Bulk Text Messaging

This seems very worrisome:

Federal regulators approved a plan on Wednesday to create a nationwide emergency alert system using text messages delivered to cellphones.

The real question is whether the benefits outweigh the risks. I could certainly imagine scenarios where getting short text messages out to everyone in a particular geographic area is a good thing, but I can also imagine the hacking possibilities.

And once this system is developed for emergency use, can a bulk SMS business be far behind?

Posted on April 11, 2008 at 6:22 AM • 54 Comments

Comments

GrahamApril 11, 2008 7:01 AM

The obvious problem that jumps out to me over this plan is one that a lot of people just don't consider when they think about SMS. It is not guaranteed to be delivered to the user in a timely manner - or at all if the networks can't manage to do so for whatever reason. There is no guarantee that these "alert text messages" are actually going to be recieved by the people they are being sent to in time to actually be of any use to them.

JeroenApril 11, 2008 7:18 AM

In the Netherlands, crime investistigators sometimes send a text message to all mobile phones that were in the area when a crime was committed to find witnesses. Apparently, this has helped in solving at least some crimes.

Also, mobile phones that are reported stolen receive an SMS saying "This phone was stolen" every few minutes.

Tremaine LeaApril 11, 2008 7:21 AM

Bulk SMS is already a reality today.

@Graham - actually it depends on the level of SMS service you have with your provider. There are 3 levels with very different SLA's - ie, blackberry to blackberry communications on the same network are at the highest level, whereas sms messages between disparate devices on different network tends to be bottom of the pile.

VickiApril 11, 2008 7:25 AM

It's likely to produce the same sort of "but I told you that" that now comes from "I sent you email, I assumed you'd read it" [even if, say, they sent it to someone's work address on the weekend, or to an address that has consistently not gotten acknowledgements in recent months]. Of course, I live in a city where, mornings and evenings, hundreds of thousands of people aren't reachable by cell phone, because the subway system isn't wired and signals slip in only sporadically.

bobApril 11, 2008 7:30 AM

I dont text. Yet I have received 3 text messages already this year; all spam, so commercial is already here.

Martin PaljakApril 11, 2008 7:34 AM

Last year, when Estonia had the riots and almost famous cyber-war, all operators (3 of them in Estonia) sent out a SMS to their subscribers telling 'The government of Estonia asks you to not follow the provocation and stay home'. I still have the message just because it felt funny and strange and is a good memory of the event. Especially because I work in mobile messaging business.

Taking the ubiquity of mobile phones and the popularity of SMS messages especially in the younger generation, I definitely see this as a good communication method.

About hackability: once I accidentally sent during a testing session 500 messages to my girlfriend with the content 'testing testing 123'. She was not pleased. I don't see how such a system would be more hackable than a generic SMS connection and a wrong-minded person abusing it. Real abuse requires access to operators infrastructure that give personal information such as location and other subscriber specific data.

bobApril 11, 2008 7:40 AM

Hopefully there will be a way to opt-out. I dont need another colored m&m chart or "there is no tornado right now" siren.

alexApril 11, 2008 7:42 AM

In addition to Jeroen: in some cities in the Netherlands you can also voluntarily provide your cell phone number to get text messages from the police for alerts in your neighborhood.

I think such a targeted approach is a good thing.

As regards the hacking possibilities: the technique os sending bulk sms was there before; so were the hacking possibilities. That does not change as result of the legitimate use.

Matthew SchinckelApril 11, 2008 7:43 AM

The big problem with bulk SMS, AFAIK in the US, is that it is recipient pays. Here in Australia, it is sender pays, so bulk SMS is not as big of an issue.

They are still annoying, but they are less common than, say, bulk email, because whilst the cost is not that much, it is still there. 1,000,000 X 1c is still $10,000 after all.

Scott KApril 11, 2008 7:44 AM

I was under the impression that cell phones (voice or txt) were off-limits for spam because most plans are not unlimited-voice-and/or-data. (The only spam we get on our Verizon phones are from Verizon, and free. But still annoying.)

GaryApril 11, 2008 7:50 AM

If done where each cell tower has the ability to SMS and/or Call each handset communicating with it when an EBS is broadcast I think it could work and be a good thing. If it takes the tack of current SMS/Cell/Phone alerting services it's worth little for timely notification. (It's not worthless, recent University emergencies like the one we had here at UIowa a few weeks ago were mostly successful, even if they suffer from a lack of timelyness)

Michael JankeApril 11, 2008 7:58 AM

Over-use of a system like this carries with it the possibility of turning it into something like our current siren based severe weather alerts. Around here the sirens go off over a broad area at the slightest hint of bad weather. The result is that we hear sirens that are not accompanied by bad weather often enough that we mostly ignore all alerts.

A text based messaging system could end up with the same problem.

