January 3, 2008



SMS, or Short Message Service, has quickly become an integral part of our
lives. SMS is nowadays used by anyone and for almost anything (servers sending
SNMP alerts, banks sending information on account transactions, simple
conversation…). Now that we have started taking steps to make email secure and
encrypted, it’s also high time we realized that sniffing (capturing) or
spoofing (forging) SMSs is even simpler than sniffing and spoofing emails. In
this story we will try to identify the threats to the SMS world and whether
they are real or not, and at the same time identify some tools with which one
can safeguard one’s SMS inbox from such threats.

Direct Hit!

Applies To: Mobile phone users
Price: NA
USP: Learn about SMS based security threats and the tools available to protect yourself
Primary Link: NA
Google Keywords: SMS Spoofing
On PCQ Professional CD: NA

How Real is SMS Spoofing
It is very real. All you require is a PDA which runs Palm OS. Yes, we know
Palm has stopped shipping Palm OS, so somebody with an old Palm PDA would be
able to do spoofing. All it should have is the capability of spoofing SMS over
an IR link. The next thing that’s required is a GSM phone with IR and modem
support.

Now all you have to do is download a freely available open source software
called SMSSpoof from http://freshmeat.net/projects/smsspoof/. Once you have
downloaded it, unzip it and install the .prc file onto your PDA using HotSync
or whichever installation method you prefer.

Start the application after you’ve installed it. You will be asked to fill
in: the number of the spoofed sender, the number of the recipient, the actual
message, and the number of an SMS Center (SMSC) which is EMI/UCP-compatible.
This capability is nothing but the capability of sending SMS over GSM dialup.
Now here’s the good news: none of the SMSCs in India today have this vulnerable
capability.

We tried sending Spoofed SMSs from multiple SMSCs of Vodafone, Airtel, and
BPL but none worked. Now the bad news: you can use any SMSC across the globe
which supports EMI/UCP for sending spoofed SMSs.

The method which we just mentioned to send Spoofed SMS looks pretty geeky and
you will require quite a few things to be able to do so. There are many websites
on the Internet which let you send spoofed SMS without the need of any technical
knowhow. We won’t of course delve into the details of such sites, because that’s
not the intent. What we want to tell you is that sending spoofed SMSs is easier
than spoofing emails, and could become a potential security threat in the
future, so you need to be more careful. In the rest of the article, we’ll focus
on how to protect yourself against SMS based security threats.

Spoofed SMS can be sent from a PalmOS based PDA and SMSSpoof software. Plus, all you require is a phone with IR and GSM modem

Prevention: SMS Encryption
To date there is no system that can protect you against spoofed SMS and
tell you whether the SMS you are receiving is from a legitimate sender or not.
So to protect against such threats the only solution is to use SMS encryption.
There are quite a few apps available for quite a few smartphones. A simple
Google search with keywords such as ‘SMS + encryption + your-phone-vendor-name’
can give you a list of apps which you can use to encrypt SMS.

But the drawback with such systems is that both ends (the sender and the
receiver of the SMS) should have the same software running to encrypt and
decrypt the SMS, which also means that both should have a similar phone or
phones which support the same application.

So you can’t actually send a standard encrypted SMS which can be decrypted on
any or all phone models. Some well-known software for SMS encryption for
different smart phones are as follows:

SMSProtector:
http://www.mobile-mir.com/en/SmsProtector.php

MumSMS:
http://mysymbian.com/7650/applications/applications.php?fldAuto=940&faq=2

Fortress SMS:
http://my-ymbian.com/7650/applications/applications.php?fldAuto=503&faq=2

SMS filter software is available using which you can ban certain numbers or allow your address book numbers to send you SMSs. You can also send encrypted SMSs
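
Why software that shares a key between both ends can reject a forged sender number, as an added example (not code from this article or from any of the products listed): the receiver checks a keyed tag against the key it holds for the claimed sender. It shows only that integrity check, using HMAC-SHA256 from the Python standard library, and leaves out encryption of the body; the wire format, phone number and key are constructed assumptions.

```python
import base64
import hashlib
import hmac

SMS_MAX_CHARS = 160   # one single-part SMS; assumes basic GSM 7-bit characters only
TAG_BYTES = 12        # truncated HMAC-SHA256 tag -> 16 base64 characters

def _tag(key, sender, counter, body):
    # Bind the tag to the sender number and a counter, not just to the text.
    data = f"{sender}:{counter}:{body}".encode("utf-8")
    mac = hmac.new(key, data, hashlib.sha256).digest()[:TAG_BYTES]
    return base64.b64encode(mac).decode("ascii")

def protect(key, sender, counter, body):
    """Sender side: build 'counter:tag:body' (hypothetical wire format)."""
    sms = f"{counter}:{_tag(key, sender, counter, body)}:{body}"
    if len(sms) > SMS_MAX_CHARS:
        raise ValueError("body too long for one SMS once the tag is added")
    return sms

def verify(keys, last_seen, claimed_sender, sms):
    """Receiver side: return the body if authentic and fresh, else None."""
    key = keys.get(claimed_sender)
    try:
        counter_s, tag, body = sms.split(":", 2)
        counter = int(counter_s)
    except ValueError:
        return None                      # ordinary or malformed SMS
    if key is None:
        return None                      # no key shared with this number
    expected = _tag(key, claimed_sender, counter, body)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                      # tag was not made with the sender's key
    if counter <= last_seen.get(claimed_sender, -1):
        return None                      # replay of an older genuine message
    last_seen[claimed_sender] = counter
    return body

def demo():
    bank = "+10000000001"                                # constructed number
    keys = {bank: b"constructed-shared-secret-32bytes"}  # constructed key
    seen = {}
    genuine = protect(keys[bank], bank, 1, "Acct debited 500.00")
    forged = "2:AAAAAAAAAAAAAAAA:Acct debited 500.00"    # made-up tag, no key
    return [verify(keys, seen, bank, m) for m in (genuine, forged, genuine)]
```

The third result is a rejection because the genuine message is presented a second time with a counter the receiver has already seen.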

Prevention: SMSSpam filter
The next most important application that one would like to install on
his/her mobile is an SMS spam filter. These spam filters are not very
sophisticated and can work in only a few ways, such as defining a list of
numbers you want to ban or creating a white list of numbers you want to allow.
The latter will allow all numbers in your phone book. The third form of filter
is word or phrase blocking, where you can define a few keywords which, if found
in an SMS, will cause it to be blocked and sent to a vault. We are yet to see
SMS spam filters that can use a global black or white list and content filter.
Some applications that you can try using are:

SmartBlock for SmartPhones:
http://www.efficasoft.com/smartblock/index.html

EasyHelper SMSSecurity:
http://www.mobiletopsoft.com/board/2022/easyhelper-releases-sms-security-utility-for-windows-mobile.html
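
The three filter modes described above (banned numbers, address-book white list, keyword blocking to a vault), as an added example that is not code from either product. The class and function names, the default country code "91" and the sample messages are assumptions made for this illustration.

```python
import re

def normalize(sender, default_cc="91"):
    """Canonical form so '+91 98000 00001', '098000 00001' and '9800000001' compare equal."""
    s = sender.strip()
    if re.search(r"[A-Za-z]", s):
        return s.upper()                      # alphanumeric sender ID
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    return default_cc + digits.lstrip("0")    # assumption: local numbers are in default_cc

class SmsFilter:
    def __init__(self, blacklist=(), address_book=(), keywords=(), whitelist_only=False):
        self.black = {normalize(n) for n in blacklist}
        self.white = {normalize(n) for n in address_book}
        self.keywords = [k.lower() for k in keywords]
        self.whitelist_only = whitelist_only
        self.vault = []                       # blocked messages are kept, not deleted

    def classify(self, sender, body):
        who = normalize(sender)
        if who in self.black:
            verdict = "vault:blacklist"
        elif self.whitelist_only and who not in self.white:
            verdict = "vault:not-in-address-book"
        elif any(k in body.lower() for k in self.keywords):
            verdict = "vault:keyword"
        else:
            verdict = "inbox"
        if verdict != "inbox":
            self.vault.append((sender, body))
        return verdict

# Constructed sample traffic (numbers and texts are made up for this example).
SAMPLE = [
    ("+91 98000 00001", "Lunch at 1?"),
    ("09800000002", "Call me back"),
    ("TM-OFFERS", "Best loan rates"),
    ("98000-00001", "You have won a lottery, reply now"),
]

def demo():
    f = SmsFilter(blacklist=["9800000002"], address_book=["+919800000001"],
                  keywords=["lottery"], whitelist_only=True)
    return [f.classify(s, b) for s, b in SAMPLE]
```

Every rule except the keyword one decides on the sender field, which is the field a spoofed SMS forges, so a filter of this kind deals with spam rather than with spoofing.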

SMS is natively a clear-text and vulnerable medium of communication, and we
still don’t have enough good security tools to patch up its vulnerabilities. So
it is not advisable to use SMS for communicating confidential data.

There’s an increasing number of websites out there, such as this one that allows anyone to spoof SMSs after making an online payment through a credit card
