If you think O2 headers are bad, check this out. (kiteandcode.com)
54 points by richardburton on Jan 25, 2012 | hide | past | favorite | 58 comments



So the complaint is that no one tells the world about the insecurity of text messages. And the blame is laid on a network provider.

This is wrong. First of all I think it's a bad idea to jump on the (valid!) privacy complaint against O2 in the UK with this unrelated thing. Second, as many pointed out already: This is not a problem of any carrier.

So your peers are surprised if you send a text message from their mum's number? Sure, understandable and maybe that needs to be fixed. But your carrier is not responsible for that in my world, just as yahoo/google etc. cannot protect you from most spoofs in the mail world.

And - gasp! - you can do similar things with a call (ever noticed that Skype offers to call 'from your number'?).

If the article wouldn't hijack a real issue _and_ wouldn't blame the wrong target, then I think there's a valid point somewhere in there: We, the technical crowd, should find a way to educate people around us about inherent trust issues. But that should be a constructive project, not mud slinging.


> So the complaint is that no one tells the world about the insecurity of text messages. And the blame is laid on a network provider.

Yes.

> This is wrong.

I agree ;)

> First of all I think it's a bad idea to jump on the (valid!) privacy complaint against O2 in the UK with this unrelated thing.

Unrelated in terms of technical differences but not in terms of the broader trend which is this: UK networks do not care enough about their customers' privacy and security. The Leveson enquiry, the O2 issue and the existence of SMS spoofing all prove that.

> Second, as many pointed out already: This is not a problem of any carrier.

If Apple were a carrier, would they let this happen to their customers? I do not think so.

> just as yahoo/google etc. cannot protect you from most spoofs in the mail world.

Yahoo maybe, Google tries pretty hard.

> And - gasp! - you can do similar things with a call (ever noticed that Skype offers to call 'from your number'?).

Requires verification. This is not relevant.

> If the article wouldn't hijack a real issue _and_ wouldn't blame the wrong target, then I think there's a valid point somewhere in there: We, the technical crowd, should find a way to educate people around us about inherent trust issues. But that should be a constructive project, not mud slinging.

In my opinion the real issue is that the networks do not care enough to fix lots of problems.


The Apple reference is weird..

Regarding 'requiring verification': See my other post. I was certainly able to call using other people's number as source in the past. Can everyone and his mum? I - don't know. I highly doubt that Skype _needs_ (disregarding laws etc) to ask anyone.

But let's get to the bottom: How do you even fix this? See, you got a friend. His name's Bob. He has a girlfriend called Alice.. (okay, just kidding):

Friend is on vacation in Siberia. Wants to send a text message to his girlfriend. There's a valid scenario where a message travels from a remote (sorry to all people from Siberia) part of Europe to the UK - using a very simple protocol and (probably) going through a few hops.

Now your friend isn't in Siberia. Why is this now obviously spoofed? Because he is currently connected to your carrier? A kind of 'drop text messages from somewhere else if connected here' kind of policy? What if you know that he turns his phone off during the night? Store the last point of network access per user?

Text messages have a maximum life time (they are stored until either the time expires or the recipient receives and acks the messages). How would you make sure that this still works, looking at the use case above?

I just think that 'They don't care' is not a healthy thing to believe. You said elsewhere that you have to admit that you're not too familiar with the tech involved (and - I certainly don't claim to speak with authority either), but you outright claim that it can be fixed (I hope you agree that we're talking about 'with reasonable effort _and_ without breaking texting as it works today').


Sorry for not explaining the Apple reference in more detail. What I meant was I love Apple because they really care about their customers. They seem to give a damn. The networks do not.

Just look at this reply from the UK network Three:

https://twitter.com/threeuksupport/status/162101700595957760

Does that not make your blood boil?

I know that the loophole I found can be fixed. I am not prepared to explain it here because I want the networks to shut off the loopholes I do not know about, as well as the one I do.


I fail to follow. This seems to be the response to the (flawed? I guess we have to agree to disagree at this point) complaint in your blog.

Yes, there are sites that allow you to send text messages from other numbers, some trivial, some with an API. I claim it's a hard problem to "fix" this.

What kind of response would you have liked to get? It was fast, open/honest and correct. The last part is probably hand waving, but my blood doesn't boil. I'd have answered the same, given a small character restriction.

This whole discussion gives longer explanations why this is the case in general.

If you aren't talking about a specific loophole _in their service_ then I think we're still discussing the same thing or - well - fail to understand each other.


We just fundamentally disagree on whether this is bad or not. All I can say is that if lots of people got hold of my app it would be awful.


Google and others can and do try to protect users from spoofing - in my opinion, every communication service provider should try to prevent their users from being misled by impersonators.

I'm not sure educating all users about the spoofability or otherwise of all existing communication systems is the way forward as a tech community - there's more we can do in terms of bolstering existing security and trying to validate/flag existing messages.

I've never enabled the ability to 'call from my number' for any services, so I would expect that others would be unable to spoof mine.


Google tries - but cannot. Ultimately it can only do the same dance that it does with spam. Learn, improve, tweak - and never succeed.

I think a general project to explain encryption/signing would be awesome. I'd _love_ to send mails to my bank, to the government etc. and have them be legally binding. I'm sure it could help against quite some amount of spam as well, if you understand that an address isn't to be trusted by default.

I .. don't get that last part. How do you think the process of being able to authorize a 'from' number works? Technically gazillions of services could probably do it. It's inherently simple if you are well-connected. Skype certainly doesn't need to ask you first and have a kind of exchange with you and your carrier that 'unlocks' their ability to use your number in an outgoing call. It's a policy that protects them from abuse (i.e. they care, because of legal implications and because of possible business impact if they'd abuse it). [1]

They don't need to get your ok though, if they don't want to.

1: This is based on a limited experience in my past, where I had (legal) access to an asterisk server with a nice trunk connection to a mobile carrier in DE. I certainly don't have extensive telecom knowledge, but got a glimpse at least.


Google tries - that is a good thing!

The networks do not. Check this tweet from the mobile network 3: https://twitter.com/threeuksupport/status/162101700595957760


mail -r obama@whitehouse.gov my_user@gmail.com

Done from my home computer on a DSL connection, and surely gmail shows I got a mail from obama.


Does it? Screen-grab?



Could not agree more. People trust their phone network. I think the networks do not deserve that trust.


>First of all I think it's a bad idea to jump on the (valid!) privacy complaint against O2 in the UK with this unrelated thing.

It's not unrelated.

Take a forum where you've registered your details - many people are more than happy to give out real name, mother's maiden name etc, but won't give out their mobile number. The forum can capture that number without you knowing and use that along with the info you've chosen to provide to send a valid looking SMS, both in terms of sender and content.

Text From O2 - Dear Mr Smith. We need to update your profile. Please go to http://reallyo2.com/logon.html and log on.


You try really hard to find a way to mix these (still unrelated) things in my opinion..

What would be the sender number of O2 here to make it look authentic? And if 'I can send you a text message spoofing to be O2 to collect your number' is related, should we now bash all mail providers (or - any particular?) because the very same connection can be artificially created for 'I can send you a mail spoofing to be from O2 to collect your number'?

One issue is a real privacy breach, is currently looked into according to the company and will hopefully be fixed. The other thing is a problem of a technology that wasn't designed with this problem in mind and that grew beyond anyone's expectations.

One is a bug, one is (for now and in most of this thread) a communication problem that obviously surprises a number of people.


I didn't try particularly hard at all. It's a pretty obvious consequence of the two.

It is already a problem for email, but most people are getting much more savvy with this and are mostly at least aware of the risk.

With SMS, it's not so common. So people are less likely to expect it, and (certainly in my experience) they are more trusting of an SMS that looks like it comes from a legit source, especially if it contains personal info about you.

This is partly because people are usually more wary of giving out their mobile number - I know that I've given it out to very few places, and most of them are ones that I trust. The O2 issue massively impacts this, as there's thousands of sites who now potentially have my number (and many of those will be linked to some personal info about me). But it's also partly because most people don't realise that you can spoof SMS headers this way - if you get a text message that claims to be from a particular number, most people assume that it came from that number.

I'm not making any comment on the cause of it (whether it's a bug or a design feature), or whether there's anyone to "blame" (and if so, who).

I'm simply pointing out that there is quite a significant overlap between the two, as the combination creates a potential spammers' paradise.


It is a big bug that evil people can use to their evil advantage too easily.


This is not the fault of any one network; it's a fact of life when it comes to SMS. You can have all kinds of fun, whether it's messages that appear to be from you, your friend, or 11 characters of your choice, an SMS that will only display without being stored, or even a voicemail notification.

There's a nice guide to the format here:

http://www.dreamfabric.com/sms/


Agreed. But they do not care at all. That is my complaint.


To fix it, you'd have to reinvent the protocol.

That's like reinventing email. Well good luck with that ;)


My lack of knowledge on this subject is evident here I am afraid. Is there not a way the networks could, like Google, try and detect spam or spoof messages?


Yes it can with reasonable accuracy, but it's a whack-a-mole game, because there is no standard, many attempts have been gamed successfully by spammers, not all email servers are configured to use the latest "practices" (since this gets expensive) and not all email clients are configured to use the latest practices because that would trigger many false positives.

I just did an experiment.

Using my local Postfix email server with the default settings, I just sent an email from bill.gates@microsoft.com to my GMail account. It arrived in my Inbox just fine. And I'm sure that if I sent this to dozens of people, then GMail would have flagged it, but it chose not to.


Somewhere else in this discussion someone compared it to peering, which is quite a good example.

You grant (read: sell) permission to other people to deliver text messages to your subscribers. The very same way you get a text message from carrier A while being a subscriber of carrier B. Now enter international territory. You interconnect with lots of networks, each of which can (in my experience services like that were often from/cheapest in eastern Europe) hand out access to more people to send on their behalf.

Google can only try to protect you in limited cases. Check if the mail says it is originated from Google and notice that it isn't (flags a lot of false positives, if you are a valid sender, sending in a non-standard way). Checking headers (easily forged for most parts). Things like SPF [1] where you, as the admin of a domain, can tell the world that really only host X sends mails on your behalf.

The world might not care though - and the burden is again not on your very own 'carrier' (Google here), but on everyone on this planet that runs a domain.

There might be other ways, but inherently this problem is unsolved. Unless you went to a key signing party and verify that the data you got was signed by the key that you _know_ belongs to the sender (and you trust him not to give it away. And you trust him not to lose control of it or at least revoke it).

1: https://en.wikipedia.org/wiki/Sender_Policy_Framework
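The SPF mechanism mentioned above, as an added illustration that is not code from this thread: a minimal evaluator in the spirit of RFC 7208 showing how a receiving mail server decides whether a connecting IP may use a claimed sender domain. It reads constructed TXT records from an in-memory table instead of live DNS, and all domain names and addresses are made up.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no live DNS available).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "lax.example": "v=spf1 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    rec = FAKE_DNS_TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the connecting IP against the claimed domain's SPF policy.

    Handles ip4, ip6, include and all with the four qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # RFC 7208 limits lookup chains; treat excess as permerror
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # domain publishes no policy: nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record is the domain owner's problem
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced policy itself passes
            if check_spf(sender_ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists etc. are not handled here
    return "neutral"  # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("203.0.113.5", "example.com"),
                    ("198.51.100.10", "example.com"), ("2001:db8::1", "example.com"),
                    ("203.0.113.5", "lax.example"), ("203.0.113.5", "nospf.example")]:
        print(f"{ip:>16} claiming {dom:<14} -> {check_spf(ip, dom)}")
```

The "none" and "softfail" outcomes are the point of the comment above: the receiving side can only be as strict as the sending domain's owner has chosen to be.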


Antispam solutions for SMS exist and are used afaik..


As the tweet pointed out, this has been possible for years. You can also send emails from whoever you want.


But people don't know this. So they trust SMSs. Most banks will state "We will never email you", so people know not to trust emails from 'their bank'. However some banks use SMSs for authentication.

SMSs have much higher trust factor. After all, we have spam filters on email, but not on SMS.


Exactly. My friends are shocked when they see this working.


> You can also send emails from whoever you want.

Precisely - relying on someone's email address, phone number, name or physical address is not a reliable authentication measure.


You can still set up ways to verify e-mail senders (e.g. DKIM). Can't imagine how you'd verify an SMS.


Or a GPG signed email.


I know. But that does not mean the networks should not try to stop it.


Stop it how exactly? It's the same thing as with phone calls. Unless we migrate to some technology which involves signed, verifiable sources, there's nothing they can do about things like that. Once your telco approves that you can send out any number as source, you can send out any number as your source - they're the highest authority atm. Everything that happens between telcos on the wire is trusted since telcos trust each other.

There are valid use cases for that too of course - setting your presented id as the number of your company's reception, having a single number for incoming connections (or a group) but using multiple lines for calling out, etc.

You can probably ensure the account sending the traffic is closed since it's likely to break multiple local laws, but on the receiving side, there's nothing left to do.


I would have expected that the networks cross-reference the device an SMS was sent from (IMEI?) with the sender phone number claimed in the message. I don't think that's unreasonable, but Richard seems to have found that this basic check isn't being performed here.

Are you so keen to see a system remain with this insecurity just because you have a fundamental belief that perfect security isn't possible? Most if not all security is a case of shades of gray, and there's clearly a lot that could be improved here by the network.


Why do you assume that SMS messages come only from phones having an IMEI? Not only can the IMEI be changed at will and is not connected to the phone number, you can send messages from a service which has a legitimate reason to send the message as you. That's possible by design.

It's not that I believe that perfect security isn't possible. I believe that this issue cannot be fixed in any reasonable way without redoing most of how the current system works. I did some telephony-related work and I don't see any way this kind of limitation can be put on top of our current networks (both regarding sms and phone number spoofing).


I'd imagine that most users only send SMS messages from their phones, not third party services.

If the default was that users couldn't send from other services/devices, then that majority of users wouldn't be vulnerable to the spoofing, and those who opt-in to allow third-party sending would at least be aware somewhat of the implications.

Unless I misunderstand the underlying technology?


Companies would have to create a central authority saying what source numbers are allowed to be used in what way. Everyone would have to check this database before sending the message from their direct customer. Everyone would have to keep it up to date. Procedures for handing over control and allowing third-party modifications would have to be created. And when I say everyone, I mean every single provider in the world, not just ones in your country - there's nothing preventing people from Germany from sending "from number" +1.....

And there's still an issue of how to authorise the third parties. If some bank says multiple sources can use its number for sending messages, how do you identify them?

Still - it would take only a single provider ignoring this to break the whole scheme. It's a bit similar to spam really.


It would be much more realistic to implement a signing scheme. There are only a few mobile service providers, each of which would need a master certificate, which could be distributed.


You could put a lot of effort into adding stuff on top to make it more secure, for example public key authentication and encryption. But maybe it's time for SMS to go away. It's very limited compared to other communication methods, and there's only so much you can bolt on afterwards. And there are plenty of alternatives...


I can also spoof network packages, but my ISP will discard them. Why can't they do the same?


Only on your side. If someone was peering with your ISP and they sent some spoofed packets, there's a big chance they'll be accepted. If they get filtered, that's probably based on the ranges published by the peering partner.

You can consider anycast to be something like spoofing - multiple hosts make you believe they have the same address. There's no way your ISP can verify they are.


This is just silly. Anyone who has industry experience knows that it's trivially possible to spoof SMS phone numbers. Just like with email, it's possible to make the system more secure but given the margins associated with SMS, not likely.

For a clear example, imagine that I'm roaming in Zimbabwe with my UK cellphone. I send an SMS through the Zimbabwe carrier. It (eventually) arrives to the UK recipient network, ready to be delivered. That network could do some form of verification, but as they only get the final billing tally a few days or weeks later from the Zimbabwe ISP, they don't have enough information to do so.

It would not make any sense for the carriers to do SMS verification. And given that emails are far easier to get people to click on links to phishing and malware sites, spoofing SMSs has limited value.

Also, did you know that I could phone you and claim to be someone else?


> Anyone who has industry experience knows that it's trivially possible to spoof SMS phone numbers.

Exactly. My point is that the general public do not know. That is bad.

What do you think?


It simply isn't possible to prevent this, and your blog post just skates over that and blames the networks.

All they could do is raise awareness, which realistically won't do a whole lot.


> but given the margins associated with SMS

Do you mean the margins that lead to a several hundred to several thousand percent markup?


Almost infinite margins!

Check this out for a good read: Anyone who has industry experience knows that it's trivially possible to spoof SMS phone numbers.


The SMS service that I use to send messages has an option to send an SMS 'from' any number I choose and it works nicely.

I can send messages 'from' anyone I want - and we actually use this feature to facilitate a user to easily get replies to her messages sent directly to her phone.


What service are you running?



You should police your service better. Not impressed.


I don't run that service.

I actually just use their API and do my best to ensure that you can't spoof someone's number (you verify your phone number with me before I can send an SMS as you).


I asked for your service that you were running that needed to do what you do. Thanks for the down-votes.


hehe, I just wanted to clarify my stand there.

About downvotes - well, I don't even have the ability to downvote (at least all I can see is just an upvote triangle) - so, not me!


With this technique, replies go to the correct sender number sent not the spoofer, right?


Correct. But that can often make the pranks even better. Especially if you send simultaneously from two people to one-another.


Just so you know, this is what Orange had to say about the site http://www.hoaxmail.co.uk:

Hi Richard

Although I can understand why you may be concerned over the potential misuse of the below site, this is a third-party service which is independent of Orange and we would have no control over its existence.

If you have received an offensive or questionable message from this service, you can report this to them for investigation via http://www.hoaxmail.co.uk/help/faq.php?ref=H13 .

I hope this helps!

Darren Orange Helpers


Sorry but this is a null issue, I have Text message APIs that allow me to specify the sender ID. I understand your app is sexy in that it works off the phone but anyone with a few pounds can do this.

Text message spoofing is easy, CLI spoofing is the "cool" thing to do, and if you can spoof the Passert ID then you are gold.


There are lots of people saying that filtering SMS would be impractical for carriers. Could you explain why that is? Wouldn't it be relatively trivial to check if the number in the SMS header matches the number of the SIM card sending the message?


To be clear, I am well-aware this is not a new issue. However, in the context of the Leveson enquiry into phone "hacking" and O2's recent blunder, I think it is a great time to revisit this issue.
