
If you think O2 headers are bad, check this out. - richardburton
http://www.kiteandcode.com/post/16459436941/if-you-think-o2-headers-are-bad-check-this-out
======
darklajid
So the complaint is that no one tells the world about the insecurity of text
messages. And the blame is laid on a network provider.

This is wrong. First of all I think it's a bad idea to jump on the (valid!)
privacy complaint against O2 in the UK with this unrelated thing. Second, as
many pointed out already: This is not a problem of any carrier.

So your peers are surprised if you send a text message from their mum's
number? Sure, understandable and maybe that needs to be fixed. But your
carrier is not responsible for that in my world, just as Yahoo/Google etc.
cannot protect you from most spoofs in the mail world.

And - gasp! - you can do similar things with a call (ever noticed that Skype
offers to call 'from your number'?).

If the article wouldn't hijack a real issue _and_ wouldn't blame the wrong
target, then I think there's a valid point somewhere in there: We, the
technical crowd, should find a way to educate people around us about inherent
trust issues. But that should be a constructive project, not mud slinging.

~~~
jka
Google and others can and do try to protect users from spoofing - in my
opinion, every communication service provider should try to prevent their
users from being misled by impersonators.

I'm not sure educating all users about the spoofability or otherwise of all
existing communication systems is the way forward as a tech community -
there's more we can do in terms of bolstering existing security and trying to
validate/flag existing messages.

I've never enabled the ability to 'call from my number' for any services, so I
would expect that others would be unable to spoof mine.

~~~
darklajid
Google tries - but cannot. Ultimately it can only do the same dance that it
does with spam. Learn, improve, tweak - and never succeed.

I think a general project to explain encryption/signing would be awesome. I'd
_love_ to send mails to my bank, to the government etc. and have them be
legally binding. I'm sure it could help against quite some amount of spam as
well, if you understand that an address isn't to be trusted by default.

I... don't get that last part. What do you think the process of being able
to authorize a 'from' number is? Technically, a gazillion services could
probably do it. It's inherently simple if you are well-connected. Skype certainly
doesn't need to ask you first and have a kind of exchange with you and your
carrier that 'unlocks' their ability to use your number in an outgoing call.
It's a policy that protects them from abuse (i.e. they care, because of legal
implications and because of possible business impact if they'd abuse it). [1]

They don't need to get your ok though, if they don't want to.

1: This is based on a limited experience in my past, where I had (legal)
access to an Asterisk server with a nice trunk connection to a mobile carrier
in DE. I certainly don't have extensive telecom knowledge, but got a glimpse
at least.

~~~
richardburton
Google tries - that is a good thing!

The networks do not. Check this tweet from the mobile network 3:
<https://twitter.com/threeuksupport/status/162101700595957760>

------
mootothemax
This is not the fault of any one network; it's a fact of life when it comes to
SMS. You can have all kinds of fun, whether it's messages that appear to be
from you, your friend, or 11 characters of your choice, an SMS that will only
display without being stored, or even a voicemail notification.

There's a nice guide to the format here:

<http://www.dreamfabric.com/sms/>
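
An added illustration of the format guide linked above (not part of the original thread): a decoder for the header of a received SMS-DELIVER PDU, showing that the displayed sender, the "display only" class and the voicemail indication are plain fields filled in upstream, with nothing in the PDU that authenticates them. The field layout follows GSM 03.40/03.38; the function names, sample PDUs, numbers and the sender name are constructed for this example.

```python
# Decoder for the sender-related header fields of a received SMS-DELIVER PDU
# (layout per GSM 03.40 / 03.38). All sample PDUs below are constructed.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
TON = {0: "unknown", 1: "international", 2: "national", 5: "alphanumeric"}

def unpack7(data: bytes, count: int) -> str:
    """Unpack `count` GSM 7-bit septets (packed LSB-first across octets)."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * k)) & 0x7F] for k in range(count))

def semi_octets(data: bytes) -> str:
    """Decode nibble-swapped BCD digits, e.g. 0x09 0x10 -> '9001'."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)

def parse_deliver(pdu_hex: str) -> dict:
    p = bytes.fromhex(pdu_hex)
    i = 1 + p[0]                          # skip the length-prefixed SMSC block
    first = p[i]
    if first & 0x03:                      # TP-MTI must be 00 for SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len, toa = p[i + 1], p[i + 2]      # TP-OA: length in semi-octets, type-of-address
    oa = p[i + 3:i + 3 + (oa_len + 1) // 2]
    i += 3 + len(oa)                      # i now points at TP-PID
    ton = (toa >> 4) & 0x07
    if ton == 5:                          # alphanumeric: free text, not a phone number
        sender = unpack7(oa, oa_len * 4 // 7)
    else:
        sender = ("+" if ton == 1 else "") + semi_octets(oa)[:oa_len]
    dcs = p[i + 1]                        # TP-DCS follows TP-PID
    group = dcs >> 4
    has_class = (group < 4 and dcs & 0x10) or group == 0xF
    flash = bool(has_class and (dcs & 0x03) == 0)   # class 0: shown, not stored
    voicemail = group in (0xC, 0xD, 0xE) and bool(dcs & 0x08) and (dcs & 0x03) == 0
    seven_bit = (group < 4 and not dcs & 0x2C) or group in (0xC, 0xD) or (group == 0xF and not dcs & 0x04)
    udl, ud = p[i + 9], p[i + 10:]        # 7 timestamp octets sit between DCS and UDL
    text = unpack7(ud, udl) if seven_bit and not first & 0x40 else None
    return {"sender": sender, "sender_type": TON.get(ton, "other"),
            "flash": flash, "voicemail_indication": voicemail, "text": text}

SMSC, SCTS = "07915155100000F1", "21105201000000"   # constructed service centre, timestamp
SAMPLES = {                                          # constructed PDUs, not captured traffic
    "alnum_flash": SMSC + "04" + "0BD0CDAC30E85C02" + "0010" + SCTS + "05E8329BFD06",
    "numeric":     SMSC + "04" + "0C91447700091032" + "0000" + SCTS + "05E8329BFD06",
    "voicemail":   SMSC + "04" + "0C91447700091032" + "00C8" + SCTS + "00",
}
if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        print(name, parse_deliver(pdu))
```

The first sample carries a six-letter sender name where a number would normally be, and the only thing distinguishing it from the second is the type-of-address octet.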

~~~
richardburton
Agreed. But they do not care at all. That is my complaint.

~~~
bad_user
To fix it, you'd have to reinvent the protocol.

That's like reinventing email. Well good luck with that ;)

~~~
richardburton
My lack of knowledge on this subject is evident here, I am afraid. Is there not
a way the networks could, like Google, try and detect spam or spoof messages?

~~~
bad_user
Yes it can with reasonable accuracy, but it's a whack-a-mole game, because
there is no standard, many attempts have been gamed successfully by spammers,
not all email servers are configured to use the latest "practices" (since this
gets expensive) and not all email clients are configured to use the latest
practices because that would trigger many false positives.

I just did an experiment.

Using my local Postfix email server with the default settings, I just sent an
email from bill.gates@microsoft.com to my Gmail account. It arrived in my
Inbox just fine. And I'm sure that if I sent this to dozens of people, then
Gmail would have flagged it, but it chose not to.

------
alexchamberlain
As the tweet pointed out, this has been possible for years. You can also send
emails from whoever you want.

~~~
richardburton
I know. But that does not mean the networks should not try to stop it.

~~~
viraptor
Stop it how exactly? It's the same thing as with phone calls. Unless we
migrate to some technology which involves signed, verifiable sources, there's
nothing they can do about things like that. Once your telco approves that you
can send out any number as source, you can send out any number as your source
- they're the highest authority atm. Everything that happens between telcos on
the wire is trusted since telcos trust each other.

There are valid use cases for that too of course - setting your presented id
as the number of your company's reception, having a single number for incoming
connections (or a group) but using multiple lines for calling out, etc.

You can probably ensure the account sending the traffic is closed since it's
likely to break multiple local laws, but on the receiving side, there's
nothing left to do.

~~~
jka
I would have expected that the networks cross-reference the device an SMS was
sent from (IMEI?) with the sender phone number claimed in the message. I don't
think that's unreasonable, but Richard seems to have found that this basic
check isn't being performed here.

Are you so keen to see a system remain with this insecurity just because you
have a fundamental belief that perfect security isn't possible? Most if not
all security is a case of shades of gray, and there's clearly a lot that could
be improved here by the network.

~~~
viraptor
Why do you assume that SMS messages come only from phones having an IMEI? Not
only can the IMEI be changed at will, and it is not connected to the phone
number, but you can also send messages from a service which has a legitimate
reason to send the message as you. That's possible by design.

It's not that I believe that perfect security isn't possible. I believe that
this issue cannot be fixed in any reasonable way without redoing most of how
the current system works. I did some telephony-related work and I don't see
any way this kind of limitation can be put on top of our current networks
(both regarding sms and phone number spoofing).

~~~
jka
I'd imagine that most users only send SMS messages from their phones, not
third party services.

If the default was that users _couldn't_ send from other services/devices,
then that majority of users wouldn't be vulnerable to the spoofing, and those
who opt-in to allow third-party sending would at least be aware somewhat of
the implications.

Unless I misunderstand the underlying technology?

~~~
viraptor
Companies would have to create a central authority saying what source numbers
are allowed to be used in what way. Everyone would have to check this database
before sending the message from their direct customer. Everyone would have to
keep it up to date. Procedures for handing over control and allowing third-
party modifications would have to be created. And when I say everyone, I mean
every single provider in the world, not just ones in your country - there's
nothing preventing people from Germany from sending "from number" +1.....

And there's still an issue of how to authorise the third parties. If some bank
says multiple sources can use its number for sending messages, how do you
identify them?

Still - it would take only a single provider ignoring this to break the whole
scheme. It's a bit similar to spam really.

------
casca
This is just silly. Anyone who has industry experience knows that it's
trivially possible to spoof SMS phone numbers. Just like with email, it's
possible to make the system more secure but given the margins associated with
SMS, not likely.

For a clear example, imagine that I'm roaming in Zimbabwe with my UK
cellphone. I send an SMS through the Zimbabwe carrier. It (eventually) arrives
to the UK recipient network, ready to be delivered. That network could do some
form of verification, but as they only get the final billing tally a few days
or weeks later from the Zimbabwe ISP, they don't have enough information to do
so.

It would not make any sense for the carriers to do SMS verification. And given
that emails are far easier to get people to click on links to phishing and
malware sites, spoofing SMSs has limited value.

Also, did you know that I could phone you and claim to be someone else?

~~~
richardburton
_Anyone who has industry experience knows that it's trivially possible to
spoof SMS phone numbers._

Exactly. My point is that the general public do not know. That is bad.

What do you think?

~~~
corin_
It simply isn't possible to prevent this, and your blog post just skates over
that and blames the networks.

All they could do is raise awareness, which realistically won't do a whole
lot.

------
adhipg
The SMS service that I use to send messages has an option to send an SMS
'from' any number I choose and it works nicely.

I can send messages 'from' anyone I want - and we actually use this feature to
facilitate a user to easily get replies to her messages sent directly to her
phone.

~~~
richardburton
What service are you running?

~~~
adhipg
<http://www.fastsms.co.uk/>

~~~
richardburton
You should police your service better. Not impressed.

~~~
adhipg
I don't run that service.

I actually just use their API and do my best to ensure that you can't spoof
someone's number (you verify your phone number with me before I can send an
SMS as you).

~~~
richardburton
I asked for your service that you were running that needed to do what you do.
Thanks for the down-votes.

~~~
adhipg
hehe, I just wanted to clarify my stand there.

About downvotes - well, I don't even have the ability to downvote (at least all
I can see is just an upvote triangle) - so, not me!

------
richardburton
Just so you know, this is what Orange had to say about the site
<http://www.hoaxmail.co.uk>:

Hi Richard

Although I can understand why you may be concerned over the potential misuse
of the below site, this is a third-party service which is independent of
Orange and we would have no control over its existence.

If you have received an offensive or questionable message from this service,
you can report this to them for investigation via
<http://www.hoaxmail.co.uk/help/faq.php?ref=H13> .

I hope this helps!

Darren Orange Helpers

------
brador
With this technique, replies go to the correct sender number sent not the
spoofer, right?

~~~
richardburton
Correct. But that can often make the pranks even better. Especially if you
send simultaneously from two people to one-another.

------
ukgent2
Sorry but this is a null issue, I have Text message APIs that allow me to
specify the sender ID. I understand your app is sexy in that it works off the
phone but anyone with a few pounds can do this.

Text message spoofing is easy, CLI spoofing is the "cool" thing to do, and if
you can spoof the Passert ID then you are gold.

------
zokier
There are lots of people saying that filtering SMS would be impractical for
carriers. Could you explain why that is? Wouldn't it be relatively trivial to
check if the number in the SMS header matches the number of the SIM card
sending the message?

------
richardburton
To be clear, I am well aware this is not a new issue. However, in the context
of the Leveson Inquiry into phone "hacking" and O2's recent blunder, I think
it is a great time to revisit this issue.

