
SMS-based Security Threats

PCQ Bureau

SMS, or Short Message Service, has quickly become an integral part of our lives. SMS is nowadays used by anyone and for almost anything (servers sending SNMP alerts, banks sending information on account transactions, simple conversation...). Now that we have started taking steps to make email secure and encrypted, it's also high time we realized that sniffing (capturing) or spoofing (forging) SMSs is even simpler than sniffing and spoofing emails. In this story we will try to identify the threats to the SMS world and whether they are real, and at the same time identify some tools with which one can safeguard one's SMS inbox from such threats.

Direct Hit!

Applies To: Mobile phone users
Price: NA
USP: Learn about SMS based security threats and the tools available to protect yourself
Primary Link: NA
Google Keywords: SMS Spoofing
On PCQ Professional CD: NA

How Real is SMS Spoofing



It is very real. All you require is a PDA which runs Palm OS. Yes, we know Palm has stopped shipping Palm OS, so somebody with an old Palm PDA would be able to do spoofing. All it should have is the capability of spoofing SMS over an IR link. The next thing that's required is a GSM phone with IR and modem support.

Now all you have to do is download a freely available open source software called SMSSpoof from http://freshmeat.net/projects/smsspoof/. Once you have downloaded it, unzip and install the .prc file into your PDA using HotSync or whichever way you prefer to install.

Start the application after you've installed it. You will be asked to fill in: the number of the spoofed sender, the number of the recipient, the actual message, and the number of an SMS Center (SMSC) which is EMI/UCP-compatible. This capability is nothing but the ability to send SMS over GSM dialup. Now here's the good news: none of the SMSCs in India today have this vulnerable capability.

We tried sending spoofed SMSs from multiple SMSCs of Vodafone, Airtel, and BPL but none worked. Now the bad news: you can use any SMSC across the globe which supports EMI/UCP for sending spoofed SMSs.

The method which we just mentioned to send spoofed SMS looks pretty geeky and you will require quite a few things to be able to do so. There are many websites on the Internet which let you send spoofed SMS without the need for any technical know-how. We won't of course delve into the details of such sites, because that's not the intent. What we want to tell you is that sending spoofed SMSs is easier than spoofing emails, and could become a potential security threat in the future, so you need to be more careful. In the rest of the article, we'll focus on how to protect yourself against SMS based security threats.

Spoofed SMS can be sent from a PalmOS based PDA and SMSSpoof software. Plus, all you require is a phone with IR and GSM modem

Prevention: SMS Encryption



To date there is no system that can protect you against spoofed SMS and tell you whether the SMS you are receiving is from a legitimate sender or not. So to protect against such threats the only solution is to use SMS encryption. There are quite a few apps available for quite a few smart phones. A simple Google search with keywords such as 'SMS + encryption + your-phone-vendor-name' can give you a list of apps which you can use to encrypt SMS.

But the drawback with such systems is that both ends (the sender and the receiver of the SMS) should have the same software running to encrypt and decrypt the SMS, which also means that both should have a similar phone or phones which support the same application.

So you can't actually send a standard encrypted SMS which can be decrypted on any or all phone models. Some well-known software for SMS encryption for different smart phones are as follows:

SMSProtector: http://www.mobile-mir.com/en/SmsProtector.php

MumSMS: http://mysymbian.com/7650/applications/applications.php?fldAuto=940&faq=2

Fortress SMS: http://my-ymbian.com/7650/applications/applications.php?fldAuto=503&faq=2

SMS filter software is available using which you can ban certain numbers or allow your address book numbers to send you SMSs. You can also send encrypted SMSs


Prevention: SMSSpam filter



The next most important application that one would like to install on one's mobile is an SMS spam filter. These spam filters are not very sophisticated and can only work in a few ways, such as defining a list of numbers you want to ban or creating a white list of numbers you want to allow. The latter will allow all numbers in your phone book. The third form of filter is word or phrase blocking, where you can define a few keywords which, if found in an SMS, cause it to be blocked and sent to a vault. We are yet to see SMS spam filters that can use a global black or white list and content filter. Some applications that you can try using are:

SmartBlock for SmartPhones: http://www.efficasoft.com/smartblock/index.html

EasyHelper SMSSecurity: http://www.mobiletopsoft.com/board/2022/easyhelper-releases-sms-security-utility-for-windows-mobile.html
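
The three filter modes described above (ban list, address-book white list, phrase blocking into a vault) can be sketched as follows. This is an added example, not code from any of the listed products; the class and function names, the sample numbers and the last-10-digits number matching are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

def normalize(sender):
    """Comparable key for a sender: last 10 digits of a phone number
    (assumption: 10-digit national numbers), else upper-cased sender ID."""
    digits = re.sub(r"\D", "", sender)
    if len(digits) >= 10 and not re.search(r"[A-Za-z]", sender):
        return digits[-10:]
    return sender.strip().upper()

@dataclass
class SmsFilter:
    blacklist: set = field(default_factory=set)       # numbers to ban
    address_book: set = field(default_factory=set)    # white list source
    blocked_phrases: list = field(default_factory=list)
    whitelist_only: bool = False
    vault: list = field(default_factory=list)         # quarantined messages

    def check(self, sender, text):
        """Return 'inbox' or 'vault:<reason>' for one incoming message.
        The sender is whatever the message claims; nothing here verifies it,
        so these lists cut spam but do not authenticate anyone."""
        key = normalize(sender)
        banned = {normalize(n) for n in self.blacklist}
        known = {normalize(n) for n in self.address_book}
        if key in banned:
            reason = "blacklisted sender"
        elif self.whitelist_only and key not in known:
            reason = "sender not in address book"
        else:
            body = " ".join(text.lower().split())  # fold case and spacing
            hit = next((p for p in self.blocked_phrases if p.lower() in body), None)
            reason = "blocked phrase: " + hit if hit else None
        if reason is None:
            return "inbox"
        self.vault.append((sender, text, reason))
        return "vault:" + reason

def demo():
    """Run constructed sample messages through both modes."""
    f = SmsFilter(blacklist={"+91 98100 00001"}, address_book={"09810000002"},
                  blocked_phrases=["you have won"])
    out = [f.check("9810000001", "call me"),
           f.check("AD-PROMO", "Congrats! You  have WON a prize"),
           f.check("+919810000003", "meeting at 5")]
    f.whitelist_only = True
    out += [f.check("+919810000002", "lunch?"), f.check("+919810000003", "hi")]
    return out, len(f.vault)
```

Normalizing numbers before comparison matters because the same sender can arrive with or without a country code or leading zero, and a filter that compares raw strings would miss it.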

SMS is natively a clear-text and vulnerable medium of communication, and we still don't have enough good security tools to patch up its vulnerabilities. So it is not advisable to use SMS for communicating confidential data.

There's an increasing number of websites out there, such as this one that allows anyone to spoof SMSs after making an online payment through a credit card