Hacker News new | past | comments | ask | show | jobs | submit login
Binary SMS – The old backdoor to your new thing (contextis.com)
213 points by wolframio on May 17, 2018 | hide | past | web | favorite | 37 comments

Back around 2000, shortly after The Matrix came out and everyone was buying "those" Nokia phones, I was tasked with writing a couple of applets for a certain UK mobile phone operator.

One applet was to design operator logos. The other was to compose ringtones. Both popular things at the time. I was given access to an SMS gateway, a PDF of the Nokia message format and a deadline.

The exact UI was phone-dependent, but typically these updates would pop up a confirm box saying "Accept new ringtone?" or something similar. I was surprised to discover that this was triggered by sending an SMS, because there was usually no indication that a message had been received. If you were lucky you would be told where the file had come from, but often the phone just assumed it was an update from the network. On some phones there wasn't even an alert, it would just obey, silently.

The message just had to start with "//SCKL", followed by a code, followed by some data. That's it. On first reading I assumed the "header" part would require direct access to the SMS gateway, like the SMTP HELO or similar.

Nope. First thing I tried once I had some PoC data was to send a message from my phone directly to a colleague. It worked.

Over the course of that project I sent so many of those text messages I still can't get the code //SCKL1581 out of my head. JFTR, sending someone a really awful ringtone (a single diminished fifth or something) is way more annoying than sending them "0" as an operator logo, especially if their phone only has one ringtone.


Do you know if it’s possible to change the displayed operator name with this, and if yes, how?

Every since a few years ago my SIM believes its operator to be a random sequence of characters that’s definitely not the operator, and I’d love to fix that.

Depends on the phone. I don’t think any modern phones support this, but you could try.

The prefix for the logo is //SCKL1581 and IIRC all you need is an unencoded bitmap in hex. I.e., “0” is 4 black pixels and “f” is 4 white (or vice versa). The data format for ringtones is a lot more complicated.

In theory you can just hex dump a monochrome bmp file of the correct size, although the byte order may be wrong and you’ll need to strip the headers.

However you also need to know the codes for the network/country. If the first link doesn’t cover it I found another one here:


IIRC images are zero-padded automatically so you can send in a single message as long as it’s not full size. The other problem is that modern phones handle multipart SMS automatically, so it might mangle the preamble. You might have more luck sending from an ancient phone or going via an SMS gateway API directly.

I meant the actual operator name. It’s displayed as text either Netz (German for "network", which is... not the actual name) or as something like ⅛£⅜±⅛°%).

It's been a while since I've done any telecom work, but from what I recall, the SIM card just sends a message to your phone with the operator name. The origin of that string could either be baked in the default app running on the SIM card or come from a message received from the network (eg. for a multi carrier SIM card).

Often the operator name is a bitmap logo, but they probably have a text version now as well.

That looks like a unicode encoding error to me, might require a firmware update on your phone.

I have’t looked at any of this for years so I can’t give any up to date information unfortunately.

I wonder why we haven't seen more exploits targeting SMS PDU mode. Is it the barrier for script kiddies just too high? You would probably need a network tester of some kind to properly try to find exploits.

I used to work for a big mobile phone manufacturer and once in a while we would get "secret" fixes to merge into the source. The commit message would be something unrelated and the builds would be pushed silently without much fanfare.

I was in charge for the merging, which is how I know this. Some of those fixes were for SMS PDU mode or related to stuff happening when PDUs were received. Not sure how phones handle these messages today, but I assume they follow spec, which means there are certain SMS PDUs which will be reacted on silently in the background (stuff in the PDU body is parsed and applications launched if necessary).

I should try to get an old R&S tester from eBay maybe. Could be fun to try to explore this area. Could be a nice security business niche to get into.

