SMS Security

What Cell Phone Users Must Know About SMS


Agenda
 What is SMS?
 What is MMS?
 What are the security risks of SMS?
 Methods to mitigate the risks associated with SMS
 How to protect yourself
 Questions/Discussion
What is SMS?
 SMS stands for short message service.
 SMS is texting, sending text messages or text messaging.
 Short text messages are sent from one cell phone to another
or from the Web to a cell phone.
 Including spaces, text messages traditionally can’t
exceed 160 characters.
 SMS is not a secure way of sending confidential information.
What is MMS?
 MMS (multimedia messaging service) takes SMS text
messaging a step further by allowing messages
longer than the 160-character SMS limit.
 MMS can be used to send pictures, audio, and video
from one cell phone directly to another.
 MMS is most popularly used for picture messaging
from camera-equipped phones.
Uses of SMS
 Between individuals
 Between a service provider and an individual
 Receive updates from favorite retailers and businesses
about sales and promotions.
 Receive bank account transaction alerts
 Receive utility bills such as a water bill
 Receive alerts via SMS such as power interruption from
ZESCO
 Alerts from ZAMPOST when a recipient has collected cash
sent by swift cash
Do SMS messages pose a security risk?
 SMS is the most neglected means of communication, and
also the most vulnerable to attacks.
 Unsolicited SMS messages can be very annoying and
could pose a great privacy risk to the recipient.
 With advancements in technology that supports sending
SMS messages over Internet to any user across the globe,
SMS poses a higher risk to the mobile users.
 SMS remains the most viable method for an attacker or
spammer to get their message into some unsuspecting
user’s inbox.
Types Of Attacks for SMS
 Flooding or Denial of Service (DoS)
 Distributed Denial of Service (DDoS)
 Identity Impersonation (SMS spoofing)
 SMS Phone Crashes
 Message Disclosure
 Eavesdropping
 Message Forgery and Tampering
 Message Replay
 Man-in-the-Middle Attack
 SMiShing (SMS Phishing)/Identity theft
 SMS fraud
 SMS Viruses
SMS/Text Messaging Risks
 SMS messages are sent in plain text.
 SMS messages are not encrypted by default
during transmission.
 Not encrypted - anyone who intercepts the message can read
your SMS.
 Protection for confidentiality and integrity is not
available for SMS messages.
 Never send sensitive personal information (PII) like
your NRC No. or Visa card details over SMS.
Risks
 Text messages can be intercepted in various ways.
 A SIM card can be cloned to receive all text messages sent to a number.
 Management commands can be sent to a SIM to forward all text
messages sent using the SIM to a third party.
 SMS interception devices are widely available from security
equipment vendors.
 Text message filtering
 SMS can be filtered for key words by an adversary working with
your Mobile Network Operator (MNO).
 All SMS traffic in a particular location can be intercepted.
 Filtering can be used
1) to prevent delivery of messages with a particular keyword
2) to identify senders and recipients for further surveillance.
Risks
 The MNO keeps records of all text messages sent and
received, including not just the message itself but identifying
information about the handset (the serial number of the phone
or IMEI number) and SIM card (IMSI number), the time the
message was sent, and the location of the sender or receiver.
IMSI: International Mobile Subscriber Identity (your cell phone number)
IMEI: International Mobile Equipment Identity
 The MNO records your location any time you send or receive a
text message. Text messages can also be sent silently to GSM
phones to create a record of your location, so you may not
know that you are receiving a message. Logs showing your
location can then be accessed by an adversary working with
your MNO or subpoenaed by law enforcement.
Risks
 Data stored on your phone includes text
messages you have sent and received,
and even once you have deleted them, these
messages may still be readable using readily
available forensic tools.
 Smartphone and other phone applications
may also be able to intercept text messages,
read saved messages, or send messages
without your knowledge.
Risks
 Text messaging can be shut down at critical times.
An attack on the mobile network or a service shutdown
by the MNO themselves can cut off access for all users
on a particular network or in a particular area.
 Highly publicized shutdown in Egypt, 2011
 SMS filtering in Syria
 A ban on bulk SMS services during a divisive court
case in India
 Temporary SMS shutdowns in Kazakhstan, the Congo
DRC, Côte d’Ivoire, and Iran
Risks
 The ‘SMS of death’ vulnerability, found in many phone
models, may cut off only specific users, and may be used
without the co-operation of the MNO.
 SMS Spoofing: The identity of the message sender can be
faked on some mobile networks. SMS spoofing services
are widely available online, although networks are
increasingly taking precautions to prevent this.
An adversary who obtains the physical SIM or a
cloned copy from someone can impersonate them, as can
a technically sophisticated adversary able to send valid SIM
management commands.
 You should confirm the sender of a text message using another
mode of communication if its content seems out of character.


Risks
 There are no reports of viruses being attached to short
messages, but as mobile phones are getting
more powerful and programmable, the
potential of viruses being spread through
SMS is becoming greater.
 The ability of SIM application toolkits to let
applications access the dialing functions
and phone contacts might make SMS a suitable
platform for spreading self-replicating viruses.
Final Risk
 Accidents
Cell phones and texting distract drivers, putting
them at greater risk of an accident.
DO NOT DRIVE AND SEND/READ SMS OR
USE A CELL PHONE.
ALWAYS PARK TO USE A MOBILE PHONE.

Business Mobile Messaging Security

 If you are a business using SMS text message
marketing to reach your customers:
 Provide customers with the highest level of
security by choosing an SMS text messaging
service that provides the highest levels of SMS
security.
 Ask your provider what kind of SMS security
they provide to you and to your potential mobile
marketing customers.
SMS SECURITY CONSIDERATIONS

To avoid security threats to SMS, users are advised
to take the following common precautions:
Message Transmission

 When sending SMS messages via a web browser, security protection
must prevent message disclosure during transmission.
 For those applications that require secure transmission of a
message, such as mobile banking, end-to-end encryption is
advisable between the sender and the recipient.
 Transactional systems should have end-to-end security built in.
 For person-to-person communications, products such as
CryptoSMS12 are available to help users encrypt SMS
communications using strong encryption algorithms.
• This can help protect against possible SMS interception threats.
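An added example (not part of the original slides) of one building block of the end-to-end protection advised above: a transactional alert carries a counter and a truncated HMAC tag so the recipient's application can detect the forgery, tampering and replay attacks listed earlier, while still fitting the 160-character limit. The shared key, message layout and function names are assumptions made for illustration; the text itself still travels unencrypted, so this adds integrity, not confidentiality.

```python
import base64
import hashlib
import hmac

SMS_LIMIT = 160  # single-message character limit stated on the slides
TAG_BYTES = 10   # HMAC-SHA256 truncated to 80 bits -> 16 base32 characters


def _tag(key: bytes, counter: int, text: str) -> str:
    """Tag covers both the counter and the text, so neither can be altered."""
    mac = hmac.new(key, f"{counter}|{text}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:TAG_BYTES]).decode()


def protect(key: bytes, counter: int, text: str) -> str:
    """Sender side: build 'text|counter|tag' (hypothetical layout)."""
    sms = f"{text}|{counter}|{_tag(key, counter, text)}"
    if len(sms) > SMS_LIMIT:
        raise ValueError("protected message does not fit in one SMS")
    return sms


class Receiver:
    """Recipient side: accept only a valid tag with a counter not seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, sms: str) -> str:
        try:
            text, counter_str, tag = sms.rsplit("|", 2)
            counter = int(counter_str)
        except ValueError:
            return "rejected: malformed"
        expected = _tag(self.key, counter, text)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: forged or tampered"
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        return "accepted"


# Constructed sample data: a demo key and a made-up bank alert.
KEY = b"demo-key-agreed-out-of-band"
ALERT = protect(KEY, 1, "Acct ****1234 debited K500.00")
```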

Storage Protection

 Customer mobile phone contact lists should be
kept confidential and properly protected from
disclosure.
 As contact lists are considered personal data,
proper protection should be implemented in
accordance with privacy laws and regulations.
User authentication

 User login IDs and passwords should be used
to authenticate users on web-based SMS
services when sending short messages.
 User login IDs and passwords should not be
disclosed to others.
 For secure transactions, user authentication
should be protected by SSL.
Protection of PCs for sending messages

 When sending short messages to an SMS
gateway via the Internet, it is not advisable to use
a public Internet computer.
 If desktop utilities are used to send out SMS
messages, the PC used to send the messages
should not be left unattended.
Protect Yourself
 Keep the content of your messages to a
minimum; expect that it can be read by anybody.
 The reader will know the date and time it was sent.
 The reader will know the location of the sender.
 Use text messaging from a basic phone and not a
phone with other apps.
 Set SMS storage to very low or none.
 Turn off the option to save sent messages.
 Delete messages regularly.
Protect Yourself
 Consider using an encrypted messaging app instead of SMS.
Many of these apps require a data connection, and you will
need a phone on which apps can be installed.
 Which one works for you will depend on your phone’s
operating system.
 Note that many encrypted messaging apps require that both the
sender and receiver use the same application (and therefore the
same kind of phone), so this strategy probably works best for small
group communications.
Protect Yourself
 Use pre-arranged codes to communicate
sensitive information with your contacts.
Change your codes regularly.

 Avoid words that could be considered “high
profile” or inflammatory if you suspect
keyword filtering of SMS is taking place.
Protect Yourself
 If you are setting up an SMS messaging system
for mass-texting SMS to recipients, make sure
your servers and infrastructure are secure.

 If you are sending SMSs to a system run by
another organization, evaluate their security
precautions as best as you can, and especially
check how they plan to share your data.
Protect Yourself
 Delete messages, photos/videos, and call records to deter
an unsophisticated attacker, but remember that deleted
data can sometimes be recovered from the phone.
 Don’t use the phone book if you can keep numbers in a
safe place without it.
Don’t store numbers and names together.
 Do not use explicitly identifying information for contacts,
including names, nicknames, or contact icons/pictures.
 Check the settings on the phone to see if it can be set to
NOT store call logs and outgoing SMS.
Protect Yourself
 If you have a smartphone, enable remote wipe.
 This allows you to remotely erase data on the phone if it is
stolen or lost.
 You will need to download an application and/or
configure remote wipe through an online service.
Protect Yourself
 Lock your phone using various available
options to block calls and physical access.
 Always use removable memory/external
storage for sensitive media and data, and
remove it whenever the phone is not with you

 Mobile phone numbers must only be given to
trusted people who must be advised not to
share them without your consent.
Text Message Interceptors
 Be aware that there are text message spy apps
that can be installed on one’s phone and can
offer the following features:
 Call logging – Sent and Received calls
 Cell Phone GPS Tracking
 Picture Logging
 Email Interception
 Task recording and Calendar logging
 Internet web sites visited Logging (URL only)
 The solution is to limit physical access to your phone and do
Summary
 SMS is not a secure way of sending information
 SMS can be intercepted during transmission
 SMS can be sent from a computer to a phone
 Unsolicited SMS messages can be received
 Remote wipe of a phone is possible if it is lost
 Mobile phone numbers must only be given to
trusted people
 Text interceptors exist that can invade your privacy
Questions? Comments?
