A potential vulnerability of SMS is that it allows a handset to receive or submit a short message at any time, regardless of whether a voice or data call is in progress. If the handset is unavailable, the message is stored on the central server, which then retries delivery to the handset until the message gets through. In fact, there are desktop tools that script kiddies use for SMS denial-of-service bombing, such as Fruckie's SMS BoMBaH (see Figure 1). The principle behind this tool, when coupled with the power of a replicating virus, can potentially result in wide-scale denial-of-service attacks.
Figure 1 Fruckie's SMS BoMBaH.
Another example of such an SMS flooding virus occurred in Scandinavia. When a user received the short message, the virus locked out the handset buttons, effectively becoming a denial-of-service attack against the entire system.
Similarly, a Norwegian company found another example of malicious code. In this case, a Norway-based WAP service developer, Web2WAP, was testing its software on Nokia phones. During the testing, the company found that a certain SMS was freezing phones that received it. The code knocked out the keypad for up to a minute after the SMS was received. This strategy is similar to format attacks that cause crashes or denial-of-service attacks against Internet servers.