Professional Documents
Culture Documents
SMS Viruses
SMS/Text Messaging Risks
SMS messages are sent in plain text.
SMS messages are not encrypted by default
during transmission.
Not encrypted - anyone who intercepts the message can read
your SMS.
Protection for confidentiality and integrity is not
available for SMS messages.
Never send sensitive personal information (PII) like
your NRC No. or Visa card details over SMS 8
Risks
Text messages can be intercepted in various ways.
SIM card can be cloned to receive all text messages sent to a Number
Management commands can be sent to a SIM to forward all text
messages sent using the SIM to a third party,
SMS interception devices are widely available from security
equipment vendors.
Text messages Filtering
SMS can be filtered for key words by an adversary working with
your Mobile Network Operator (MNO)
All SMS traffic in a particular location can be intercepted
Filtering can be used
1) to prevent delivery of messages with a particular keyword
2) to identify senders and recipients for further surveillance. 9
Risks
MNO keeps records of all text messages sent and
received, including not just the message itself but identifying
information about the handset (the serial number of the phone
or IMEI number) and SIM card (IMSI number), the time the
message was sent, and the location of the sender or receiver.
IMSI: International Mobile Subscriber Identity- (your cell phone number)
IMEI: International Mobile Equipment Identity
MNO records your location any time you send or receive a
text message. Text messages can also be sent silently to GSM
phones to create a record of your location, so you may not
know that you are receiving a message. Logs showing your
location can then be accessed by and adversary working with
10
your MNO or subpoenaed by law enforcement.
Risks
Data stored on your phone includes text
messages you have sent and received -
and even once you deleted them, these
messages may still be readable using readily
available forensic tools.
Smartphone and other phone applications
may also be able to intercept text messages,
read saved messages, or send messages
without your knowledge. 11
Risks
Text messaging can be shut down at critical times.
An attack on the mobile network or a service shutdown
by the MNO themselves can cut off access for all users
on a particular network or in a particular area.
Highly publicized shutdown in Egypt, 2011
SMS filtering in Syria,
A ban on bulk SMS services during a divisive court
case in India,
Temporary SMS shutdowns in Kazakstan, the Congo
DRC, Cote d’Ivoire, and Iran. 12
Risks
‘SMS of death’ vulnerability found in many phone
models, may cut off only specific users, and may be used
without the co-operation of the MNO.
SMS Spoofing: The identity of the message sender can be
faked on some mobile networks. SMS spoofing services
are widely available online, although networks are
increasingly taking precautions to prevent this.
An adversary who obtains the physical SIM or a
cloned copy from someone can impersonate them, as can
a technically sophisticated adversary able to send valid SIM
management commands.
You should confirm the sender of a text message using another13
15
Business Mobile Messaging Security
17
Message Transmission
18
Storage Protection
19
User authentication
21
Protect Yourself
Keep the content of your messages to a
minimum, expect that it can be read by any body
reader will know the date and time it was sent
reader will know the location of the sender.
Use text messaging from a basic phone and not a
phone with other apps.
Set SMS storage to very low or none.
Turn off the option to save sent messages.
Delete messages regularly. 22
Protect Yourself
Consider using an encrypted messaging app instead of SMS.
Many of these apps require a data connection, and you will
need a phone on which apps can be installed.
Which one works for you will depend on your phone’s
operating system.
Note that many encrypted messaging apps require that both the
sender and receiver use the same application (and therefore the
same kind of phone), so this strategy probably works best for small
group communications
23
Protect Yourself
Use pre-arranged codes to communicate
sensitive information with your contacts.
Change your codes regularly.
24
Protect Yourself
If you are setting up an SMS messaging system
for mass-texting SMS to recipients, make sure
your servers and infrastructure are secure.
27
Protect Yourself
Lock your phone using various available
options to block calls and physical access.
Always use removable memory/external
storage for sensitive media and data, and
remove it whenever the phone is not with you
31