Nexus smartphones can reportedly be forced to reboot through SMS attack


The latest Nexus smartphones can be forced to restart, freeze, or lose network connection because of an issue with the way they handle a certain type of SMS message, reports PC World. Security researcher Bogdan Alecu reportedly discovered that the Galaxy Nexus, the Nexus 4, and the Nexus 5 all contain a vulnerability that can allow attackers to interrupt use of the phone. By sending a Nexus phone around 30 flash SMS messages — a message type that's immediately displayed on the screen and requires action — an attacker can cause the phone to malfunction, frequently restarting or losing its data connection when the messages aren't promptly dismissed.

The attack didn't work on 20 other devices

Among the issues, PC World reports, is that Nexus devices don't automatically alert users with an audio tone when a flash SMS message is received, allowing an attacker to send many in succession before a user catches on. Alecu reportedly says that while this attack works on the three latest Nexus smartphones when running any version of Android from Ice Cream Sandwich through KitKat, it hasn't worked on 20 other devices that he's tested. Alecu tells PC World that he reported the flaw to Google, and though he was told a fix would come in Android 4.3, it still hasn't been addressed.

Though the average smartphone user isn't sending out flash SMS messages all day, it is possible to start. Several Android apps claim to allow users to send them, and various phone services also offer it as an option. Nexus owners do have some line of defense though, as Alecu has inspired an Android app that should protect Nexus users by limiting how many flash SMS messages can be received. And fortunately for them, Alecu hasn't found any deeper vulnerabilities stemming from this — such as the ability to execute code — but he thinks it should be investigated further. He tells PC World: "I see this as a serious vulnerability that has to be fixed by Google."
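As an added illustration (not from the article, and not the code of the app it mentions), here is one way a receiver-side filter could cap flash SMS delivery: it reads the message class from the TP-DCS octet defined in 3GPP TS 23.038 and applies a sliding-window limit. The names `FlashSmsLimiter` and `allow`, the limit of 5 per 60 seconds, and the sample messages are assumptions made for the example.

```python
from collections import deque


def message_class(dcs):
    """Return the message class (0-3) encoded in a TP-DCS octet, or None."""
    if (dcs & 0x80) == 0:  # groups 00xx / 01xx: bit 4 says whether bits 1-0 hold a class
        return (dcs & 0x03) if (dcs & 0x10) else None
    if (dcs & 0xF0) == 0xF0:  # group 1111: bits 1-0 always hold the class
        return dcs & 0x03
    return None  # message-waiting and reserved groups carry no class


def is_flash_sms(dcs):
    """Class 0 is the 'flash' type: shown immediately instead of being stored."""
    return message_class(dcs) == 0


class FlashSmsLimiter:
    """Hypothetical filter: show at most max_flash flash SMS per window_s seconds."""

    def __init__(self, max_flash=5, window_s=60.0):  # limits are assumed values
        self.max_flash = max_flash
        self.window_s = window_s
        self.dropped = 0
        self._shown = deque()  # timestamps of flash messages let through

    def allow(self, dcs, now):
        """Return True if the message may be displayed, False to suppress it."""
        if not is_flash_sms(dcs):
            return True  # ordinary SMS is never rate limited here
        while self._shown and now - self._shown[0] >= self.window_s:
            self._shown.popleft()  # forget deliveries older than the window
        if len(self._shown) >= self.max_flash:
            self.dropped += 1
            return False
        self._shown.append(now)
        return True


if __name__ == "__main__":
    # Constructed input: 30 class-0 messages one second apart, then a normal SMS.
    limiter = FlashSmsLimiter()
    events = [(float(t), 0x10) for t in range(30)] + [(30.0, 0x00)]
    shown = [limiter.allow(dcs, ts) for ts, dcs in events]
    print(f"displayed={sum(shown)} suppressed={limiter.dropped}")
```

Suppressed messages are counted rather than silently discarded so that a burst can be surfaced to the user as a single alert.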

Update: An earlier version of this article stated that Alecu was involved in the development of apps that could both send and block flash SMS messages. That was incorrect. Alecu's involvement was only in creating the idea for the app that could block these attacks. The article has been updated to reflect this.
