SHORT MESSAGE SERVICE SECURITY




February 2008
The Government of the Hong Kong Special Administrative Region

The contents of this document remain the property of, and may not be reproduced in whole or in part without the express permission of, the Government of the HKSAR.

Disclaimer: Whilst the Government endeavours to ensure the accuracy of the information in this paper, no express or implied warranty is given by the Government as to the accuracy of the information. The Government of HKSAR accepts no liability for any error or omission arising from or related to the use of the information.

TABLE OF CONTENTS

Summary ... 2
I. Introduction ... 3
   What is Short Message Service (SMS)? ... 3
   Business Trends ... 4
II. SMS Security ... 6
   The Basics of SMS Security ... 6
   SMS Security Threats ... 7
   SMS Security Considerations ... 9
III. Conclusion ... 12

Short Message Service Security Page 1 of 12

SUMMARY

Short Message Service (SMS) has become a very popular way for mobile phone users to exchange simple text messages using mobile phones and portable devices. With SMS, users can send to, or receive from, one person or several persons: personal messages, email notifications, information services, job dispatches, stock alerts and so on. With the advent of more powerful PDA-like mobile devices that come with sharper screens and convenient text input methods, SMS is becoming ever more common among mobile phone users. This paper provides a basic overview of SMS and discusses the security issues around its use.

I. INTRODUCTION

WHAT IS SHORT MESSAGE SERVICE (SMS)?

SMS provides a convenient means for people to communicate with each other using text messages via mobile devices or Internet-connected computers. Each message can contain at most 140 bytes (1120 bits) of data, the equivalent of up to 160 English characters or 70 Chinese characters. Solutions for e-marketers are available to deliver bulk SMS messages [1] to a large group of people instead of sending them one by one manually. Other utilities can collect phone numbers from imported text files or from contact information stored in mobile phones.

A Short Message Service Centre (SMSC), usually owned and run by a telecommunications operator, is responsible for the routing and delivery of SMS. The SMSC works on a store-and-forward basis: when an SMS message arrives at the SMSC, it is temporarily stored and then forwarded to the recipient's phone once the recipient's device is available. Similar to email, an SMS message may pass through a number of SMSCs or other SMS gateways (which act as bridges between two or more SMSCs running different SMSC protocols [2]) before reaching the recipient's device. If the intended recipient is not online, the SMSC keeps the stored message for a validity period before deleting it from storage.

[1] http://www.sendgroupsms.com/
[2] http://www.developershome.com/sms/sms_tutorial.asp?page=smsgateway
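The size limits above are what any SMS application has to respect when it decides how a text is encoded and how many messages it will take. The Python below is an added example, not code from this paper or from any product it names: it maps text to the GSM 03.38 7-bit alphabet (with the two-septet extension characters), packs septets into octets to show that 160 septets fill the 140-byte payload exactly, and falls back to UCS-2 for text such as Chinese, where 70 characters fit. The per-part limits for concatenated messages (153 septets or 67 UCS-2 characters, once a 6-byte user data header takes its share) go beyond what the paper states.

```python
"""Added example: work out how an SMS text will be encoded and segmented.

Built from the published GSM 03.38 alphabet tables; not code from the paper.
"""

# GSM 03.38 default 7-bit alphabet, indexed by septet value 0x00..0x7F.
# Value 0x1B is the escape septet; it is listed only to keep the indices right.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# GSM 03.38 extension table: each entry costs two septets (0x1B + code).
GSM7_EXTENSION = {"^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
                  "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}

GSM7_SINGLE, GSM7_MULTI = 160, 153  # septets per single / concatenated part
UCS2_SINGLE, UCS2_MULTI = 70, 67    # UTF-16 code units per single / concatenated part


def gsm7_encode(text):
    """Map text to GSM 7-bit septet values, or return None if some character
    has no GSM 03.38 representation (which forces UCS-2 for the whole message)."""
    septets = []
    for ch in text:
        if ch in GSM7_EXTENSION:
            septets.extend((0x1B, GSM7_EXTENSION[ch]))
        elif ch != "\x1b" and ch in GSM7_BASIC:
            septets.append(GSM7_BASIC.index(ch))
        else:
            return None
    return septets


def pack_septets(septets):
    """Pack septets LSB-first into octets as the SMS user-data field does:
    160 septets occupy exactly 140 bytes."""
    bits = 0
    for i, s in enumerate(septets):
        bits |= (s & 0x7F) << (7 * i)
    return bits.to_bytes((7 * len(septets) + 7) // 8, "little")


def sms_segments(text):
    """Return (encoding, units, segments). `units` is septets for GSM-7 or
    UTF-16 code units for UCS-2. Concatenated messages lose 6 bytes per part
    to the user data header, hence the lower per-part limits."""
    septets = gsm7_encode(text)
    if septets is not None:
        encoding, units = "GSM-7", len(septets)
        single, multi = GSM7_SINGLE, GSM7_MULTI
    else:
        encoding = "UCS-2"
        units = len(text.encode("utf-16-be")) // 2
        single, multi = UCS2_SINGLE, UCS2_MULTI
    segments = 1 if units <= single else -(-units // multi)  # ceiling division
    return encoding, units, segments


if __name__ == "__main__":
    # Constructed sample texts.
    for sample in ("Meeting at 3pm?", "a" * 161, "€" * 81, "你好，世界"):
        print(repr(sample[:20]), sms_segments(sample))
```

A single character outside the 7-bit alphabet (a smart quote pasted from a document, for instance) switches the whole message to UCS-2 and halves its capacity, which is a common reason a "short" alert arrives as two or three messages.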

BUSINESS TRENDS

SMS is a popular communication channel. On certain special days of the year, such as New Year's Day or Valentine's Day, SMS usage can increase dramatically. According to statistics from the Office of the Telecommunications Authority (OFTA), around 15 million SMS messages were sent on New Year's Day 2007, a 55% increase over the number in 2006 [3].

Short messages are now used for both personal and business communications. Some common examples are:

1. Alerts and notifications: stock brokers and banks notify customers of stock transaction status, credit card companies alert card holders to high-risk transactions, and IT systems in some organisations alert system administrators when critical events occur.

2. One-time passwords sent by SMS to the customers of banks or other organisations for authorising or confirming high-risk on-line transactions. With the one-time password, the on-line transaction system can authenticate the customer before the transaction is completed.

3. Two-way interactive text messaging, used by people for chatting and gossiping via their mobile phones, or by e-marketers who provide a convenient means for target customers to respond and request products or services, such as downloadable ringtones or wallpapers, via an encoded object in the SMS message.

[3] http://www.ofta.gov.hk/en/datastat/sms.pdf
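Item 2 depends on how the server side treats the one-time password: it must expire, be accepted once only, be bound to the transaction it confirms, and not be open to unlimited guessing. The Python below is an added example of such a store and is not from the paper or from any bank's system; the six-digit format, five-minute validity and three-attempt limit are assumptions, and delivery of the text through an SMS gateway is left outside the code.

```python
"""Added example: server-side handling of one-time passwords delivered by SMS.

Constructed design for illustration. It assumes a separate SMS gateway does
the delivery and that the server keeps only a keyed hash of each code.
"""
import hashlib
import hmac
import secrets
import time


class SmsOtpStore:
    def __init__(self, ttl_s=300, max_attempts=3, clock=time.time):
        self.ttl_s = ttl_s                      # validity period (assumed 5 min)
        self.max_attempts = max_attempts        # guesses allowed per code (assumed 3)
        self.clock = clock                      # injectable so tests control time
        self._pepper = secrets.token_bytes(32)  # server secret used to hash codes
        self._pending = {}                      # txn_id -> {"digest", "expires", "attempts"}

    def _digest(self, txn_id, code):
        # Bind the code to its transaction so a code issued for one
        # transaction cannot be replayed against another.
        return hmac.new(self._pepper, f"{txn_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, txn_id, summary):
        """Create a 6-digit code and the SMS text to send. The text repeats the
        transaction details so the user can spot a code issued for something else."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {
            "digest": self._digest(txn_id, code),
            "expires": self.clock() + self.ttl_s,
            "attempts": 0,
        }
        text = f"Code {code} confirms: {summary}. Valid {self.ttl_s // 60} min."
        return code, text  # the code goes to the SMS gateway, never into logs

    def verify(self, txn_id, code):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'unknown'. Codes are
        single-use and are discarded on success, expiry or lockout."""
        entry = self._pending.get(txn_id)
        if entry is None:
            return "unknown"
        if self.clock() > entry["expires"]:
            del self._pending[txn_id]
            return "expired"
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(txn_id, code)):
            del self._pending[txn_id]
            return "ok"
        if entry["attempts"] >= self.max_attempts:
            del self._pending[txn_id]
            return "locked"
        return "wrong"


if __name__ == "__main__":
    store = SmsOtpStore()
    code, text = store.issue("txn-demo", "transfer of HKD 5,000 to A/C ending 1234")
    print("SMS text:", text)
    print("wrong guess:", store.verify("txn-demo", "000000"))
    print("right code:", store.verify("txn-demo", code))
    print("replay:", store.verify("txn-demo", code))
```

The attempt limit matters because a six-digit code has only a million values; without it, a validity window of a few minutes is long enough for an automated guesser. Keeping only a keyed digest means a database leak does not expose live codes.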

In Hong Kong, the sending of bulk SMS messages is governed by the Unsolicited Electronic Messages Ordinance (UEMO) [4].

[4] http://www.ofta.gov.hk/en/uem/main.html

II. SMS SECURITY

THE BASICS OF SMS SECURITY

The technical specifications for SMS security are laid down in ETSI TS 03.48 [5]. Certain fields in the specification, such as the Security Parameter Index (SPI), the Ciphering Key Identifier (KIc) and the Integrity Value (RC/CC/DS), define the security parameters available. A Redundancy Check (RC), Cryptographic Checksum (CC) or Digital Signature (DS) may be used to verify the integrity of the data. However, these confidentiality and integrity mechanisms are specified only as optional security measures that can be made available; they are not mandatory requirements for an SMS system implementation [6]. The availability of the SMS service also depends on the SMSC, which may interrupt it.

Without these SMS security options being properly implemented, everyday SMS messages transmitted on a network are protected only by the communication network itself, such as a GSM network. In practice, SMS messages are not encrypted by default during transmission. A cyclic redundancy check is applied to SMS information passing across the signalling channel to ensure that short messages are not corrupted, and forward error protection is incorporated using convolutional coding. These checks detect transmission errors only; by default, no cryptographic protection of the confidentiality or integrity of SMS messages is applied.

[5] http://www.3gpp.org/ftp/specs/archive/03_series/03.48/
[6] http://stinet.dtic.mil/oai/oai?verb=getrecord&metadataprefix=html&identifier=ada462720
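To make the distinction concrete: the cyclic redundancy check described above catches corruption on the channel, but anyone who can alter a message in transit or in storage can recompute it, which is why a keyed cryptographic checksum is a different kind of control. The Python below is an added illustration and not from the paper; HMAC-SHA256 with a truncated tag stands in for the TS 03.48 CC option, whose actual algorithm and key handling differ, and the key, payload and tag length are constructed values.

```python
"""Added example: an error-detecting check versus a keyed integrity check.

Constructed illustration. HMAC-SHA256 stands in for the cryptographic
checksum (CC) option of TS 03.48; the real option uses a different MAC.
"""
import hashlib
import hmac
import zlib

TAG_LEN = 8  # bytes of MAC appended to the payload (an assumption for this example)


def crc_protect(payload):
    """Append a CRC-32 trailer, as a transmission check does."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_verify(frame):
    body, trailer = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == trailer


def mac_protect(key, payload):
    """Append a truncated HMAC-SHA256 tag computed under a shared key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]


def mac_verify(key, frame):
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def flip_bit(frame, bit_index):
    """Simulate a transmission error: flip one bit of the frame."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def rewrite_body(frame, new_body, trailer_len):
    """Simulate an intermediary that can edit the stored message but holds no
    key: it can recompute a CRC, but can only reuse the old MAC tag."""
    trailer = frame[-trailer_len:]
    if trailer_len == 4:
        return crc_protect(new_body)
    return new_body + trailer


def compare_checks(key=b"constructed-shared-key", original=b"PAY 100 TO ACCT 12345"):
    """Report which check catches random noise and which catches a deliberate edit."""
    altered = b"PAY 900 TO ACCT 99999"  # constructed modification
    crc_frame, mac_frame = crc_protect(original), mac_protect(key, original)
    return {
        "crc_detects_noise": not crc_verify(flip_bit(crc_frame, 13)),
        "mac_detects_noise": not mac_verify(key, flip_bit(mac_frame, 13)),
        "crc_detects_edit": not crc_verify(rewrite_body(crc_frame, altered, 4)),
        "mac_detects_edit": not mac_verify(key, rewrite_body(mac_frame, altered, TAG_LEN)),
        "fits_in_140_bytes": len(mac_frame) <= 140,
    }


if __name__ == "__main__":
    for check, caught in compare_checks().items():
        print(f"{check}: {caught}")
```

Both checks flag the bit flip; only the keyed tag flags the rewritten amount. The cost is the bytes the tag takes out of the 140-byte payload and the need for a key shared between sender and recipient, which is exactly what the optional TS 03.48 mechanisms and the end-to-end products mentioned later provide.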

As mentioned, each short message has a validity period during which the SMSC provides temporary storage if the message cannot be delivered to the intended recipient(s) successfully. The SMSC deletes a stored SMS message if it cannot be delivered within the validity period, after which the intended recipient(s) will never receive the original message. This typically happens when the recipient is outside the SMS coverage area, for example during a business trip out of the country.

SMS SECURITY THREATS

Understanding the basics of SMS security opens the door to preventing some common security threats in SMS usage and implementation:

Message Disclosure

Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped on during transmission. In addition, SMS messages are stored as plain text by the SMSC until they are successfully delivered to the intended recipient, so they could be viewed or amended by users of the SMSC who have access to the messaging system. Spying programs such as FlexiSpy [7] enable intruders to automatically record all incoming and outgoing SMS messages on a phone and then upload the logs to a remote server for later viewing and analysis.

[7] http://www.flexispy.com/news-flexispy-blackberry-windows-mobile.htm

Spamming

While e-marketers use SMS as a legitimate marketing channel, many people have suffered the inconvenience of receiving SMS spam. The availability of bulk SMS broadcasting utilities makes it easy for virtually anyone to send out mass SMS messages.

Flooding / Denial of Service (DoS) Attacks

Flooding or DoS attacks are carried out by sending repeated messages to a target mobile phone, rendering the victim's phone unusable. Studies also show that weaknesses in the SMS protocol could be exploited to launch a DoS attack on a cellular phone network. For example, it was found that sending 165 text messages a second was enough to disrupt all the cell phones in Manhattan [8].

SMS Phone Crashes

Some vulnerable mobile phones may crash if they receive a particular type of malformed short message. Once such a message is received, the affected phone becomes inoperable. Media reports have shown that mobile phones are vulnerable to this type of attack [9].

[8] http://www.schneier.com/blog/archives/2005/10/sms_denialofser_1.html
[9] http://www.theregister.co.uk/2001/12/06/sms_phone_crash_exploit/
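Flooding of a single subscriber shows up in SMSC or gateway delivery logs as an abnormal message rate towards one destination, and a sliding-window counter is enough to raise an alert before the victim's phone is saturated. The Python below is an added example, not from the paper; the log format, phone numbers, window size and threshold are all constructed for the illustration.

```python
"""Added example: flag SMS flooding against one destination from delivery logs.

The log format and every number in the sample are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\+\d+) dst=(?P<dst>\+\d+) len=\d+$")


def parse_line(line):
    """Return (timestamp, src, dst) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def detect_floods(lines, window_s=10, max_per_window=20):
    """Sliding-window counter per destination. Returns
    {dst: {"first_alert": iso_ts, "top_src": src}} for destinations that
    received more than `max_per_window` messages within `window_s` seconds."""
    recent = defaultdict(deque)                       # dst -> timestamps in window
    senders = defaultdict(lambda: defaultdict(int))   # dst -> src -> count
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not fatal
        ts, src, dst = parsed
        window = recent[dst]
        window.append(ts)
        senders[dst][src] += 1
        while ts - window[0] > timedelta(seconds=window_s):
            window.popleft()
        if len(window) > max_per_window and dst not in alerts:
            top_src = max(senders[dst], key=senders[dst].get)
            alerts[dst] = {"first_alert": ts.isoformat(), "top_src": top_src}
    return alerts


def sample_log():
    """Constructed log: 30 messages in six seconds to one number (a flood) plus
    three ordinary messages to another number spread over several minutes."""
    base = datetime(2008, 2, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        ts = base + timedelta(seconds=i // 5)  # five messages per second
        lines.append(f"{ts.isoformat()} src=+85290000001 dst=+85290000002 len=5")
    for minute in (0, 3, 7):
        ts = base + timedelta(minutes=minute, seconds=30)
        lines.append(f"{ts.isoformat()} src=+85290000003 dst=+85290000004 len=40")
    lines.append("garbage line that does not parse")
    return sorted(lines)  # deliveries are processed in time order


if __name__ == "__main__":
    for dst, info in detect_floods(sample_log()).items():
        print(f"flood towards {dst}: first seen {info['first_alert']}, "
              f"dominant sender {info['top_src']}")
```

Recording the dominant sender alongside the alert gives the operator something to act on (rate-limiting or blocking the source) rather than just a count; a per-network variant of the same counter, keyed on cell or route instead of destination, is how the network-level flooding the studies describe would be watched.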

SMS Viruses

There have been no reports of viruses being attached to short messages, but as mobile phones become more powerful and programmable, the potential for viruses to spread through SMS is growing. In addition, SIM application toolkits allow applications to access the dialling functions and phone book entries, which might make SMS a suitable platform for spreading a self-replicating virus.

SMiShing (SMS Phishing)

SMiShing [10] is a combination of SMS and phishing. As in an Internet phishing attack using email, attackers attempt to fool mobile phone users with bogus text messages [11]. Users taken in by a bogus text message may connect to a website given in the message and be tricked into downloading a malware application onto their mobile phones.

[10] http://searchmobilecomputing.techtarget.com/originalcontent/0,289142,sid40_gci1214281,00.html
[11] http://www.vnunet.com/vnunet/news/2163586/sms-phishing-attack-seen-wild

SMS SECURITY CONSIDERATIONS

To avoid security threats to SMS, users are advised to observe the following common precautions:

Message Transmission

When sending SMS messages via a web browser, security protection such as Secure Socket Layer (SSL) should be in place to secure the transmission and prevent message disclosure. For applications that require secure transmission of a message, such as mobile banking, end-to-end encryption between the sender and the recipient is advisable, and these transactional systems should have end-to-end security built in. For person-to-person communications, products such as CryptoSMS [12] are available to help users encrypt SMS communications using strong encryption algorithms, which helps protect against possible SMS interception.

Storage Protection

In the case of large-scale SMS broadcasts, customer mobile phone contact lists should be kept confidential and properly protected from disclosure. As contact lists are considered personal data, proper protection should be implemented in accordance with privacy laws and regulations.

[12] http://cryptosms.com/protect.html

User Authentication

User login IDs and passwords should be used to authenticate users of web-based SMS services before they send short messages, and should not be disclosed to others. For secure transactions, the authentication exchange should be protected by SSL.

Protection of PCs Used for Sending Messages

When sending short messages to an SMS gateway via the Internet, it is not advisable to use a public Internet terminal. If desktop utilities are used to send out SMS messages, the PC used should not be left unattended.

III. CONCLUSION

SMS is now a very common communication tool. Security protection for SMS messages is not yet sophisticated and is difficult to implement in practice. With the increasing use of SMS for communication and information exchange, care should be taken when sensitive information is transmitted via SMS. Users should be aware that SMS messages may be intercepted, and solutions such as encrypted SMS should be considered if there is a need to send sensitive information by SMS.