ChrisApril 11, 2008 8:10 AM

We, and many other universities, actually pay for a service like this. There are a number of providers and they offer things like the ability to text back to make sure you got it or sending out phone messages in addition.

We use a company called Mir3, but there are many others.

Angel oneApril 11, 2008 8:11 AM

not to get to repetitive, but judging from the amount of spam text messages I get, I'm guessing someone already figured out how to do bulk SMS.

Now here's the question - due to the spam text messages, and the fact that no one I know has ever sent me a real text message, I had text messaging blocked. Would the emergency messages get past this block? If so, how long will it take spammers to figure it out?

&rwApril 11, 2008 8:14 AM

I think the biggest problem will be fake alerts, because there's no proper way of verifying the sender.

Peter GalbavyApril 11, 2008 8:14 AM

As someone who worked on the infrastructure side for a bul SMS company in the early part of this decade I can safely say that it is already here (in the UK). It is already in the US too, as a large part of our business was moving in that direction.

The problems on the technology side, (setting aside for the moment the issues of receiver-pays, sender-pays, SPAM and all that) is that the original networks don't cope well with high volume traffic. SMS in it's native form is carried as part of the out-of-band SS7 signalling and one of the challenges is sizing those channels right between SMSCs (message centres, equivalent to mail relays) and tghe rest of the GSM network. Of course in the last 4 years there may well have been major changes in the infrastructure, but I very much doubt it - especially given the tiny margin nature of the beast.

SteveApril 11, 2008 8:24 AM

Here in the San Diego area, we have a "reverse 911", where emergency services calls you. It worked very well in our fire situation back last October 2007. It's an excellent method for getting the word out.

As Chris pointed out above, many universities have this system -- UCSD, where I work, has it and it seems to work well.

I can't speak about SMS spam because I'm probably one of the few remaining humans without a cell phone.

vwmApril 11, 2008 8:33 AM

Here in Germany, I frequently receive spam via Cell-Phone. This includes calls with recorded messages (about 3-5 times a month), SMS (about 3-5 in the last year) , even one strange WAP Bookmark I did not even know my phone was capable to receive.

According to media reports, the calls often originate from hacked Asterisk servers - so the sender needs not to worry about costs of the phone calls.

I guess most of the Spam-SMS are sent by hijacked servers as well.

I don't think it is to likely that such an emergency system will be hacked; but I expect spam claiming to be an emergency message and luring the recipient into some action like calling an Premium-rate telephone number or browse to an specific web side.

RoyApril 11, 2008 9:24 AM

Every place I've ever worked where there was a PA system, there would be some idiot whose idea of a good time was to bore everybody else with announcements he thought were important, and he needed to do this often throughout the working day. The only defense was to disconnect the speakers or turn the volume all the way down, effectively sabotaging the system and making it unusable in a genuine emergency.

If the US starts a nation-wide text-messaging service and a million idiots get authorized to initiate message broadcasts, countermeasures will be needed to shut these people up, but will also render the system useless in emergencies.

That's just the asshats. What will the blackhats dream up?

JApril 11, 2008 9:41 AM

From reading the consumerist.com, I have a high degree of trust that the phone companies *will* mess up the billing too.

shoobe01April 11, 2008 9:42 AM

Oh! The PA comment reminds me of a lovely hack to avoid this a friend of mine did recently. While poking around the server he found a .wav file. Its the "dong" tone that a page is coming. So he replaced it with a very long, annoying Christmas song (just name your file and put it in the right place. You are now free to page, but only after a 4.5 minute delay.

Worked great.

ShaneApril 11, 2008 9:59 AM

@SPAM

That's odd, because I've had cellphone service w/ text capability since nearly 2001, with three major carriers, and I've never once received a spam text message.

bobApril 11, 2008 10:03 AM

@Steve: Good point; along with the sirens that go off when there is NOT a tornado, we also have a system where 3 days after an emergency it eventually auto-phones to tell you not to have been drinking the water for the 2 days prior to today.

spongeworthyApril 11, 2008 10:21 AM

@alex:

The hacking possibilities come in where someone hacks the SMS system and sends out a page that says "Hostage situation at Alex's house. " or "Sexual predator tracked down to Alex's house." Coming from an "authoritative" source such as is being proposed can (and probably will) lead to all kinds of mischief.

False DataApril 11, 2008 11:01 AM

I don't know what everyone's so worried about. The obvious solution to text spam is a national "do not text" list. The national "do not call" list we're on works like a charm, just like I was explaining to that junk caller last night . . .

RJApril 11, 2008 12:09 PM

San Francisco introduced emergency text/SMS alerts last year.

In one's profile you can specify which zip codes or locations of the city you want to be alerted about and the alerts that have been sent out have been helpful.

Fortunately no spam. Yet.

