SMS, or Short Message Service, has quickly become an integral part of our lives. SMS is nowadays used by anyone and for almost anything (servers sending SNMP alerts, banks sending information on account transactions, simple conversation...). Now that we have started taking steps to make email secure and encrypted, it's high time we realized that sniffing (capturing) or spoofing (forging) SMSs is even simpler than sniffing and spoofing emails. In this story we will try to identify the threats to the SMS world and whether they are real, and at the same time identify some tools with which you can safeguard your SMS inbox from such threats.
How Real is SMS Spoofing
It is very real. All you require is a PDA which runs Palm OS. Yes, we know Palm has stopped shipping Palm OS, so somebody with an old Palm PDA would be able to do spoofing. All it should have is the capability of spoofing SMS over an IR link. The next thing that's required is a GSM phone with IR and modem support.
Now all you have to do is download a freely available open-source application called SMSSpoof from http://freshmeat.net/projects/smsspoof/. Once you have downloaded it, unzip it and install the .prc file on your PDA using HotSync or whichever method you prefer.
Start the application after you've installed it. You will be asked to fill in: the number of spoofed senders, number of recipients, actual message, and the number of an SMS Center (SMSC) which is EMI/UCP-compatible. This capability is nothing but the capability of sending SMS over GSM dialup. Now here's the good news: none of the SMSCs in India today have this vulnerable capability.
We tried sending Spoofed SMSs from multiple SMSCs of Vodafone, Airtel, and BPL but none worked. Now the bad news: you can use any SMSC across the globe which supports EMI/UCP for sending spoofed SMSs.
The method we just described for sending spoofed SMS looks pretty geeky, and you need quite a few things to be able to do it. There are many websites on the Internet which let you send spoofed SMS without any technical know-how. We won't of course delve into the details of such sites, because that's not the intent. What we want to tell you is that sending spoofed SMSs is easier than spoofing emails, and could become a potential security threat in the future, so you need to be more careful. In the rest of the article, we'll focus on how to protect yourself against SMS-based security threats.
|Spoofed SMS can be sent from a PalmOS based PDA and SMSSpoof software. Plus, all you require is a phone with IR and GSM modem|
Prevention: SMS Encryption
Till date there is no system that can protect you against Spoofed SMS and tell you whether the SMS you are receiving is from a legitimate sender or not. So to protect against such threats the only solution is to use SMS encryption. There are quite a few apps available for quite a few smart phones. A simple Google search with keywords such as 'SMS + encryption + your-phone-vendor-name' can give you a list of apps which you can use to encrypt SMS.
But the drawback with such systems is that both ends (the sender and the receiver of the SMS) should have the same software running to encrypt and decrypt the SMS, which also means that both should have a similar phone or phones which support the same application.
So you can't actually send a standard encrypted SMS which can be decrypted on any or all phone models. Some well-known software for SMS encryption for different smart phones are as follows:
|SMS filter software is available using which you can ban certain numbers or allow your address book numbers to send you SMSs. You can also send encrypted SMSs|
Prevention: SMSSpam filter
The next application you would want to install on your mobile is an SMSSpam filter. These spam filters are not very sophisticated and work in only a few ways: you can define a list of numbers you want to ban, or create a white list of numbers you want to allow. The latter will allow all numbers in your phone book. The third form of filter is word or phrase blocking, where you define a few keywords; an SMS in which any of them is found is blocked and sent to a vault. We are yet to see SMSSpam filters that can use a global black or white list and content filter. Some applications that you can try using are:
SmartBlock for SmartPhones:
EasyHelper SMSSecurity :
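The three filter modes described above (ban list, address-book white list, phrase blocking with a vault), as an added Python example; it is not code from SmartBlock, EasyHelper or any other product named in this article. It also shows the limit noted earlier: a message whose forged sender matches an address-book entry passes the white list. The function and class names, the default country code 91, and all sample numbers and messages are assumptions constructed for illustration.

```python
import re

def normalize(sender, default_cc="91"):
    """Reduce a sender ID to one comparable form (default_cc is an assumption)."""
    s = sender.strip()
    if re.search(r"[A-Za-z]", s):        # alphanumeric sender ID, e.g. "MYBANK"
        return s.upper()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):                # already in international form
        return digits
    if digits.startswith("00"):          # international dialling prefix
        return digits[2:]
    if digits.startswith("0"):           # national trunk prefix
        return default_cc + digits[1:]
    return default_cc + digits if len(digits) == 10 else digits

class SmsFilter:
    def __init__(self, banned=(), address_book=(), phrases=(), known_only=False):
        self.banned = {normalize(n) for n in banned}
        self.known = {normalize(n) for n in address_book}
        self.phrases = [p.lower() for p in phrases]
        self.known_only = known_only
        self.vault = []                  # blocked messages are kept, not deleted
    def check(self, sender, text):
        """Return (verdict, reason) for one incoming message."""
        key = normalize(sender)
        body = " ".join(text.lower().split())   # lower-case, collapse whitespace
        if key in self.banned:
            result = ("block", "banned number")
        elif any(p in body for p in self.phrases):  # known senders too: sender can be forged
            result = ("block", "blocked phrase")
        elif self.known_only and key not in self.known:
            result = ("block", "not in address book")
        else:
            result = ("allow", "passed all rules")
        if result[0] == "block":
            self.vault.append((sender, text))
        return result

def demo():
    # Constructed sample data: none of these numbers or messages come from the article.
    f = SmsFilter(banned=["+44 7700 900123"], address_book=["+91 98100 00001"],
                  phrases=["send your pin"], known_only=True)
    inbox = [("098100 00001", "Lunch at 1?"),
             ("0044 7700 900123", "You have won a prize"),
             ("+919810000001", "Account locked. Send  your PIN now"),
             ("+919810000001", "Call me on my new number"),  # forged sender still passes
             ("+91 90000 00002", "Hi")]
    return [f.check(s, t) for s, t in inbox], f.vault
```

Calling `demo()` returns the five verdicts and the vault contents; the fourth message is allowed because the filter can only compare the sender field it is given.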
SMS is natively a clear-text, vulnerable medium of communication, and we still don't have enough good security tools to patch its vulnerabilities. So it is not advisable to use SMS for communicating confidential data.
|There's an increasing number of websites out there, such as this one that allows anyone to spoof SMSs after making an online payment through a credit card|