypot to dump raw incoming SMS data before it's processed by the phone, and then set the phone up in such a way that it would attract the attention of GCHQ causing them to send their specially crafted SMS and then reverse engineer the message sent and then craft a patch for this exploit?
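The "dump raw incoming SMS data before it's processed by the phone" part of the plan is the one piece that is straightforward to build. Below is an added example (not code from the question or the answer) of what a honeypot handset would do with what it captures: decode SMS-DELIVER PDUs, as a GSM modem in PDU mode hands them over (3GPP TS 23.040, e.g. via `AT+CMGL`), into sender, timestamp, coding scheme, user data header and body, and attach triage flags for the things an analyst looks at first (a user data header, port addressing, binary rather than text payload, SIM-directed class 2, non-zero protocol identifier). The two PDUs are constructed samples, not captured traffic; the 20xx century for the two-digit year is an assumption of the example.

```python
# Added example: decode raw SMS-DELIVER PDUs (3GPP TS 23.040) captured from a
# modem in PDU mode, so a honeypot phone can log and triage what arrived before
# any messaging app parses it. Both sample PDUs below are constructed.
import math

# GSM 7-bit default alphabet (3GPP TS 23.038); index = septet value.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128

# Constructed: plain 7-bit text "How are you?" from +31641600986, sent 2002-08-26 19:37:41 UTC+2.
TEXT_PDU = "07911326040000F0040B911346610089F60000208062917314800CC8F71D14969741F977FD07"
# Constructed: 8-bit binary payload with a port-addressing user data header (IEI 0x05).
BINARY_PDU = "00440B911346610089F60004208062917314800B06050412345678DEADBEEF"


def _swap_nibbles(hexstr: str) -> str:
    """Semi-octet fields store digits low-nibble-first: '1326' -> '3162'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def _unpack_7bit(data: bytes, septets: int, skip_bits: int = 0) -> str:
    """Unpack GSM 7-bit septets from an LSB-first bit stream."""
    bits = int.from_bytes(data, "little") >> skip_bits
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def _decode_address(field: bytes, toa: int, ndigits: int) -> str:
    """Decode an SMSC or TP-OA address; alphanumeric senders are 7-bit packed."""
    ton = toa & 0x70
    if ton == 0x50:                                  # alphanumeric type of number
        return _unpack_7bit(field, ndigits * 4 // 7)
    digits = _swap_nibbles(field.hex().upper()).rstrip("F")
    return ("+" if ton == 0x10 else "") + digits     # 0x10 = international


def _alphabet_and_class(dcs: int):
    """Interpret TP-DCS into (alphabet, message class or None)."""
    if dcs & 0xC0 == 0x00:                           # general data coding group
        alphabet = ("gsm7", "8bit", "ucs2", "reserved")[(dcs >> 2) & 0x03]
        msg_class = dcs & 0x03 if dcs & 0x10 else None
    elif dcs & 0xF0 == 0xF0:                         # data coding / message class group
        alphabet = "8bit" if dcs & 0x04 else "gsm7"
        msg_class = dcs & 0x03
    else:
        alphabet, msg_class = "unknown", None
    return alphabet, msg_class


def decode_deliver(pdu_hex: str) -> dict:
    """Parse one SMS-DELIVER PDU (SMSC prefix included) into fields plus triage flags."""
    raw = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = raw[pos]
    pos += 1
    smsc = ""
    if smsc_len:                                     # length covers TOA + digits
        smsc = _decode_address(raw[pos + 1:pos + smsc_len], raw[pos], (smsc_len - 1) * 2)
        pos += smsc_len
    first = raw[pos]
    pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                        # TP-UDHI: a header precedes the body
    ndigits, toa = raw[pos], raw[pos + 1]
    pos += 2
    oa_len = (ndigits + 1) // 2
    sender = _decode_address(raw[pos:pos + oa_len], toa, ndigits)
    pos += oa_len
    pid, dcs = raw[pos], raw[pos + 1]
    pos += 2
    ts = _swap_nibbles(raw[pos:pos + 7].hex())       # YY MM DD hh mm ss tz, semi-octets
    tz_octet = raw[pos + 6]
    pos += 7
    timestamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"  # 20xx assumed
    quarters = int(_swap_nibbles(f"{tz_octet & 0xF7:02x}"))   # bit 3 is the sign
    tz_hours = (-quarters if tz_octet & 0x08 else quarters) / 4
    udl = raw[pos]                                   # septets for gsm7, octets otherwise
    pos += 1
    ud = raw[pos:]

    udh, udh_octets = [], 0
    if udhi:
        udhl = ud[0]
        hdr, i = ud[1:1 + udhl], 0
        while i + 2 <= len(hdr):                     # IEI, IEL, data ... repeated
            iei, iel = hdr[i], hdr[i + 1]
            udh.append((iei, hdr[i + 2:i + 2 + iel]))
            i += 2 + iel
        udh_octets = udhl + 1

    alphabet, msg_class = _alphabet_and_class(dcs)
    text, payload = None, None
    if alphabet == "gsm7":
        skip = math.ceil(udh_octets * 8 / 7)         # text restarts on a septet boundary
        text = _unpack_7bit(ud, udl - skip, skip * 7)
    elif alphabet == "ucs2":
        text = ud[udh_octets:udl].decode("utf-16-be")
    else:
        payload = ud[udh_octets:udl]

    flags = []
    if udh:
        flags.append("udh-present")
    if any(iei in (0x04, 0x05) for iei, _ in udh):   # application port addressing
        flags.append("port-addressing")
    if alphabet not in ("gsm7", "ucs2"):
        flags.append("binary-payload")
    if msg_class == 2:                               # message destined for the SIM
        flags.append("sim-class-2")
    if pid != 0:
        flags.append(f"nonzero-pid-{pid:#04x}")
    return {"smsc": smsc, "sender": sender, "pid": pid, "dcs": dcs, "alphabet": alphabet,
            "class": msg_class, "timestamp": timestamp, "tz_hours": tz_hours,
            "udhi": udhi, "udh": udh, "text": text, "payload": payload, "flags": flags}


if __name__ == "__main__":
    for pdu in (TEXT_PDU, BINARY_PDU):
        d = decode_deliver(pdu)
        print(d["sender"], d["timestamp"], d["flags"], d["text"] or d["payload"].hex())
```

The flags are only a first sort: a headered or binary message is ordinary (concatenated texts, carrier provisioning, MMS notifications all look like that), so the value of the honeypot is in keeping every raw PDU alongside these decoded fields so that anything which later turns out to have been hostile can be pulled out and analysed in full.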
1 Answer
First, SMS exploits are not unheard of. Quite the opposite... Android has recently been beset by the Stagefright exploit and variants that would allow exactly the sort of things described. So, if in fact this was a real program and not simply wild speculation on Snowden's part, it may in fact have been leveraging Stagefright or something similar, rather than a still unknown zero-day.
As to your specific plan, I see one glaring issue. Are you familiar with the "Underpants Gnomes" episode of the TV show South Park? If not, the episode was about a group of gnomes who stole underpants, and when asked why, it turned out they had a business plan for it. That plan was this:
- Steal underpants
- ???
- Profit.
You see, it's that second step that's the killer, and you have the same problem with your plan.
You have:
- Setup a smartphone as a honeypot
- Set the phone up in such a way that it would attract the attention of GCHQ causing them to send their specially crafted SMS
- Reverse engineer the message sent and then craft a patch
So, how again exactly do you get GCHQ to send you their message? I don't know, and I doubt you'll find anyone who does, and certainly not with any reliability. So, while it's a nice theory, and it certainly builds on the honeypot model which does indeed work, the problem is that the specificity of the attack that you need to occur is so incredibly restrictive that it's virtually guaranteed to never happen. Being struck by lightning begins to look like a refreshingly likely alternative.
So while there's nothing theoretically wrong with the approach, practically, it almost certainly won't work.
- @psychedelic_alex No, unfortunately, that will certainly not be enough. Once you move from mass metadata collection to individually targeted attacks, the bar goes up significantly. Not only are there more hoops to jump through, and considerably more expense, but if they *are* using zero-days, they are pretty valuable by themselves. They're not going to throw them around willy-nilly, they're going to save them to attack the phones of people only when they're quite sure there's valuable intelligence to be had. – Xander Oct 07 '15 at 12:20
- +1 for mentioning how restrictive and rare this would be. – RoraΖ Oct 07 '15 at 17:39
- @jess If it was as easy as using certain keywords, I'd own the entire arsenal of FVEY exploits by now. – forest Jan 03 '21 at 04:39