More info:
http://alertsf.com/

MikeApril 11, 2008 12:36 PM

Movie plot hack of this system.

Build a bomb attached to a cell phone triggered by a SMS message. Phone in a bomb threat. Wait for the authorities to send out a SMS alert that there is a bomb threat. Watch bomb go boom. Should be a great plot for a movie!

AaronApril 11, 2008 12:57 PM

Yeah, I don't get spam texts on my phone. I thought I was for a while, but then I learned it was just my mother not understanding how her phone worked and sending me about 20 blank text messages every half hour.

I wouldn't worry about billing or the speed of delivery. This is the government behind it, they can (and probably would) pay for it, and pay the companies to deliver the messages quickly.

A bigger issue, I think, is that the majority of people I know don't check the text messages they get because they don't use text messages and they'll be damned if they're going to pay for receiving one. Even if a government-sponsored message is free, a person receiving a text can't tell who it's from until they open it.

Basically, the phone companies are a whole bunch of douchegobblers when it comes to text messaging and need to quit it. I am so full of hate.

Noble_SerfApril 11, 2008 1:49 PM

In the Philippines for sure, and from memory, other developing countries, bulk text messages are used to start rumors and stir up political trouble.

I'd hate to see them used as targeted misinformation in rumor-dependant US populations where bad news travels fastest by text message.

PJApril 11, 2008 4:34 PM

Wow, makes me glad I'm getting an open-source phone so I can put a spamfilter on my 'SMS-box'.
How long until all my interactions are mediated by whitelists?

Jan SchejbalApril 11, 2008 6:12 PM

As far as I know, such a system was considered for implementation in Germany many years ago - and rejected because the cell phone networks are unable to reliably deliver these messages.

FrankApril 11, 2008 6:39 PM

This situation strikes me as parallel to IPv4 and e-mail. Like SMS, SMTP was not implemented with reliability or security in mind, yet convenience has overtaken security, and now e-mail (and the web) is used for online transactions and banking. Security has been "tacked on" as an afterthought. The missing factor of inherent security is directly related to phishing, spam, other sorts of fraud and the exponential increase in identity theft. The SMS issue appears to be the same to me: creating emergency and security processes which depend on a system with no security or reliability. This will be the weak link in the security chain, and will become another avenue to commit more fraud, spam, other crime etc. Human nature will lead people to think that an emergency notification system must somehow be reliable and secure - after all, it's silly to think such a system would be unreliable, and people are trusting by nature. That's how it happened before, is happening now, and will happen again.

Chris SamuelApril 11, 2008 10:58 PM

Bulk SMS systems already have been hacked.

In February 2007 Connex, the train operator here in Melbourne (Australia) had their system for sending alerts about late and cancelled trains subverted to send a vaguely threatening SMS to all its users.

http://www.csamuel.org/2007/02/23/connexs-sms-service-hacked

A Connex spokesman said "All they were able to do was to hack in and act as though they were a staff member doing a remote access to send a message to subscribes." (sic) Very reassuring.. :-)

CipherChaosApril 12, 2008 2:38 AM

Spam in email is annoying.

Spam in SMS costs money.

I'd love to be able to reverse charges for spammers. Sure, it won't happen, but still...

Nomen PublicusApril 12, 2008 3:11 AM

In the unlikely event that the missing child was abducted, the SMS message would almost certainly be received by the bad guy and warn him to get rid of the evidence as quickly as possible.

Dr. StrangeloveApril 12, 2008 6:13 AM

Some counties and several insurance companies in Germany provide SMS based warning systems for house owners (and others) to send out flood warnings etc. This system was and is a great success (it definitely saved the home of a friend of mine). This is certainly more efficient than having sqad cars patrolling the streets with loudspeakers when those police officers are needed elsewhere.

On the other hand, large scale warning systems have to be handled with kid's gloves, especally considering the number of different (native) languages the recipients speak in the USA. Any exaggerated or misunderstood message could easily cause widespread panic.

C The SoupApril 12, 2008 9:04 AM

Why are people worried about the cost? The FCC would mandate that carriers allow state and federal government to be able to send emergency messages on their network just as they mandate that TV broadcasters must allow emergency broadcasts on their system.

Also, those who argue about guaranteed delivery don't realize that other forms of emergency notification are not guaranteed delivery to all residents. I may be sitting at home with the TV and radio off, listening to my fruit-brand MP3 player oblivious to the emergency notifications on TV, radio and the sirens.

C The SoupApril 12, 2008 9:09 AM

@ Nomen: I think the bad guy realizes he's committed a crime, and that someone is missing a child. An SMS message isn't going to suddenly clue him in on his situation. I also doubt that a bad guy in the process of an abduction is really paying much attention to his SMS messages. He's got other things on his mind...

While we're at it, let's stop all amber alerts, get rid of wanted posters, and stop mentioning crimes on the news... just in case the "perp" is tuning in...

