SHORT MESSAGE SERVICE SECURITY

Transcription

1 SHORT MESSAGE SERVICE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express permission of the Government of the HKSAR. Disclaimer: Whilst the Government endeavours to ensure the accuracy of the information in this paper, no express or implied warranty is given by the Government as to the accuracy of the information. The Government of HKSAR accepts no liability for any error or omission arising from or related to the use of the information.

2 TABLE OF CONTENTS Summary... 2 I. Introduction... 3 What is Short Message Service (SMS)?... 3 Business Trends... 4 II. SMS Security... 6 The Basics of SMS Security... 6 SMS Security Threats... 7 SMS Security Considerations... 9 III. Conclusion Short Message Service Security Page 1 of 12

3 SUMMARY Short Message Service (SMS) has become a very popular way for mobile phone users to send and receive simple text messages to each other using mobile phones and portable devices. With SMS, users could send to or receive from a single person, or several persons, personal messages, notifications, information services, job dispatches, stock alerts and so on. With the advent of more powerful PDA-like mobile devices that come with sharper screens and convenient text input methods, SMS is now more and more common among mobile phone users. This paper provides a basic overview of SMS, and discusses the security issues around the use of SMS. Short Message Service Security Page 2 of 12

4 I. INTRODUCTION WHAT IS SHORT MESSAGE SERVICE (SMS)? SMS provides a convenient means for people to communicate with each other using text messages via mobile devices or Internet connected computers. Each message can contain at most 140 bytes (1120 bits) of data, the equivalent of up to 160 English characters, or 70 Chinese characters. Solutions for e-marketers are available to deliver bulk SMS messages 1 to a large group of people, instead of sending SMS messages one by one manually. Other utilities can collect phone numbers from imported text files or contact information stored in mobile phones. A Short Message Service Centre (SMSC), usually owned and run by a telecommunication operator, is responsible for the routing and delivery of SMS. When a SMS message is delivered to the SMSC, a store-and-forward message mechanism is implemented, whereby the message is temporarily stored, then forwarded to the recipient s phone when the recipient device is available. Similar to messages, a SMS message may pass through a number of SMSC or other SMS gateways (which act as bridges between two or more SMSCs running different SMSC protocols 2 ) before reaching the recipient s device. An SMSC helps route SMS messages and manage the process. If the intended SMS recipient is not online, the SMSC will keep the stored SMS message for a validity period before deleting it from storage Short Message Service Security Page 3 of 12

5 BUSINESS TRENDS SMS is a popular communication channel. On certain special days of the year, such as New Year Day or Valentine s Day, SMS usage volume can increase dramatically. According to statistics from the Office of the Telecommunications Authority (OFTA), there were around 15 million SMS messages sent on New Year Day 2007, a 55% increase over the number in Short messages are now used for both personal and business communications. Some common examples are: 1. Alerts and notifications to customers by stock brokers and banks on stock transaction status, credit card holders from credit card companies for high-risk transactions, system administrators in some organisations if critical events occur in IT systems, and so on. 2. One-time passwords being sent to the customers of banks or organisations via SMS messages for authorising or confirming high-risk on-line transactions. With this one-time password, the customers can be authenticated by the on-line transaction system before transactions are completed. 3. Two-way interactive text messaging used by people for chatting and gossiping via their mobile phones, or E-Marketers who provide a convenient means for target customers to respond and request products or services such as downloadable ringtones or wallpapers via an encoded object in the SMS message. 3 Short Message Service Security Page 4 of 12

6 In Hong Kong, sending bulk SMS messages is governed under regulations in the Unsolicited Electronic Messages Ordinance (UEMO) Short Message Service Security Page 5 of 12

7 II. SMS SECURITY THE BASICS OF SMS SECURITY The technical specifications for SMS are laid down in ETSI TS Certain options in the technical specification, such as the Security Parameter Index (SPI), the Ciphering Key Identifier (KIc), and the Integrity Value (RC/CC/DS), provide specifications for available security parameters. A Redundancy Check (RC), Cryptographic Checksum (CC) or Digital Signature (DS) might also be used for integrity verification of the data. However, these confidentiality and integrity mechanisms are only specified as optional security measures that can be made available, but they are not mandatory requirements for SMS system implementation 6. The availability of SMS services may also be interrupted by the SMSC. Without proper implementation of these SMS security options, everyday SMS messages transmitted on a network are only protected by the communication network itself such as a GSM network. In practical use, SMS messages are not encrypted by default during transmission. A cyclic redundancy check is provided for SMS information passing across the signalling channel to ensure short messages do not get corrupted. Forward error protection is also incorporated using conventional encoding. Cryptographic protection on confidentiality and integrity is not available for SMS messages Short Message Service Security Page 6 of 12