I think I've seen a presentation from CCC years ago where they demonstrated an "SMS of death" (similar to the "ping of death") where they rebooted various brands of phones. I don't have a link at hand, I recall they used a SMS modem and they didn't reveal a lot of details (I'm not even sure if they rebooted or bricked the receiving phones) for abuse concerns, but it should probably easy to find.

edit: it was easier than I thought, first hit on Google: https://media.ccc.de/v/27c3-4060-en-attacking_mobile_phones

Law Enforcement can track a phone with 'silent' SMS messages designed not to alert the user.

well, that's something i didn't know

In practice you don't need SMS for this.

Back in the day they would use lower level routing commands (eg SRI lookup) to find the VLR and then cell towers codes of the phone. Most of the time after a few pings you can get 2 or more cells, enough for a decent approximate location. There are DBs that match codes to lat/long. This works even if the number your tracing isn't on your network, but you need to have access to "a" network to do it. Lots of guys like SMS aggregators and small MVNOs have access to this.

If you have access to the network where the user is you can use either dedicated location systems if they have them or use the VLR method above for a rough location. If you wanted to get very fancy you could log into a system closer to the towers and check the reports on cell tower power that your phone periodically sends to triangulate better. Or even match them off coverage maps.

Under both systems above your phone is never party to comms (unlike actual SMS) so its impossible to know someone is tracing you..

This was 2G / early 3G systems. Loc tracking was more difficult with WCDMA, esp triangulation. Maybe thats changed. Or it hasn't because governments find it easier to check leaky app level APIs :P

It isn’t like they track the phone using the messages, instead you can more accurately track the phone if it is sending and receiving things; the network needs to know more to make the connection work.

So sending the phone things that don’t do anything puts it in a state where you can track it more accurately, and then you need to cooperate with the provider to actually track it.

They can track you the same way if they would just call you. That would be kind of conspicuous so that’s why they use silent messages instead. But it isn’t like you can send a message that tells the phone to reports its location.

Generally you wouldn't need any type of messaging to the handset for this. As the phone periodically reports the signal strengths of surrounding cells for the purposes of handover just taking a glimpse of this is enough to triangulate well.

As long as your phone is on your broadcasting. Indeed I think there are cases of tracing where the phone is switched off too, though not sure if they used historical cell data to guess at its location or there is some secret sauce.

But - as you mention, you require to have connections into an operator to do all this.

If you put your phone close to your amp or sound card and if they are not perfectly shielded then you can hear when the phone is transmitting the signal. You can hear modem-like sound before receiving a call or a message, and in idle mode the phone usually transmits something every 15-30 minutes.

>As the phone periodically reports the signal strengths of surrounding cells for the purposes of handover just taking a glimpse of this is enough to triangulate well.

Not when the phone is idle and is not leaving a location area though.

(At least that's my memory from my college class)

In GSM there is some periodic communication even in the idle non-moving case, but the period is on the order of hours.

For the purposes of location tracking I think thats acceptable :)

As far as I know they can only see to which tower your phone is connected, so it's not too accurate.

I'm not an expert in this field though.

If you repeatedly triangulate a phone at < 100m resolution for a few hours, it should become trivial to identify its exact location. The more people in the area, the less reliable the method is. But in rural or suburban areas, it's going to be pretty good.

See the LocationSmart stories the past few days for more on this.

When I was playing around with that about ten years ago you could triangulate the position using multiple towers to narrow it down to a radius of a few dozen meters. It depends of course on the density of towers around the phone.

I’ve always wanted to play around with raw SMS PDUs. You could construct MMSes “from scratch”, for example; or send “ephemeral alert” messages that (at least by the standard) don’t get stored in SMS conversation history, just popping up and then disappearing instead.

Does anyone know, then, why Twilio and its like don’t let you construct/send raw binary PDUs? If it was a matter of cellular network security, well, that was already out the window once you let people with rooted phones into the network. Why not give virtual “phones” the same capability?

