SMS and Social Networks

For several months, I've been looking for a secure way of updating my status messages through SMS. Though there have been several options, I've considered their approaches significantly flawed. As my friend started posting his updates through SMS, I checked the website to see how they go about updating your status. I find it very alarming, and perhaps it's a good time to share my thoughts as an IT professional.

I. Existing Services and Their Flaws

OK, first on my list is the one my friend recently subscribed to: @tweetitow ( I've looked at how I could subscribe, and guess what welcomed me:

I already have a twitter account. Now, how can I register to @tweetitow?

Simply text/send from your mobile phone your twitter username and password in this following format:

REG tweetitow veryverysecret

to following gateway numbers:

Globe/TM users: 09273389183

Smart/TNT users: 0918-419-4904

Sun users: 0923-986-0673

Text your password? When they get your password in PLAIN TEXT at perhaps some makeshift SMS gateway (perhaps a phone with a data cable hooked up to a computer), what do they do with it? Store it in plain text in a database? What if someone on their team wanted to see what the password of Pogzie is? If it's in plain text... Imagine a whole database of accounts stored in plain text. That's scary. Well, let's hope they encode it before saving it to the database.

Second is the all-popular phPlurk (

Then again, I'm welcomed with this:
To update your timeline using sms/text, you need to *register your plurk account to the gateway*.

To register, send:

* PREG [username] [password]

It presents the same security issue found above. How are the passwords saved? This time, I would put the emphasis on the SMS gateway itself. How secure is their server room (or house/office/what have you)? What if someone was crazy enough to steal their SMS gateway: a mobile phone containing some, if not all, messages with your usernames and passwords. Ouch.

The third one is (

I failed to get an account since their registration is already closed, but perhaps it employs the same technique as the sites mentioned above.

In summary, this diagram shows vulnerable points in the implementation of these services.

Possible vulnerabilities are pointed out by the lightning bolts. The problematic areas are as follows:
  • Security of the SMS gateway (can I just pull it out and run away with it?)
  • How the passwords are stored in the database (plaintext? MD5? SHA-1?)
  • Security of the computer/server (can I unplug the machine and run away with it?)
  • How many people have access to the computer/server (Bob left the machine at the office; after office hours, Alice used it and opened the database)

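To make the storage question concrete, here is an added Python illustration (my own code, not anything from the services discussed above) contrasting a plaintext store with a salted, hashed store. The point a practitioner should take from it: a hashed store can only verify a password, it can never hand the password back. A gateway that has to log in to Twitter or Plurk on your behalf therefore cannot get by with MD5, SHA-1 or any other hash; it must keep the password in plaintext or under reversible encryption whose key sits on the same machine. That is exactly why the "run away with the server" items above matter. The usernames, passwords and store layout are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory "databases" standing in for the gateway's tables.
PLAINTEXT_STORE: Dict[str, str] = {}
HASHED_STORE: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)

PBKDF2_ROUNDS = 200_000


def register_plaintext(username: str, password: str) -> None:
    """What a 'REG username password' handler does when it stores plaintext."""
    PLAINTEXT_STORE[username] = password


def register_hashed(username: str, password: str) -> None:
    """Salted PBKDF2-SHA256 storage: the password can be checked, never recovered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    HASHED_STORE[username] = (salt, digest)


def verify_hashed(username: str, password: str) -> bool:
    """The only operation a hashed store supports: is this the right password?"""
    record = HASHED_STORE.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def recover_for_upstream_login(username: str) -> Optional[str]:
    """What a relay gateway needs at posting time: the real password, to log in
    to the social network as you. Only the plaintext store can answer this;
    there is no way to write the equivalent against HASHED_STORE."""
    return PLAINTEXT_STORE.get(username)


def what_a_thief_sees() -> Dict[str, Dict[str, str]]:
    """What someone walking off with the machine (or the database dump) gets."""
    return {
        "plaintext_store": dict(PLAINTEXT_STORE),
        "hashed_store": {u: digest.hex() for u, (_salt, digest) in HASHED_STORE.items()},
    }


if __name__ == "__main__":
    register_plaintext("Pogzie", "veryverysecret")   # constructed credentials
    register_hashed("Pogzie", "veryverysecret")
    print("verify ok:", verify_hashed("Pogzie", "veryverysecret"))
    print("gateway can log in using plaintext store:", recover_for_upstream_login("Pogzie") is not None)
    print("thief sees:", what_a_thief_sees())
```

The hashed store is the right design for a site that only needs to check your password against its own login form. An SMS gateway that replays your password to a third party is a different animal: whatever it stores must be reversible, so its database is as sensitive as the passwords themselves.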
II. Safety of Sent SMS

Recently, the GSM cipher got cracked. This means that communication sent through SMS, or even calls, could be hijacked. More info can be found in this link, but be warned, this is not for the faint of heart.

On an additional note, there exist SIM card programming tools which one could use to easily tamper with a SIM card. Scarily enough, this could lead to illegal number cloning. Tools such as these are freely sold on the internet; while it takes a certain skill to make use of them, we could say that it is possible.

Ever wonder why postpaid subscribers can get another SIM card with the same number if they lost their phone or their SIM? Simple: the telcos just program a SIM with your number. Honestly, there are lots of ways you could snoop into people's SMS, but all of these are illegal (without the user's and probably the telco's consent). Another news item about this can be found here.

In summary, I've modified the diagram to depict the additional vulnerabilities in the current setup.

Again, the additional vulnerable areas include:
  • Security of sent SMS (is someone snooping on your outbound SMS?)
  • Security of received SMS (is someone snooping on the GSM module/phone SMS?)

This might be too complex for the average Joe to pull off, but it is possible.

III. Probable Solution and Alternatives

So I've presented the issues with using these services, and you might all be wondering: what can we do about this?

Simple. SMS to email.

Why? Because you won't be sending any username or password.

How? Sign up for (, Posterous (, or any social networking posting aggregator. Then find a simple SMS-to-email service like Chikka txt2mail ( or FastMail from (.

How do I post? The SMS-to-email service does that. Send an email through SMS to your or Posterous secret posting address.

Your SMS would probably look like: this is my status update

You're just sending an email through SMS to a service which then posts to your social networking sites. Even if they snoop on your SMS messages, all they will see is the email posting address (which you could change easily if you feel that it has been compromised).

But it charges an outrageous PHP 2.50 for every SMS sent as an email! Sadly, yes. This is where those existing services could come in. It's a simple modification to their system. All they need to do is write a simple PHP (or any programming language they like) mailer script which parses the SMS into two parts: everything before the first space is the email address, the rest is the content. Then it sends the email to the recipient address. If they are using those GSM module set-top boxes, perhaps it's already built in.

sms -> sms gateway -> convert to email -> send to posting address

Heck, if they're interested, I'd be willing to help them modify their system.

But as of now, services like those asking for my password? No thanks. Maybe others would think of it as: "It's just (insert social networking site here). Why would anyone want to hack my account?" You might want to look at how much information is posted on your account. You might reconsider. Identity theft, anyone?
