< March 2006 >
    1 2 3 4
5 6 7 8 91011
Tue, 07 Mar 2006:

I used to work on a mobile phone product. Once you start sitting down and reading through the various specs around, you start to realize that most basic designs for mobile phone protocols were built more like the internet was. If you've read The Art of Deception which talks about something called Speakeasy security. The concept dates from the prohibition era in the US, where if you showed up at the right place and spoke the right lingo, you were in. So let's apply the same theories here (no code here).

the place: SMSc numbers aren't that hard to find. In fact, they are published and exchanged between the cellphone companies for routing. For example, Airtel Karnataka's SMSc would be 98450 870xx *. You can easily check it with a simple AT command.


< +CSCA="+9198450870xx",145
< OK

secret knock: you need to see if this allows you to call up directly. To send an SMS with a fake sender, you need to be able to access it using the EMI/UCP protocol. The specification has provision for login operations, but few SMSC's actually enable strict authentication.

right lingo: You could mess around with Net::EMI::Client perl script to generate all your PDU data. Otherwise that protocol is just padding hell to generate easily. Technically it is child's play to actually dial out to the SMSc push out the PDU you want and then just wait for people to get messages with *interesting* sender numbers (42-31337-31337, anyone ?).

All this is common knowledge in the GSM services world. You just need to know what to look for and then a few bits & peices on how to use it with a desktop.

The reader this message encounters not failing to understand is cursed.

posted at: 16:44 | path: /hacks | permalink | Tags: ,