
SMS and Social Networks

For several months, I've been looking for a secure way of updating my status messages through SMS. Though there have been several options, I consider their approach to be significantly flawed. When my friend started posting his updates through SMS, I checked the website to see how they go about updating your status. I find it very alarming, and perhaps it's a good time to share my thoughts as an IT professional.

I. Existing Services and Their Flaws

OK, first on my list is the one my friend recently subscribed to, @tweetitow (http://tweetitow.com). I looked at how I could subscribe, and guess what welcomed me:

I already have a twitter account. Now, how can I register to @tweetitow?

Simply text/send from your mobile phone your twitter username and password in this following format:

REG tweetitow veryverysecret

to following gateway numbers:

Globe/TM users: 09273389183

Smart/TNT users: 0918-419-4904

Sun users: 0923-986-0673

Text your password? When they get your password in PLAIN TEXT on perhaps some makeshift SMS gateway (perhaps a phone with a data cable hooked up to a computer), what do they do with it? Store it in plain text in a database? What if someone on their team wanted to see what Pogzie's password is? If it's in plain text... Imagine having a whole database of accounts stored in plain text. That's scary. Well, let's hope they encode it before saving it to the database.

Second is the all-popular phPlurk (http://phplurk.com/node/2).

Then again, I'm welcomed with this:

To update your timeline using sms/text, you need to *register your plurk account to the gateway*.

To register, send:

* PREG [username] [password]

It presents the same security issue found above. How are the passwords saved? This time, I would put the emphasis on the SMS gateway itself. How secure is their server room (or house/office/what have you)? What if someone was crazy enough to steal their SMS gateway, a mobile phone containing some, if not all, of the messages with your usernames and passwords? Ouch.

The third one is iSip.ph (http://isip.ph/).

I failed to get an account since their registration is already closed, but perhaps it employs the same technique as the sites mentioned above.

In summary, this diagram shows vulnerable points in the implementation of these services.


Possible vulnerabilities are pointed out by the lightning. The problematic areas are as follows:
  • Security of the SMS gateway (can I just pull it out and run away with it?)
  • How the passwords are stored in the database (plaintext? MD5? SHA-1?)
  • Security of the computer/server (can I unplug the machine and run away with it?)
  • How many people have access to the computer/server (Bob left the machine at the office; after office hours, Alice used it and opened the database)

II. Safety of Sent SMS

Recently, the GSM cipher just got cracked. This means that communication sent through SMS, or even calls, could easily be hijacked. More info can be found in this link, but be warned, this is not for the faint of heart.

As an additional note, there exist SIM card programming tools which one could use to easily tamper with a SIM card. Scarily enough, this could lead to illegal number cloning. Tools such as these are freely sold on the internet; while it takes a certain skill to make use of them, we could say that it is possible.

Ever wonder why postpaid subscribers can get another SIM card with the same number if they lose their phone or their SIM? Simple: the telcos just program a SIM with your number. Honestly, there are lots of ways you could snoop into people's SMS, but all of these are illegal (without the user's and probably the telco's consent). Another news item about this can be found here.


In summary, I've modified the diagram to depict additional vulnerabilities with the current setup.

Again, additional vulnerable areas include:
  • Security of sent SMS (is someone snooping on your outbound SMS?)
  • Security of received SMS (is someone snooping on the GSM module/phone SMS?)

This might be too complex for the average Joe to pull off, but it is possible.

III. Probable Solution and Alternatives

So I've presented the issues with using these services, and you might all be wondering: what can we do about this?

Simple. SMS to email.

Why? Because you won't be sending any username or password.

How? Sign up for ping.fm (http://ping.fm), Posterous (http://posterous.com/) or any social networking posting aggregator. Then, find a simple SMS-to-email service like Chikka txt2mail (http://www.chikka.com/txt2mail/) or FastMail from Fast.ph (http://www.fast.ph/FastMail/).

How do I post? The SMS-to-email service does that. Send an email through SMS to your ping.fm or Posterous secret posting address.

Your SMS would probably look like:

mypostingaddress@ping.fm this is my status update

You're just sending an email through SMS to a service which then posts to your social networking sites. Even if they snoop on your SMS messages, all they will see is the email address (which you could change easily if you feel that it has been compromised).

But it charges an outrageous 2.50php for every SMS sent as an email! Sadly, yes. This is where those existing services would come in. It's a simple modification to their system. All they need to do is write a simple mailer script in PHP (or any programming language they like) which parses the SMS into two parts: everything before the first space is the email address, and the rest is the content. It then sends the email to the recipient address. If they are using those GSM module set-top boxes, perhaps it's already built in.


sms -> sms gateway -> convert to email -> send to posting address
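
The "convert to email" step above, sketched in Python as an added example (it is not code from this post or from any of the services named). The function names, the `gateway_sender` address and the choice to put the status in the message body are assumptions; the message is only built here, and would be handed to the gateway's mail server for sending.

```python
import re
from email.message import EmailMessage

# Conservative address pattern: whitespace and control characters cannot
# match, so nothing can be smuggled into the mail headers via the SMS.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
MAX_SMS_CHARS = 160  # assumed limit: one single-part SMS


def split_sms(text):
    """Split an SMS into (posting_address, status) at the first space."""
    text = text.strip()
    if not text or len(text) > MAX_SMS_CHARS:
        raise ValueError("empty or oversized SMS")
    address, _, status = text.partition(" ")
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("first word is not an email address")
    # An SMS body may contain line breaks; collapse all whitespace runs.
    status = " ".join(status.split())
    if not status:
        raise ValueError("no status text after the address")
    return address, status


def sms_to_email(text, gateway_sender="gateway@example.invalid"):
    """Build (but do not send) the email for one inbound SMS."""
    address, status = split_sms(text)
    msg = EmailMessage()
    msg["From"] = gateway_sender  # hypothetical gateway mailbox
    msg["To"] = address           # the user's secret posting address
    msg.set_content(status)       # assumption: the service posts the body
    return msg


if __name__ == "__main__":
    # Sample SMS taken from the format shown in this post.
    print(sms_to_email("mypostingaddress@ping.fm this is my status update"))
```

The gateway never sees a username or password with this flow; the only secret it handles is the posting address, which the user can rotate.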

Heck, if they're interested, I'd be willing to help them modify their system.

But as of now, services like those asking for my password? No thanks. Maybe others would think of it as: "It's just (insert social networking site here). Why would one want to hack my account?" You might want to look at how much information is posted on your account. You might reconsider. Identity theft, anyone?
