Entries Tagged "SMS"

Page 1 of 2

Eavesdropping on SMS Messages inside Telco Networks

Fireeye reports on a Chinese-sponsored espionage effort to eavesdrop on text messages:

FireEye Mandiant recently discovered a new malware family used by APT41 (a Chinese APT group) that is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft. Named MESSAGETAP, the tool was deployed by APT41 in a telecommunications network provider in support of Chinese espionage efforts. APT41’s operations have included state-sponsored cyber espionage missions as well as financially-motivated intrusions. These operations have spanned from as early as 2012 to the present day. For an overview of APT41, see our August 2019 blog post or our full published report.

Yet another example that demonstrates why end-to-end message encryption is so important.

Posted on November 7, 2019 at 6:05 AMView Comments

Perverse Vulnerability from Interaction between 2-Factor Authentication and iOS AutoFill

Apple is rolling out an iOS security usability feature called Security code AutoFill. The basic idea is that the OS scans incoming SMS messages for security codes and suggests them in AutoFill, so that people can use them without having to memorize or type them.

Sounds like a really good idea, but Andreas Gutmann points out an application where this could become a vulnerability: when authenticating transactions:

Transaction authentication, as opposed to user authentication, is used to attest the correctness of the intention of an action rather than just the identity of a user. It is most widely known from online banking, where it is an essential tool to defend against sophisticated attacks. For example, an adversary can try to trick a victim into transferring money to a different account than the one intended. To achieve this the adversary might use social engineering techniques such as phishing and vishing and/or tools such as Man-in-the-Browser malware.

Transaction authentication is used to defend against these adversaries. Different methods exist but in the one of relevance here — which is among the most common methods currently used — the bank will summarise the salient information of any transaction request, augment this summary with a TAN tailored to that information, and send this data to the registered phone number via SMS. The user, or bank customer in this case, should verify the summary and, if this summary matches with his or her intentions, copy the TAN from the SMS message into the webpage.

This new iOS feature creates problems for the use of SMS in transaction authentication. Applied to 2FA, the user would no longer need to open and read the SMS from which the code has already been conveniently extracted and presented. Unless this feature can reliably distinguish between OTPs in 2FA and TANs in transaction authentication, we can expect that users will also have their TANs extracted and presented without context of the salient information, e.g. amount and destination of the transaction. Yet, precisely the verification of this salient information is essential for security. Examples of where this scenario could apply include a Man-in-the-Middle attack on the user accessing online banking from their mobile browser, or where a malicious website or app on the user’s phone accesses the bank’s legitimate online banking service.

This is an interesting interaction between two security systems. Security code AutoFill eliminates the need for the user to view the SMS or memorize the one-time code. Transaction authentication assumes the user read and approved the additional information in the SMS message before using the one-time code.

Posted on June 20, 2018 at 6:51 AMView Comments

Paris Terrorists Used Double ROT-13 Encryption

That is, no encryption at all. The Intercept has the story:

Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted.

European media outlets are reporting that the location of a raid conducted on a suspected safe house Wednesday morning was extracted from a cellphone, apparently belonging to one of the attackers, found in the trash outside the Bataclan concert hall massacre. Le Monde reported that investigators were able to access the data on the phone, including a detailed map of the concert hall and an SMS messaging saying “we’re off; we’re starting.” Police were also able to trace the phone’s movements.

The obvious conclusion:

The reports note that Abdelhamid Abaaoud, the “mastermind” of both the Paris attacks and a thwarted Belgium attack ten months ago, failed to use encryption whatsoever (read: existing capabilities stopped the Belgium attacks and could have stopped the Paris attacks, but didn’t). That’s of course not to say batshit religious cults like ISIS don’t use encryption, and won’t do so going forward. Everybody uses encryption. But the point remains that to use a tragedy to vilify encryption, push for surveillance expansion, and pass backdoor laws that will make everybody less safe — is nearly as gruesome as the attacks themselves.

And what is it about this “mastermind” label? Why do we have to make them smarter than they are?

EDITED TO ADD: More information.

EDITED TO ADD: My previous blog post on this.

Posted on November 18, 2015 at 3:35 PMView Comments

TYPHON HX: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//FVEY) Base Station Router – Network-In-a-Box (NIB) supporting GSM bands 850/900/1800/1900 and associated full GSM signaling and call control.

(S//SI//FVEY) Tactical SIGINT elements use this equipment to find, fix and finish targeted handset users.

(S//SI) Target GSM handset registers with BSR unit.

(S//SI) Operators are able to geolocate registered handsets, capturing the user.

