
Binary SMS – The old backdoor to your new thing - wolframio
https://www.contextis.com/blog/binary-sms-the-old-backdoor-to-your-new-thing
======
robert_tweed
Back around 2000, shortly after The Matrix came out and everyone was buying
"those" Nokia phones, I was tasked with writing a couple of applets for a
certain UK mobile phone operator.

One applet was to design operator logos. The other was to compose ringtones.
Both popular things at the time. I was given access to an SMS gateway, a PDF
of the Nokia message format and a deadline.

The exact UI was phone-dependent, but typically these updates would pop up a
confirm box saying "Accept new ringtone?" or something similar. I was
surprised to discover that this was triggered by sending an SMS, because there
was usually no indication that a message had been received. If you were lucky
you would be told where the file had come from, but often the phone just
assumed it was an update from the network. On some phones there wasn't even an
alert, it would just obey, silently.

The message just had to start with "//SCKL", followed by a code, followed by
some data. That's it. On first reading I assumed the "header" part would
require direct access to the SMS gateway, like the SMTP HELO or similar.

Nope. First thing I tried once I had some PoC data was to send a message from
my phone directly to a colleague. It worked.

Over the course of that project I sent so many of those text messages I still
can't get the code //SCKL1581 out of my head. JFTR, sending someone a really
awful ringtone (a single diminished fifth or something) is way more annoying
than sending them "0" as an operator logo, especially if their phone only has
one ringtone.

[https://www.activexperts.com/sms-component/sms/sckl/](https://www.activexperts.com/sms-component/sms/sckl/)

~~~
kuschku
Do you know if it’s possible to change the displayed operator name with this,
and if yes, how?

Ever since a few years ago my SIM believes its operator to be a random
sequence of characters that’s definitely not the operator, and I’d love to fix
that.

~~~
robert_tweed
Depends on the phone. I don’t think any modern phones support this, but you
could try.

The prefix for the logo is //SCKL1581 and IIRC all you need is an unencoded
bitmap in hex. I.e., “0” is 4 black pixels and “f” is 4 white (or vice versa).
The data format for ringtones is a lot more complicated.

In theory you can just hex dump a monochrome bmp file of the correct size,
although the byte order may be wrong and you’ll need to strip the headers.

However you also need to know the codes for the network/country. If the first
link doesn’t cover it I found another one here:

[https://www.csoft.co.uk/archive/sckl#an-operator-logo](https://www.csoft.co.uk/archive/sckl#an-operator-logo)

IIRC images are zero-padded automatically so you can send in a single message
as long as it’s not full size. The other problem is that modern phones handle
multipart SMS automatically, so it might mangle the preamble. You might have
more luck sending from an ancient phone or going via an SMS gateway API
directly.

~~~
kuschku
I meant the actual operator name. It’s displayed as text either Netz (German
for "network", which is... not the actual name) or as something like ⅛£⅜±⅛°%).

~~~
jfim
It's been a while since I've done any telecom work, but from what I recall,
the SIM card just sends a message to your phone with the operator name. The
origin of that string could either be baked in the default app running on the
SIM card or come from a message received from the network (eg. for a multi
carrier SIM card).

------
donttrack
I wonder why we haven't seen more exploits targeting SMS PDU mode. Is it the
barrier for script kiddies just too high? You would probably need a network
tester of some kind to properly try to find exploits.

I used to work for a big mobile phone manufacturer and once in a while we
would get "secret" fixes to merge into the source. The commit message would be
something unrelated and the builds would be pushed silently without much
fanfare.

I was in charge for the merging, which is how I know this. Some of those fixes
were for SMS PDU mode or related to stuff happening when PDUs were received.
Not sure how phones handle these messages today, but I assume they follow
spec, which means there are certain SMS PDUs which will be reacted on silently
in the background (stuff in the PDU body is parsed and applications launched
if necessary).

I should try to get an old R&S tester from eBay maybe. Could be fun to try to
explore this area. Could be a nice security business niche to get into.

~~~
IronBacon
I think I've seen a presentation from CCC years ago where they demonstrated an
"SMS of death" (similar to the "ping of death") where they rebooted various
brands of phones. I don't have a link at hand, I recall they used an SMS modem
and they didn't reveal a lot of details (I'm not even sure if they rebooted or
bricked the receiving phones) for abuse concerns, but it should probably be easy
to find.

edit: it was easier than I thought, first hit on Google:
[https://media.ccc.de/v/27c3-4060-en-attacking_mobile_phones](https://media.ccc.de/v/27c3-4060-en-attacking_mobile_phones)

------
HillaryBriss
_Law Enforcement can track a phone with 'silent' SMS messages designed not to
alert the user._

well, that's something i didn't know

~~~
War_tijn
As far as I know they can only see to which tower your phone is connected, so
it's not too accurate.

I'm not an expert in this field though.

~~~
chatmasta
If you repeatedly triangulate a phone at < 100m resolution for a few hours, it
should become trivial to identify its exact location. The more people in the
area, the less reliable the method is. But in rural or suburban areas, it's
going to be pretty good.

See the LocationSmart stories the past few days for more on this.

------
derefr
I’ve always wanted to play around with raw SMS PDUs. You could construct MMSes
“from scratch”, for example; or send “ephemeral alert” messages that (at least
by the standard) don’t get stored in SMS conversation history, just popping up
and then disappearing instead.

Does anyone know, then, why Twilio and its like don’t let you construct/send
raw binary PDUs? If it was a matter of cellular network security, well, that
was already out the window once you let people with rooted phones into the
network. Why not give virtual “phones” the same capability?

~~~
donttrack
Binary PDUs can be tricky to send between operators - especially when those
operators are in different countries. Often you will find that the PDU
messages simply disappear. Internally within an operator network there
shouldn’t be any problem usually.

That is probably why twilio doesn’t support it.

------
peterburkimsher
Are there tools available to monitor if I receive a silent SMS?

I think it's safe to assume that all popular brands of phone are compromised
and exploitable with these SMS PDUs. If I buy a Seeed Rephone open-source DIY
kit and use it as a GSM-to-WiFi modem, will that be any more secure? I guess
that reverse triangulation from cell towers is still possible to determine my
location.

~~~
mlaretallack
While not directly silent SMS, SnoopSnitch can check mobile network security
and monitor for some of the message types -
[https://f-droid.org/app/de.srlabs.snoopsnitch](https://f-droid.org/app/de.srlabs.snoopsnitch)

~~~
crtasm
Interesting. Requires root and a Qualcomm chipset, compatible device list
here:
[https://opensource.srlabs.de/projects/snoopsnitch/wiki/Devic...](https://opensource.srlabs.de/projects/snoopsnitch/wiki/DeviceList)

------
app4soft
It just reminds me of a dirty 'hack' from 2005-2010: if you set the format for
SMS to "E-Mail" on a _Siemens C65 /C72_ phone, then send an SMS from this
_Siemens phone_ to a _SonyEricsson K210 /K750_ phone -- this SMS is shown on the
_SonyEricsson phone_ as _sent from anonymous_ ;-)

~~~
donttrack
That might be my fault. I worked on the TCP/IP and SMS protocol stacks for the
55 and 65 series Siemens phones..

Sorry..

I know of at least one small Easter egg if anyone has a S65 lying around
somewhere. I don’t believe it was discovered by anyone before. Might also work
on the 55 devices - don’t quite remember as it was a long time ago.

~~~
app4soft
> I don’t believe it was discovered by anyone before.

It was so funny when I discovered this Easter egg and then used it for trolling
my own friends... An awesome time when I was like a "phone hacker" :-D

Thanks to the Siemens developers who gave us time for thinking...

    
    
      ╔═══════════════════╗
      ║                   ║
      ║                   ║
      ║  Please, wait...  ║
      ║   ●  ●  ●  ◐  ○   ║
      ║                   ║
      ║                   ║
      ╚═══════════════════╝

------
locknload
SMS was always an effective procedure for writing to certain parts of the phone
without checks.

------
codedokode
> Setting the PID to 0x64 would be a silent SMS known as a 'type 0' SMS which
> all handsets receive and must acknowledge without indicating its receipt to
> the user. As previously mentioned, this has been used by law enforcement to
> actively 'ping' a handset on a network.

I don't like that. Why should a device that I have paid for contain this
backdoor? Manufacturers should not forget from whom they get the money.

It might be difficult to fix in hardware, but if it is handled in software then
open source projects like Android could fix it and not reply to silent SMS, or
display them to the user.

~~~
donttrack
Actually the reply to the ping originates from the network itself and not the
phone and it would work with any class of SMS - you just need to set the
“delivery receipt” bit in the SMS. Then the network will send a receipt to the
sender when the message has been delivered.
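The two threads above (peterburkimsher asking whether a received silent SMS can be detected, and codedokode's quoted passage on type 0 messages) come down to inspecting fields of the SMS-DELIVER PDU the handset receives. The following decoder is an added example, not code from the Context IS article or any of the commenters. It parses an SMS-DELIVER PDU, reads TP-PID, TP-DCS and the User Data Header, unpacks GSM 7-bit text, and flags three things a phone may act on without showing the user anything: type 0 "silent" SMS, 8-bit binary messages carrying a UDH (port-addressed smart messages), and text starting with the //SCKL prefix discussed earlier. 3GPP TS 23.040 assigns Short Message Type 0 the TP-PID value 0x40 (64 decimal), which is what the decoder checks; the quoted passage writes the value as 0x64. The three sample PDUs are constructed for the example: the sender number, timestamp, port numbers and payload bytes are made up, and the `pack_gsm7` helper exists only to build the text sample.

```python
"""Decode SMS-DELIVER PDUs and flag message kinds a handset may act on
silently: type 0 SMS, 8-bit binary with a User Data Header, //SCKL text.

Added example; not code from the Context IS article or the commenters.
The sample PDUs below are constructed: sender, timestamp, ports and
payload bytes are all made-up values.
"""

# GSM 7-bit default alphabet (3GPP TS 23.038). The 0x1B extension table is
# not handled, so characters such as '[' or the euro sign decode as ESC.
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789"
        ":;<=>?¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

TYPE0_PID = 0x40    # TP-PID "Short Message Type 0" in 3GPP TS 23.040
IEI_PORT16 = 0x05   # UDH information element: 16-bit application port addressing


def pack_gsm7(text: str) -> bytes:
    """Pack text into GSM 7-bit septets (used here only to build a sample)."""
    n = 0
    for i, ch in enumerate(text):
        n |= GSM7.index(ch) << (7 * i)
    return n.to_bytes((7 * len(text) + 7) // 8, "little")


def unpack_gsm7(data: bytes, septets: int, skip: int = 0) -> str:
    """Unpack septets [skip, septets) from the little-endian packed bitstream."""
    n = int.from_bytes(data, "little")
    return "".join(GSM7[(n >> (7 * i)) & 0x7F] for i in range(skip, septets))


def swap_nibbles(data: bytes) -> str:
    """Semi-octet digits are stored low nibble first: 0x21 -> '12'."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in data)


def alphabet(dcs: int) -> str:
    """Map TP-DCS to the user-data alphabet (subset of TS 23.038)."""
    if dcs & 0xC0 == 0x00:                       # general data coding group
        return {0x00: "gsm7", 0x04: "8bit", 0x08: "ucs2"}.get(dcs & 0x0C, "reserved")
    if dcs & 0xF0 == 0xF0:                       # data coding / message class group
        return "8bit" if dcs & 0x04 else "gsm7"
    return "other"


def parse_udh(udh: bytes) -> dict:
    """Walk the information elements of a User Data Header."""
    elements, pos = {}, 0
    while pos + 2 <= len(udh):
        iei, length = udh[pos], udh[pos + 1]
        body = udh[pos + 2:pos + 2 + length]
        pos += 2 + length
        if iei == IEI_PORT16 and length == 4:
            elements["dest_port"] = int.from_bytes(body[:2], "big")
            elements["orig_port"] = int.from_bytes(body[2:], "big")
        else:
            elements[f"iei_{iei:02X}"] = body.hex()
    return elements


def decode_deliver(hexpdu: str) -> dict:
    """Decode an SMS-DELIVER PDU (with SMSC length prefix, numeric originator)."""
    b = bytes.fromhex(hexpdu)
    pos = 1 + b[0]                               # skip the SMSC address field
    first = b[pos]; pos += 1
    if (first & 0x03) != 0x00:                   # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                    # TP-UDHI: header present
    oa_len, oa_toa = b[pos], b[pos + 1]; pos += 2
    oa_octets = (oa_len + 1) // 2
    digits = swap_nibbles(b[pos:pos + oa_octets])[:oa_len]; pos += oa_octets
    sender = ("+" if (oa_toa & 0x70) == 0x10 else "") + digits
    pid, dcs = b[pos], b[pos + 1]; pos += 2
    pos += 7                                     # TP-SCTS timestamp, not needed here
    udl = b[pos]; pos += 1
    ud = b[pos:]
    alpha = alphabet(dcs)

    udh, udh_octets = {}, 0
    if udhi:
        udh_octets = 1 + ud[0]
        udh = parse_udh(ud[1:udh_octets])

    text, payload = "", b""
    if alpha == "gsm7":
        skip = (udh_octets * 8 + 6) // 7         # text starts on a septet boundary after the UDH
        text = unpack_gsm7(ud, udl, skip)
    else:
        payload = ud[udh_octets:udl]

    flags = []
    if pid == TYPE0_PID:
        flags.append("silent_type0")             # must be acked, never shown to the user
    if udhi and alpha == "8bit":
        flags.append("binary_with_udh")          # port-addressed binary (smart messaging style)
    if text.startswith("//SCKL"):
        flags.append("sckl_smart_message")       # Nokia text-mode smart message header
    return {"sender": sender, "pid": pid, "dcs": dcs, "alphabet": alpha,
            "udh": udh, "text": text, "payload": payload, "flags": flags}


# Constructed samples: fake sender +441234567890, fake timestamp 2018-05-18 10:30:00.
HEADER = "00" "04" "0C91" "442143658709"         # no SMSC, DELIVER, originator address
SCTS = "81508101030000"
SILENT_PDU = HEADER + "40" "00" + SCTS + "00"    # PID 0x40, empty user data
SCKL_TEXT = "//SCKL1581 0FF0"
SCKL_PDU = HEADER + "00" "00" + SCTS + f"{len(SCKL_TEXT):02X}" + pack_gsm7(SCKL_TEXT).hex()
BINARY_PDU = ("00" "44" "0C91" "442143658709" + "00" "04" + SCTS   # 0x44: UDHI set, DCS 8-bit
              + "0C" "06" "05" "04" "1581" "0000" "0102030405")     # UDH: dest port 0x1581

if __name__ == "__main__":
    for name, pdu in [("silent", SILENT_PDU), ("sckl", SCKL_PDU), ("binary", BINARY_PDU)]:
        d = decode_deliver(pdu)
        print(f"{name:7} from {d['sender']} pid=0x{d['pid']:02X} flags={d['flags']}")
```

Fed with PDUs read from a modem in PDU mode (`AT+CMGF=0`) or from a baseband trace, the `flags` list is the part worth logging: a handset that honours the spec will acknowledge a `silent_type0` message without ever displaying it, so the only place it becomes visible is a decoder like this one sitting in front of the normal message store.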

------
pavel_lishin
Unrelated to the article, but when I zoomed in to 150%+ in Chrome, this image
[1] turned into this image [2]:

[https://www.contextis.com/media/images/made/media/images/con...](https://www.contextis.com/media/images/made/media/images/content/RF_box.width-800_800_533_75.jpg)

[https://www.contextis.com/media/images/made/media/images/con...](https://www.contextis.com/media/images/made/media/images/content/RF_box.width-800_800_533_1.jpg)

------
jiveturkey
i used to use this (in my company) to provision OTP secrets. this was before
iphone. after provisioning, OTP requests could be offline. thus no worries
about sending an otp over sms.

of course the secret was itself encrypted via pre-provisioned Key Encrypting
Key.

or users could manually enter the wrapped otp secret on the off chance the sms
didn’t work. it worked for nokia and blackberry so that covered nearly 100%.

the article talks about abuse but in my case quite a useful “backdoor”.

------
secstu
Nice little write up. Rather than using the USRP I'd probably use a LimeSDR,
if you can get hold of one.

------
noir-york
Great article! Thanks for posting.

