One applet was to design operator logos. The other was to compose ringtones. Both popular things at the time. I was given access to an SMS gateway, a PDF of the Nokia message format and a deadline.
The exact UI was phone-dependent, but typically these updates would pop up a confirm box saying "Accept new ringtone?" or something similar. I was surprised to discover that this was triggered by sending an SMS, because there was usually no indication that a message had been received. If you were lucky you would be told where the file had come from, but often the phone just assumed it was an update from the network. On some phones there wasn't even an alert, it would just obey, silently.
The message just had to start with "//SCKL", followed by a code, followed by some data. That's it. On first reading I assumed the "header" part would require direct access to the SMS gateway, like the SMTP HELO or similar.
Nope. First thing I tried once I had some PoC data was to send a message from my phone directly to a colleague. It worked.
Over the course of that project I sent so many of those text messages I still can't get the code //SCKL1581 out of my head. JFTR, sending someone a really awful ringtone (a single diminished fifth or something) is way more annoying than sending them "0" as an operator logo, especially if their phone only has one ringtone.
Ever since a few years ago my SIM believes its operator to be a random sequence of characters that’s definitely not the operator, and I’d love to fix that.
The prefix for the logo is //SCKL1581 and IIRC all you need is an unencoded bitmap in hex. I.e., “0” is 4 black pixels and “f” is 4 white (or vice versa). The data format for ringtones is a lot more complicated.
In theory you can just hex dump a monochrome bmp file of the correct size, although the byte order may be wrong and you’ll need to strip the headers.
However you also need to know the codes for the network/country. If the first link doesn’t cover it I found another one here:
IIRC images are zero-padded automatically so you can send in a single message as long as it’s not full size. The other problem is that modern phones handle multipart SMS automatically, so it might mangle the preamble. You might have more luck sending from an ancient phone or going via an SMS gateway API directly.
That looks like a unicode encoding error to me, might require a firmware update on your phone.
I haven’t looked at any of this for years so I can’t give any up to date information unfortunately.
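As an added illustration (my code, not code from the thread, from Nokia, or from the spec PDF the poster mentions), here is a small Python encoder and parser for the text-mode "//SCKL" message the comments above describe. The port string 1581 is taken from the comment exactly as written; the MCC/MNC BCD layout follows 3GPP TS 24.008, but whether the logo payload starts with that 3-byte code followed by an info byte, width, height and depth is my recollection of the Nokia Smart Messaging spec and is treated here as an assumption to check against that PDF. Bit order, polarity, the optional header fields recognised by the parser and the sample bitmap are constructed, and the comment itself warns that byte order may be wrong for a given phone. The single-SMS length check is the multipart caveat from the comment made concrete.

```python
# Added example, not part of the thread. Builds and recognises the text-mode
# Nokia Smart Messaging ("//SCKL") SMS described in the comments above.
import re

# Port string exactly as the comment above recalls it; verify against the spec.
LOGO_PORT = "1581"
SINGLE_SMS_CHARS = 160  # one GSM 7-bit SMS; longer text is split into parts


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """MCC/MNC in the GSM BCD layout of 3GPP TS 24.008 section 10.5.1.3:
    byte0 = MCC2|MCC1, byte1 = MNC3|MCC3, byte2 = MNC2|MNC1 (high|low nibble),
    a two-digit MNC filling the MNC3 nibble with 0xF.
    Assumption: the operator logo carries this same 3-byte form."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    mnc3 = int(mnc[2]) if len(mnc) == 3 else 0xF
    return bytes([
        (int(mcc[1]) << 4) | int(mcc[0]),
        (mnc3 << 4) | int(mcc[2]),
        (int(mnc[1]) << 4) | int(mnc[0]),
    ])


def pack_bitmap(rows: list[str]) -> bytes:
    """Pack text art ('#' = dark, '.' = light) into 1 bit per pixel, MSB first,
    each row padded to a whole byte. Assumption: this polarity and bit/byte
    order is what the phone expects; the comment warns it may be reversed."""
    width = len(rows[0])
    out = bytearray()
    for row in rows:
        if len(row) != width or any(c not in "#." for c in row):
            raise ValueError("rows must be equal length and use only '#' and '.'")
        bits = "".join("1" if c == "#" else "0" for c in row)
        bits += "0" * (-len(bits) % 8)
        out += int(bits, 2).to_bytes(len(bits) // 8, "big")
    return bytes(out)


def logo_payload(mcc: str, mnc: str, rows: list[str]) -> bytes:
    """Assumption (my recollection of the OTA bitmap header, check the spec):
    PLMN code, then info byte 0x00, width, height, depth 0x01 (1 bpp), bitmap."""
    header = bytes([0x00, len(rows[0]), len(rows), 0x01])
    return encode_plmn(mcc, mnc) + header + pack_bitmap(rows)


def build_smart_message(port_hex: str, payload: bytes) -> str:
    """Text-mode header as the thread describes it: the literal '//SCKL', the
    four-hex-digit destination port, a space, then the payload as hex."""
    return f"//SCKL{port_hex} {payload.hex().upper()}"


def fits_single_sms(text: str) -> bool:
    """A message longer than one SMS is concatenated by modern phones, which the
    comment above notes can mangle the //SCKL preamble."""
    return len(text) <= SINGLE_SMS_CHARS


# Optional source port and a 6-hex-digit reference/total/sequence field after
# the destination port are assumptions about the header layout.
SCKL_RE = re.compile(
    r"^//SCKL([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})?([0-9A-Fa-f]{6})? ([0-9A-Fa-f]+)$"
)


def parse_smart_message(text: str):
    """Recognise an incoming text-mode smart message so a handset or app can
    show it, or drop it, instead of acting on it silently. None if not SCKL."""
    m = SCKL_RE.match(text)
    if not m or len(m.group(4)) % 2:
        return None
    dest, src, frag, hexdata = m.groups()
    return {"dest_port": dest.upper(), "src_port": src, "frag": frag,
            "payload": bytes.fromhex(hexdata)}


# Constructed sample: a 24x6 logo, small enough for one SMS, for a made-up
# network code 244 05.
SAMPLE_ROWS = [
    "########################",
    "#......................#",
    "#..##..##..##..##..##..#",
    "#..##..##..##..##..##..#",
    "#......................#",
    "########################",
]

if __name__ == "__main__":
    msg = build_smart_message(LOGO_PORT, logo_payload("244", "05", SAMPLE_ROWS))
    print(msg, "fits one SMS:", fits_single_sms(msg))
    print(parse_smart_message(msg))
```

A full-size 72x14 logo comes out at well over 160 characters once hex-encoded, so `fits_single_sms` returns False for it; that is exactly the case where the comment suggests an ancient phone or a direct gateway API instead of a modern handset's automatic concatenation.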
I used to work for a big mobile phone manufacturer and once in a while we would get "secret" fixes to merge into the source. The commit message would be something unrelated and the builds would be pushed silently without much fanfare.
I was in charge of the merging, which is how I know this. Some of those fixes were for SMS PDU mode or related to stuff happening when PDUs were received. Not sure how phones handle these messages today, but I assume they follow spec, which means there are certain SMS PDUs which will be reacted on silently in the background (stuff in the PDU body is parsed and applications launched if necessary).
I should try to get an old R&S tester from eBay maybe. Could be fun to try to explore this area. Could be a nice security business niche to get into.
edit: it was easier than I thought, first hit on Google: https://media.ccc.de/v/27c3-4060-en-attacking_mobile_phones
well, that's something I didn't know
Back in the day they would use lower level routing commands (eg SRI lookup) to find the VLR and then cell tower codes of the phone. Most of the time after a few pings you can get 2 or more cells, enough for a decent approximate location. There are DBs that match codes to lat/long. This works even if the number you're tracing isn't on your network, but you need to have access to "a" network to do it. Lots of guys like SMS aggregators and small MVNOs have access to this.
If you have access to the network where the user is you can use either dedicated location systems if they have them or use the VLR method above for a rough location. If you wanted to get very fancy you could log into a system closer to the towers and check the reports on cell tower power that your phone periodically sends to triangulate better. Or even match them off coverage maps.
Under both systems above your phone is never party to comms (unlike actual SMS) so it's impossible to know someone is tracing you.
This was 2G / early 3G systems. Loc tracking was more difficult with WCDMA, esp triangulation. Maybe that's changed. Or it hasn't because governments find it easier to check leaky app level APIs :P
So sending the phone things that don’t do anything puts it in a state where you can track it more accurately, and then you need to cooperate with the provider to actually track it.
They can track you the same way if they would just call you. That would be kind of conspicuous so that’s why they use silent messages instead. But it isn’t like you can send a message that tells the phone to report its location.
As long as your phone is on, you're broadcasting. Indeed I think there are cases of tracing where the phone is switched off too, though not sure if they used historical cell data to guess at its location or there is some secret sauce.
But - as you mention, you require to have connections into an operator to do all this.
Not when the phone is idle and is not leaving a location area though.
(At least that's my memory from my college class)
I'm not an expert in this field though.
See the LocationSmart stories the past few days for more on this.
Does anyone know, then, why Twilio and its like don’t let you construct/send raw binary PDUs? If it was a matter of cellular network security, well, that was already out the window once you let people with rooted phones into the network. Why not give virtual “phones” the same capability?
That is probably why twilio doesn’t support it.
I think it's safe to assume that all popular brands of phone are compromised and exploitable with these SMS PDUs. If I buy a Seeed Rephone open-source DIY kit and use it as a GSM-to-WiFi modem, will that be any more secure? I guess that reverse triangulation from cell towers is still possible to determine my location.
It's an ATMega128 which sits between the phone and SIM, intercepting all comms. It runs C code and provides an API which lets you read, manipulate or send any kind of SMS. Specifically, you can edit or prevent messages or any kind of SMS from reaching the SIM and thus your mobile operator's "secret" SIM apps.
I used it at a previous job and can vouch for it.
Doesn't look like they have versions for smaller SIMs, however.
I know of at least one small Easter egg if anyone has a S65 lying around somewhere. I don’t believe it was discovered by anyone before. Might also work on the 55 devices - don’t quite remember as it was a long time ago.
It was so funny when I discovered this Easter egg and then used it for trolling my own friends... Awesome time when I was like a "phone hacker" :-D
Thanks, Siemens developers, for giving us time to think...
║ Please, wait... ║
║ ● ● ● ◐ ○ ║
I don't like that. Why should a device that I have paid for contain this backdoor? Manufacturers should not forget from whom they get the money.
It might be difficult to fix in hardware but if it is handled in software then open source projects like Android could do it and not reply to silent SMS, or display them to the user.
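As an added example (my code, not from the thread or from any handset vendor), here is what the "raw binary PDUs" and "silent SMS" mentioned above look like at the byte level, following 3GPP TS 23.040 section 9.2: an SMS-SUBMIT whose TP-PID of 0x40 (Short Message Type 0) tells the receiving phone to acknowledge the message to the network but discard it without showing anything, and a parser for an incoming SMS-DELIVER that flags that PID, which is the kind of check the comment above suggests an open-source handset could make instead of silently obeying. The phone numbers, SMSC address and timestamp in the sample PDU are constructed; the 8-bit data coding scheme is chosen only so that the user-data length is a plain byte count, and the SMS-DELIVER parser deliberately leaves user data as raw bytes.

```python
# Added example, not from the thread. Raw SMS PDUs per 3GPP TS 23.040 9.2:
# a "silent" (Type 0) SMS-SUBMIT, and an SMS-DELIVER parser that flags it.

PID_TYPE0 = 0x40   # TP-PID "Short Message Type 0": acknowledged, never displayed
DCS_8BIT = 0x04    # 8-bit data coding, so TP-UDL is simply a byte count


def encode_address(number: str) -> bytes:
    """TP-DA / TP-OA: digit count, type-of-address 0x91 (international), then
    the digits as nibble-swapped BCD, padded with 0xF to a whole byte."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("international number expected, e.g. +358...")
    padded = digits + ("F" if len(digits) % 2 else "")
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), 0x91]) + bytes.fromhex(swapped)


def decode_address(buf: bytes, pos: int):
    """Inverse of encode_address; returns (number, position after the field)."""
    ndigits, toa = buf[pos], buf[pos + 1]
    nbytes = (ndigits + 1) // 2
    raw = buf[pos + 2:pos + 2 + nbytes].hex().upper()
    digits = "".join(raw[i + 1] + raw[i] for i in range(0, len(raw), 2))[:ndigits]
    return ("+" if toa == 0x91 else "") + digits, pos + 2 + nbytes


def build_submit_pdu(dest: str, user_data: bytes = b"", pid: int = PID_TYPE0):
    """SMS-SUBMIT with no SMSC given (leading 00 = use the default) and no
    validity period (first octet 0x01). Returns (hex PDU, TPDU length), the
    length being what AT+CMGS=<len> expects. Only the TP-PID byte separates an
    ordinary empty message from a silent one."""
    tpdu = (bytes([0x01, 0x00]) + encode_address(dest)
            + bytes([pid, DCS_8BIT, len(user_data)]) + user_data)
    return "00" + tpdu.hex().upper(), len(tpdu)


def parse_deliver_pdu(hexpdu: str) -> dict:
    """Parse an SMS-DELIVER as the handset receives it and report whether it is
    one the user would never be shown. User data is returned as raw bytes."""
    buf = bytes.fromhex(hexpdu)
    pos = 1 + buf[0]                      # skip SMSC information (length-prefixed)
    first = buf[pos]
    if first & 0x03 != 0x00:              # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER")
    sender, pos = decode_address(buf, pos + 1)
    pid, dcs = buf[pos], buf[pos + 1]
    pos += 2 + 7                          # TP-PID, TP-DCS, TP-SCTS (7 bytes)
    udl = buf[pos]
    return {
        "sender": sender,
        "pid": pid,
        "dcs": dcs,
        "udhi": bool(first & 0x40),       # user-data header present (e.g. ports)
        "udl": udl,
        "user_data": buf[pos + 1:],
        "silent": pid == PID_TYPE0,
    }


# Constructed SMS-DELIVER: SMSC +358400000000, sender +358401234567, TP-PID 0x40,
# DCS 8-bit, timestamp 2018-05-12 12:43:00 +02:00, empty user data.
SAMPLE_SILENT_DELIVER = (
    "0791534800000000"      # SMSC: 7 bytes follow, international, 358400000000
    "04"                    # first octet: SMS-DELIVER, no more messages waiting
    "0C91534810325476"      # TP-OA: 12 digits, international, 358401234567
    "40"                    # TP-PID: Short Message Type 0
    "04"                    # TP-DCS: 8-bit data
    "81502121340080"        # TP-SCTS: 18-05-12 12:43:00, +8 quarter hours
    "00"                    # TP-UDL: no user data
)

if __name__ == "__main__":
    print(build_submit_pdu("+358401234567"))
    print(parse_deliver_pdu(SAMPLE_SILENT_DELIVER))
```

The parser stops at the user-data length on purpose: for the display-or-drop decision the comment above is asking for, the TP-PID (and, for port-addressed payloads, the UDHI flag) is what matters, and it is available before any body decoding, so a handset can raise a notification or reject the message without first interpreting the payload.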
of course the secret was itself encrypted via pre-provisioned Key Encrypting Key.
or users could manually enter the wrapped otp secret on the off chance the sms didn’t work. it worked for nokia and blackberry so that covered nearly 100%.
the article talks about abuse but in my case quite a useful “backdoor”.