(S//SI//REL) The macro-class Typhon is a Network-In-a-Box (NIB), which includes all the necessary architecture to support Mobile Station call processing and SMS messaging in a stand-alone chassis with a pre-provisioning capability.

(S//SI//REL) The Typhon system kit includes the amplified Typhon system, OAM&P Laptop, cables, antennas and AD/DC power supply.

(U//FOUO) An 800 WH LiIon Battery kit is offered separately.

(U) A bracket and mounting kit are available upon request.

(U) Status: Available 4 mos ARO

(S//SI//REL) Operational Restrictions exist for equipment deployment.

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on March 3, 2014 at 2:19 PMView Comments

CANDYGRAM: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station’s area of influence, the system sends out an SMS through the external network to registered watch phones.

(S//SI//REL) Typical use scenarios are asset validation, target tracking and identification as well as identifying hostile surveillance units with GSM handsets. Functionality is predicated on apriori target information.

(S//SI//REL) System HW

  • GPS processing unit
  • Tri-band BTS radio
  • Windows XP laptop and cell phone*
  • 9″ wide x 12″ long x 2″ deep
  • External power (9-30 VDC).

*Remote control software can be used with any connected to the laptop (used for communicating with the CANDYGRAM unit through text messages (SMS).

(S//SI//REL) SW Features

  • Configurable 200 phone number target deck.
  • Network auto-configuration
  • Area Survey Capability
  • Remote Operation Capability
  • Configurable Network emulation
  • Configurable RF power level
  • Multi-Units under single C&C
  • Remote restart
  • Remote erasure (not field recoverable)

Status: Available 8 mos ARO

Unit Cost: approx $40K

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 20, 2014 at 2:11 PMView Comments

TOTEGHOSTLY 2.0: NSA Exploit of the Day

Today’s item from the NSA’s Tailored Access Operations (TAO) group implant catalog:


(TS//SI//REL) TOTEGHOSTLY 2.0 is STRAITBIZARRE based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture.

(TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile operating system that utilizes modular mission applications to provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. A FRIEZERAMP interface using HTTPSlink2 transport module handles encrypted communications.

(TS//SI//REL) The initial release of TOTEGHOSTLY 2.0 will focus on installing the implant via close access methods. A remote installation capability will be pursued for a future release.

(TS//SI//REL) TOTEGHOSTLY 2.0 will be controlled using an interface tasked through the NCC (Network Control Center) utilizing the XML based tasking and data forward scheme under the TURBULENCE architecture following the TAO GENIE Initiative.

Unit Cost: $0

Status: (U) In development

Page, with graphics, is here. General information about TAO and the catalog is here.

In the comments, feel free to discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on.

Posted on February 19, 2014 at 2:18 PMView Comments

NSA Collects Hundreds of Millions of Text Messages Daily

No surprise here. Although we learned some new codenames:

  • DISHFIRE: The NSA’s program to collect text messages and text-message metadata.
  • PREFER: The NSA’s program to perform automatic analysis on the text-message data and metadata.

The documents talk about not just collecting chatty text messages, but vCards, SIM card changes, missed calls, roaming information indicating border crossings, travel itineraries, and financial transactions.

Posted on January 17, 2014 at 5:32 AMView Comments

Text Message Retention Policies

The FBI wants cell phone carriers to store SMS messages for a long time, enabling them to conduct surveillance backwards in time. Nothing new there — data retention laws are being debated in many countries around the world — but this was something I did not know:

Wireless providers’ current SMS retention policies vary. An internal Justice Department document (PDF) that the ACLU obtained through the Freedom of Information Act shows that, as of 2010, AT&T, T-Mobile, and Sprint did not store the contents of text messages. Verizon did for up to five days, a change from its earlier no-logs-at-all position, and Virgin Mobile kept them for 90 days. The carriers generally kept metadata such as the phone numbers associated with the text for 90 days to 18 months; AT&T was an outlier, keeping it for as long as seven years.

An e-mail message from a detective in the Baltimore County Police Department, leaked by Antisec and reproduced in a 2011 Wired article, says that Verizon keeps “text message content on their servers for 3-5 days.” And: “Sprint stores their text message content going back 12 days and Nextel content for 7 days. AT&T/Cingular do not preserve content at all. Us Cellular: 3-5 days Boost Mobile LLC: 7 days”

That second set of data is from 2009.

Leaks seems to be the primary way we learn how our privacy is being violated these days — we need more of them.

EDITED TO ADD (4/12): Discussion of Canadian policy.

Posted on March 21, 2013 at 1:17 PMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.