Binary PDUs can be tricky to send between operators - especially when those operators are in different countries. Often you will find that the PDU messages simply disappear. Internally within an operator network there shouldn’t be any problem usually.

That is probably why twilio doesn’t support it.

Are there tools available to monitor if I receive a silent SMS?

I think it's safe to assume that all popular brands of phone are compromised and exploitable with these SMS PDUs. If I buy a Seeed Rephone open-source DIY kit and use it as a GSM-to-WiFi modem, will that be any more secure? I guess that reverse triangulation from cell towers is still possible to determine my location.

https://www.bladox.com/products.php?lang=cz, see "Turbo SIM" (the others' pictures may confuse the idea).

It's an ATMega128 which sits between the phone and SIM, intercepting all comms. It runs C code and provides an API which lets you read, manipulate or send any kind of SMS. Specifically, you can edit or prevent messages or any kind of SMS from reaching the SIM and thus your mobile operator's "secret" SIM apps.

I used it at a previous job and can vouch for it.

Doesn't look like they have versions for smaller SIMs, however.

While not directly silent SMS, SnoopSnitch can check mobile network security and monitor for dome of the message types - https://f-droid.org/app/de.srlabs.snoopsnitch

Interesting. Requires root and a Qualcomm chipset, compatible device list here: https://opensource.srlabs.de/projects/snoopsnitch/wiki/Devic...

It just remind me dirty 'hack' from 2005-2010: if you set format for SMS as "E-Mail" on Siemens C65/C72 phone, then send SMS from this Siemens phone to SonyEricsson K210/K750 phone -- this SMS on SonyEricsson phone shown as sent from anonymous ;-)

That might be my fault. I worked on the tcpip and sms protocol stacks for the 55 and 65 series Siemens phones..


I know of at least one small Easter egg if anyone has a S65 lying around somewhere. I don’t believe it was discovered by anyone before. Might also work on the 55 devices - don’t quite remember as it was a long time ago.

> I don’t believe it was discovered by anyone before.

It was so funny when I discover this Easter egg and then use it for trolling own friends... Awesome time where I was like "phone hacker" :-D

Thanks Siemens developers that gave us time for thinking...

  ║                   ║
  ║                   ║
  ║  Please, wait...  ║
  ║   ●  ●  ●  ◐  ○   ║
  ║                   ║
  ║                   ║

Isn’t it a bug on the Sony Ericsson phone? I mean the non-standard message went via standard channels to reach the destination but the destination couldn’t grok that?

SMS was always an effective procedure writing to certain parts of the phone without checks

> Setting the PID to 0x64 would be a silent SMS known as a 'type 0' SMS which all handsets receive and must acknowledge without indicating its receipt to the user. As previously mentioned, this has been used by law enforcement to actively 'ping' a handset on a network.

I don't like that. Why should a device that I have paid for contain this backdoor? Manufacturers should not forget from whom they get the money.

It might be difficult to fix in hardware but if it is handled in software then open source projects like Android could do it and do not reply to silent SMS or display them to the user.

Actually the reply to the ping originates from the network itself and not the phone and it would work with any class of SMS - you just need to set the “delivery receipt” bit in the SMS. Then the network will send a receipt to the sender when the message has been delivered.

Because SMS originally is not for user use, but for GSM network test messages.

Unrelated to the article, but when I zoomed in to 150%+ in Chrome, this image [1] turned into this image [2]:



i used to use this (in my company) to provision OTP secrets. this was before iphone. after provisioning, OTP requests could be offline. thus no worries about sending an otp over sms.

of course the secret was itself encrypted via pre-provisioned Key Encrypting Key.

or users could manually enter the wrapped otp secret on the off chance the sms didn’t work. it worked for nokia and blackberry so that covered nearly 100%.

the article talks about abuse but in my case quite a useful “backdoor”.

Nice little write up. Rather than using the USRP I'd probably use a LimeSDR, if you can get hold of one.

Great article! Thanks for posting.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact