Friday, April 23, 2010

SMS and Social Networks

For several months, ive been looking for a secure way of updating my status messages through SMS. Though there has been several options, ive considered their approach to be significantly flawed. As my friend started posting his updates through sms, I checked the website on how they go about updating your status. I find it very alarming and perhaps, its a good time to share my thoughts as an IT professional.

I. Existing Services and Their Flaws

Ok, first in my list is the one recently subscribed to by my friend. @tweetitow (http://tweetitow.com) Ive looked at how I could subscribe and guess what welcomed me:

I already have a twitter account. Now, how can I register to @tweetitow?

Simply text/send from your mobile phone your twitter username and password in this following format:

REG tweetitow veryverysecret

to following gateway numbers:

Globe/TM users: 09273389183

Smart/TNT users: 0918-419-4904

Sun users: 0923-986-0673
Text your password? When they get your password in PLAIN TEXT in perhaps some makeshift SMS gateway (perhaps a phone with a data cable hooked up in a computer), what do they do with it? Store it in plain text in a database? What if someone in their team wanted to see what the password of Pogzie is.. If its in plain text.. Imagine you have a whole database of accounts stored in plain text? Thats scary. Well, lets hope they encode it before saving it to the database.

Second is the all popular phPlurk (http://phplurk.com/node/2)

Then again, im welcomed with this:
To update your timeline using sms/text, you need to *register your plurk account to the gateway*.

To register, send:

* PREG [username] [password]
It presents the same security issue found above. How are the passwords saved? This time, I would emphasize on the SMS gateway itself. How secure is their server room (or house/office/what have you)? What if someone was crazy enough to steal their SMS gateway.. A mobile phone containing some, if not all, messages with your username and passwords. Ouch.

The third one is iSip.ph (http://isip.ph/)

I failed to get an account since their registration is already closed, but perhaps it employs the same technique as the sites mentioned above.

In summary, this diagram shows vulnerable points in the implementation of these services.


Possible vulnerabilities are pointed out by the lightning. The problematic area are as follows:
  • Security of the SMS Gateway (can I just pull it out and runaway with it?)
  • How are the passwords stored in the database (plaintext? md5? sha-1?)
  • Security of the computer/server (can I unplug the machine and run away with it?)
  • How many people has access to the computer/server (Bob left the machine at the office, after office hours, Alice used it and opened the database)
II. Safety of Sent SMS

Recently, the GSM cipher just got cracked. This means that communication sent through sms or even calls could be easily hijacked. More info could be found in this link but be warned, this is not for the faint of heart.

In an additional note, there exists SIM card programming tools which one could use to easily tamper the SIM card. Scary enough, this could lead to illegal number cloning. Tools such as this are freely sold on the internet, while it takes certain skill to make use of these tools, we could say that it is possible.

Ever wonder why post paid subscribers can get another SIM card with the same number if one lost their phone or their SIM? Simple, the telcos just program a SIM with your number. Honestly, there are lots of ways you could snoop into peoples SMS but all of these are illegal (without the users and probably the telcos consent). Another news about this could be found here.


In summary, ive modified the diagram to depict additional vulnerabilities with the current setup.

Again, additional vulnerable areas include:
  • Security of sent SMS (is someone snooping on your outbound SMS?)
  • Security of received SMS (is someone snooping on the GSM module/phone SMS?)
This might be too complex for the average Joe to pull out but it is possible.

III. Probable Solution and Alternatives

So ive presented the issues of using the service so you might all be wondering, what can we do about this?

Simple. SMS to email.

Why? Because you wont be sending any username or password.

How? Sign up for ping.fm (http://ping.fm), Posterous (http://posterous.com/) or any social networking posting aggregator. Then, find a simple SMS to email service like Chikka txt2mail (http://www.chikka.com/txt2mail/) or FastMail from Fast.ph (http://www.fast.ph/FastMail/) ..

How do I post? The SMS to email does that. Send an email through SMS to your ping.fm or Posterous secret posting address.

Your SMS would probably look like:
mypostingaddress@ping.fm this is my status update
You're just sending an email through SMS to a service which then posts to your social networking sites. Even if they snoop on your SMS messages, all they will see is the email (which you could change easily if you feel that it has been compromised).

But it charges an outrageous 2.50php for every SMS sent as an email! Sadly, yes. This is where those existing services would come in. Its a simple modification to their system. All they need to do is write a simple PHP (or any programming language they like) mailer script which parses the SMS into two. Everything before the first space is the email, the rest is the content. And then sends the email to the recipient address. If they are using those GSM module set top boxes, perhaps its already built in.


sms -> sms gateway -> convert to email -> send to posting address

Heck, if they're interested, id be willing to help them modify their system.

But as of now, services like those asking for my password? .. No thanks. Maybe others would think of it as: "Its just (insert social networking site here).. Why would one want to hack my account?" .. You might want to look at how much information is posted on your account.. You might reconsider. Identity theft anyone?

No comments:

Post a Comment