CipherChaosApril 12, 2008 10:14 AM

@Nomen & @C

While I think C's interpretation is more likely, I think Nomen's view deserves a look - if only because savvy criminals have been known to use police scanners in the past.

Knowledge is power - and smart criminals know that, just as well as smart law-abiding citizens.

JananthaApril 12, 2008 10:28 AM

Its already implemented in Sri lanka as part of the CAP (Common Alert Protocol) for Tsunami Early Warning system.. and it works! :) thought US was ahead on this but I guess there not!

DaveCApril 13, 2008 6:55 PM

GSM does, or used to have, a little-known SMS "cell broadcast" mode where the same message could be delivered to any phone logged on to a given cell (tower) - compare with UDP multicast. It allows for a few hundred channel ids, and you could choose what to subscribe to using a menu on your phone.

Some UK networks used this in the late 80's and early 90's to deliver local news headlines and traffic alerts, plus defining which area codes constituted a "local call" for phones on plans where long distance had a different rate - the phones for those rate plans would show the relevant area codes in a row of smaller digits at the bottom of the screen (remember, 1990, no colour iPhones then :-)

I moved to the USA in 1998 and have never seen cell broadcast used here.

http://en.wikipedia.org/wiki/Cell_Broadcast

DaveCApril 13, 2008 7:00 PM

P.S. I currently have a Motorola RAZR v1 on T-Mobile USA, and the software load supplied by T-Mobile (which they patch about once every 2 weeks by download) does not even include menu options for setting cell broadcast subscriptions.

GingihanApril 13, 2008 11:36 PM

The plus side of SMS is that this kind of message lingers on on the recipients phone.
Any public system that relies on voice calls risks missing the times when a user is unavailable.
Akban teams participating in anual desert events leave SMS messages to each other and these are collected, even after days, when a team is on a mountain top and can receive signal.

The only improvement I would like to see is the ability to know when and if a recipient read the SMS.

In cases of public emergency responsible parties would be able to know the exact percentage and even identity of recipients who did not get the message.

GlynApril 15, 2008 8:40 AM

They bloody well better make sure that I'm not _charged_ for this. My carrier (Sprint) charges $0.20 per message if you don't have a text message plan (which I do not have because my messages are only international, and their plans don't include that.).

That is why SMS spam has not taken off yet - because people will really hit the roof when they are spammed and then charged to receive it. I'm still amazed that junk faxes are allowd.

John S BattistaApril 15, 2008 10:05 AM

As I understand it, you pay some $$ for getting a text message, and if they start bulk-messaging, this could be bad and good at the same time.

Bad because people will get charges they dont' want...

but it might be good too. Why?

Because this might move to make text messaging free, if the carriers decide to take money for the rights to message from SMS advertisers. This means free text messaging, and possibly, in the way the internet is made free by advertisement, there could be text devices offered cheaply without having to get a cell phone and a service contract. The "cost" is putting up with spam the way we put up with it in our free email accounts (or email that does not cost us each time).

Yes I can see an opportunity for abuse here, but I see a lot of people with great cell phones and more advanced devices who do nothing more than text messaging. Why pay $100 or more a month and be locked in a contract for 1-2 years just for text messaging? And we can handle it the same way we handle bulk email and spam (filter it!).

There is always bad and good with everything technical.

dragonfrogApril 17, 2008 10:08 AM

Does anyone recall the paper a while ago about executing a medium-duration DoS on a cellphone network? It used precisely this technique - sending SMS messages to users concentrated in a geographic region.

The problem is that the cellphone system uses SMS signalling to send rings and tell the phones to connect on a particular voice channel. By flooding the SMS channel (singular) of a manageable set of transmitters, the authors came up with some calculations of the Internet bandwidth required to disable calling to and from geographic regions of various sizes, for various times. The short answer - it wouldn't take much...

DukeMay 7, 2008 1:55 AM

Its funny, I was at a security conference last year. A man who worked close with the technologies of the cellular network spoke of one such flaw in their system that wont be fixed anytime soon. If they implemented this system it could have dire effects on the system. Most likely any large cities would have to upgrade to even handle such a thing. Hopefully terrorists never figure out how to take down our cellular networks -_- I wonder who would take the blame if they did. All these companies know about the problem with sms too... they just don't have a need to fix it.

AnonymousMay 7, 2008 1:56 AM

Its funny, I was at a security conference last year. A man who worked close with the technologies of the cellular network spoke of one such flaw in their system that wont be fixed anytime soon. If they implemented this system it could have dire effects on the system. Most likely any large cities would have to upgrade to even handle such a thing. Hopefully terrorists never figure out how to take down our cellular networks -_- I wonder who would take the blame if they did. All these companies know about the problem with sms too... they just don't have a need to fix it.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..