 |
 |
 |
|||||
While doing research on sending SMS text messages from my computer, I came across the UCP protocol definition. It gives you the possibility to set your sending phone number, but it doesn't check for validity. E-mail knows a similar flaw, and it's widely used to spam people. The possibility to fake your sender id for SMS text messages is not widely known however.
When you have a standard modem in your computer, you can send SMS text messages to a mobile phone from it. You dial in to an SMS service center, and talk a certain protocol. There are basically three protocol variants: SMPP, TAP and UCP. The latter is used by KPN, which is a telecom operator here in The Netherlands.
I wrote a small program that talks UCP to KPN's SMS service center, and quickly found that you can supply your own 'from' phone number. There is no check to see whether this number actually belongs to you, and so you can easily fake it. Of course I'm not the first to find this flaw, but I don't think it's known to the public either. Spam by SMS is becoming an increasingly big issue, and this flaw gives SMS spammers even more opportunity.
...but it also opens up a world of fun!
I had the best time sending fake messages to my colleague. He's a real iPhone fanatic, you know: jailbreaking and the works. I started sending him SMS text messages with the from number being '1337', and the messages being like 'L0L - I ownz ya iFone!! Thaz wh4z ya get for illegal unl0ck1ng y4 n00b'. After that the messages were about people in his contact list, claiming I had full access to each and every contact in his phone. The best part was me sending him a fake message supposedly coming from one of his contacts (that we both knew), with a message saying 'I get all kinds of strange calls from a guy'. When he worriedly started posting on a tech forum, I thought it was time break it to him. He took it like a sport, and we all had a good laugh! Just another fun day in the office!
Jurrie Overgoor, R&D 2go-mobile B.V.
|
|||||||
 |
 |
 |