8 As mentioned, each short message has a validity period whereby temporary storage is provided by the SMSC if the SMS message cannot be delivered to the intended recipient(s) successfully. The SMSC will delete stored SMS messages if they cannot deliver a message within the validity period. After a message is deleted, the intended recipient(s) will not be able to receive the original message. Usually this can happen if the recipient is not in the SMS coverage area, such as during a business trip out of the country. SMS SECURITY THREATS Understanding the basics of SMS security opens the door to preventing some common security threats in SMS usage and implementation: Message Disclosure Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped during transmission. In addition, SMS messages are stored as plain text by the SMSC before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy 7 enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis. 7 Short Message Service Security Page 7 of 12

9 Spamming While e-marketers are using SMS as a legitimate marketing channel, many people have had the inconvenience of receiving SMS spam. The availability of bulk SMS broadcasting utilities makes it easy for virtually everyone to send out mass SMS messages. Flooding / Denial of Service (DoS) Attacks Flooding or DoS attacks are made possible by sending repeated messages to a target mobile phone, making the victim s mobile phone inaccessible. Studies also show that weaknesses in the SMS protocol could be exploited to launch a DoS attack on a cellular phone network. For example, it was found that sending 165 text messages a second was enough to disrupt all the cell phones in Manhattan 8. SMS Phone Crashes Some vulnerable mobile phones may crash if they receive a particular type of malformed short message. Once a malformed message is received, the infected phone becomes inoperable. Media reports have shown that mobile phones are vulnerable to this type of attack Short Message Service Security Page 8 of 12

10 SMS Viruses There have been no reports of viruses being attached to short messages, but as mobile phones are getting more powerful and programmable, the potential of viruses being spread through SMS is becoming greater. In addition, the ability of SIM application toolkits that allows applications to access the dialling functions and phone book entries, might make SMS suitable platform for spreading self-replicating virus. SMiShing (SMS Phishing) SMiShing 10 is a combination of SMS and phishing. Similar to an Internet phishing attack using , attackers are attempting to fool mobile phone users with bogus text messages 11. When users are taken in by a bogus text message, they may connect to a website provided in the SMS message, and be tricked into download a malware application into their mobile phones. SMS SECURITY CONSIDERATIONS Short Message Service Security Page 9 of 12

11 To avoid security threats to SMS, users are advised to follow the following common precautions: Message Transmission When sending SMS messages via a web browser, security protection should be in place to prevent message disclosure, such as using Secure Socket Layer (SSL) to secure the transmission. For those applications that require secure transmission of a message, such as mobile banking, end-to-end encryption is advisable between the sender and the recipient. These transactional systems should have the end-to-end security built-in. For person-to-person communications, products such as CryptoSMS 12 are available to help users encrypt SMS communications using strong encryption algorithms. This can help protect against possible SMS interception threats. Storage Protection In the case of large-scale SMS broadcasts, customer mobile phone contact lists should be kept confidential and properly protected from disclosure. As contact lists are considered personal data, proper protection should be implemented in accordance with privacy laws and regulations Short Message Service Security Page 10 of 12

12 User authentication User login IDs and passwords should be used to authenticate users on web-based SMS services when sending short messages. User login IDs and passwords should not be disclosed to others. For secure transactions, user authentication should be protected by SSL. Protection of PCs for sending messages When sending short messages to an SMS gateway via the Internet, it is not advisable to use a public Internet terminal. If desktop utilities are used to send out SMS messages, the PC used to send the message should not be left unattended. Short Message Service Security Page 11 of 12

13 III. CONCLUSION SMS is now a very common communication tool. Security protection of SMS messages is not yet that sophisticated and difficult to implement in practice. With the increasing use of SMS for communication and information exchange, care should be taken when sensitive information is transmitted using SMS. Users should be aware that SMS messages might be subject to interception. Solutions such as encrypted SMS should be considered if there is a need to send sensitive information via SMS. Short Message Service Security Page 12 of 12