Skip to main content

SMS and Social Networks

For several months, ive been looking for a secure way of updating my status messages through SMS. Though there has been several options, ive considered their approach to be significantly flawed. As my friend started posting his updates through sms, I checked the website on how they go about updating your status. I find it very alarming and perhaps, its a good time to share my thoughts as an IT professional.

I. Existing Services and Their Flaws

Ok, first in my list is the one recently subscribed to by my friend. @tweetitow ( Ive looked at how I could subscribe and guess what welcomed me:

I already have a twitter account. Now, how can I register to @tweetitow?

Simply text/send from your mobile phone your twitter username and password in this following format:

REG tweetitow veryverysecret

to following gateway numbers:

Globe/TM users: 09273389183

Smart/TNT users: 0918-419-4904

Sun users: 0923-986-0673
Text your password? When they get your password in PLAIN TEXT in perhaps some makeshift SMS gateway (perhaps a phone with a data cable hooked up in a computer), what do they do with it? Store it in plain text in a database? What if someone in their team wanted to see what the password of Pogzie is.. If its in plain text.. Imagine you have a whole database of accounts stored in plain text? Thats scary. Well, lets hope they encode it before saving it to the database.

Second is the all popular phPlurk (

Then again, im welcomed with this:
To update your timeline using sms/text, you need to *register your plurk account to the gateway*.

To register, send:

* PREG [username] [password]
It presents the same security issue found above. How are the passwords saved? This time, I would emphasize on the SMS gateway itself. How secure is their server room (or house/office/what have you)? What if someone was crazy enough to steal their SMS gateway.. A mobile phone containing some, if not all, messages with your username and passwords. Ouch.

The third one is (

I failed to get an account since their registration is already closed, but perhaps it employs the same technique as the sites mentioned above.

In summary, this diagram shows vulnerable points in the implementation of these services.

Possible vulnerabilities are pointed out by the lightning. The problematic area are as follows:
  • Security of the SMS Gateway (can I just pull it out and runaway with it?)
  • How are the passwords stored in the database (plaintext? md5? sha-1?)
  • Security of the computer/server (can I unplug the machine and run away with it?)
  • How many people has access to the computer/server (Bob left the machine at the office, after office hours, Alice used it and opened the database)
II. Safety of Sent SMS

Recently, the GSM cipher just got cracked. This means that communication sent through sms or even calls could be easily hijacked. More info could be found in this link but be warned, this is not for the faint of heart.

In an additional note, there exists SIM card programming tools which one could use to easily tamper the SIM card. Scary enough, this could lead to illegal number cloning. Tools such as this are freely sold on the internet, while it takes certain skill to make use of these tools, we could say that it is possible.

Ever wonder why post paid subscribers can get another SIM card with the same number if one lost their phone or their SIM? Simple, the telcos just program a SIM with your number. Honestly, there are lots of ways you could snoop into peoples SMS but all of these are illegal (without the users and probably the telcos consent). Another news about this could be found here.

In summary, ive modified the diagram to depict additional vulnerabilities with the current setup.

Again, additional vulnerable areas include:
  • Security of sent SMS (is someone snooping on your outbound SMS?)
  • Security of received SMS (is someone snooping on the GSM module/phone SMS?)
This might be too complex for the average Joe to pull out but it is possible.

III. Probable Solution and Alternatives

So ive presented the issues of using the service so you might all be wondering, what can we do about this?

Simple. SMS to email.

Why? Because you wont be sending any username or password.

How? Sign up for (, Posterous ( or any social networking posting aggregator. Then, find a simple SMS to email service like Chikka txt2mail ( or FastMail from ( ..

How do I post? The SMS to email does that. Send an email through SMS to your or Posterous secret posting address.

Your SMS would probably look like: this is my status update
You're just sending an email through SMS to a service which then posts to your social networking sites. Even if they snoop on your SMS messages, all they will see is the email (which you could change easily if you feel that it has been compromised).

But it charges an outrageous 2.50php for every SMS sent as an email! Sadly, yes. This is where those existing services would come in. Its a simple modification to their system. All they need to do is write a simple PHP (or any programming language they like) mailer script which parses the SMS into two. Everything before the first space is the email, the rest is the content. And then sends the email to the recipient address. If they are using those GSM module set top boxes, perhaps its already built in.

sms -> sms gateway -> convert to email -> send to posting address

Heck, if they're interested, id be willing to help them modify their system.

But as of now, services like those asking for my password? .. No thanks. Maybe others would think of it as: "Its just (insert social networking site here).. Why would one want to hack my account?" .. You might want to look at how much information is posted on your account.. You might reconsider. Identity theft anyone?


Popular posts from this blog

Self Signed SSL Certificates

Ever wondered how to enable SSL or HTTPS on your site? If you dont want to pay for commercial SSL certificates, you could create self signed certificates for your site by following the instructions here: The instructions in the site above will make your default site HTTPS enabled. If you prefer having a commercial SSL, save your certificate files and key files in your server and edit the location on the /etc/apache2/sites-enabled/default to point to the directory where you stored those files.

Moving to a New Linux Web Based Torrent Client

For years, I have been using TorrentFlux (url here) as my primary torrent client situated in my Ubuntu download server. But as time went on, the developers completely abandoned the development of TorrentFlux which led to several forks which I think is still insufficient for my needs. Main GUI of TorrentFlux Ive checked several options which runs on a GUI-less environment. Since my Ubuntu server is just running on command line to save precious memory, I needed something bare, simple and is packed with features. Installing uTorrent Server is pretty straight forward. Download. Uncompress. Run. This is better than the approach of TorrentFlux which you need to setup LAMP server and create a database. More often than not, it happens to me that some of the data in the DB gets corrupted. I normally just reinstall the whole thing again. Main GUI of uTorrent Server To further elaborate on the setup process, I've gotten an excerpt from this thread which, quite simply discusses ho

iPhone 4 Carrier Unlock Finally Here

The wonderful people of iPhone-dev Team (or I think they're called just DevTeam now) has realeased their iPhone 4 carrier unlock. What this means is you can unlock the iPhone 4 s you've purchased from any locked countries like the U.S.(with baseband 1.59 ).  iPhone 3G and 3Gs also benefits from this release which unlocks phones with basebands 04.26.08 , 05.11.07 , 05.12.01 and 05.13.04 As an excerpt from their blog post : Version 1.0-1 of ultrasn0w works for: iPhone4 baseband 01.59 3G/3GS basebands 04.26.08, 05.11.07, 05.12.01 and 05.13.04 (If ultrasn0w doesn’t show when you search Cydia, add the repo: Quickest solution to unlock your phones is to visit which uses an exploit to jailbreak your device, and once you get the Cydia app, download (or add the repository if you havent) ultrasn0w. Restart and enjoy carrier freedom. Perhaps another implication of this with the iPhone 4 market now is that those people selling iPhone 4