Hacker News new | past | comments | ask | show | jobs | submit login

Note: The following might be considered off-topic. On the otherhand, there might be something nefarious in the SMS network.

I found something strange that affects SMS in Canada. You can send the lower case text "secure communication", but it will never be recieved by the recipient. I am not sure if this behavior is reproducible outside of Canada. It might be a software defect, or perhaps there is something capturing the text and trying to interpret it as a command. The issue is more difficult to reproduce if both the sender and recipient devices are iphone's due to the default behavior of sending via iText.

I originally posted about this late last year [1]. I intend to investigate this issue more deeply, but my time has been consumed by another more pressing matter. The original HN post links to my blog post [2]. Originally I jumped to the conclusion that it was a case of censorship, but I backtracked on that because the issue is case sensitive. I would love confirmation if this is reproducible in other countries.

[1] https://news.ycombinator.com/item?id=21593276

[2] https://bloggerbust.ca/post/text-messages-are-being-censored...




It's a bit of a leap to assume that behavior like that is evidence of nefarious activity; ask yourself, if you were implementing some sort of secret signalling layer, would you design one that uses simple English words, and whose failure state reveals its presence?

Consider the other cases - it could be something like an anti-spam system; back when MSN Messenger was a thing, it would abruptly close any conversations in which certain virus-related keywords were said (mostly including ".exe", which is how I discovered it), presumably in an attempt to stop them spreading.

Or it could be a bug - there have been plenty of these, from simple strings causing mass IRC disconnections, to eerie conspiracy theories (see "bush hid the facts"[0], a conspiracy caused by a bug in Notepad).

Or it could just be a bit of debug code accidentally being triggered. This past week, I had to explain to some users why a website was talking about "DEAD BEEF". The reason was innocent (glitch in a web server config), but to the end user it was incomprehensible.

All that said, if you want to investigate further, it's simple to disable iMessage on iOS devices. If you go to Settings->Messages, there's a toggle for it.

[0]: https://en.wikipedia.org/wiki/Bush_hid_the_facts


> back when MSN Messenger was a thing, it would abruptly close any conversations in which certain virus-related keywords were said

On MSN Messenger, one way around swear words in your username/status was to use the ASCII equivalent for a letter, which would get skip the filter but render as the letter.

So I looked a little down in my chart and hoped that 0x7 for BELL would do something, but it didn’t.

But 0x0 for NULL would cause all members of your contact list to immediately sign out and back in ad Infinitum.


I am not assuming that it is nafarious, I appologize if I was not clear enough on that point. There are many possible ways it could be the result of a defect and you provided some interesting examples. In either case, it is a curiosity worth investigating.

Thanks for pointing out an easy way to disable imessage on iphone. Apparently after doing that iphone defaults to MMS. It still might be best to just turn off data and wifi.


> I found something strange that affects SMS in Canada. You can send the lower case text "secure communication", but it will never be recieved by the recipient.

This reminds me of how, until just a few years ago (as late as 2016), people were wondering why you couldn't tweet the phrase "Get better".

It turned out that you can't tweet any phrase that begins with "Get" because... you guessed it, posting tweets from the web interface still shared backend code with the SMS-based system[0]. So it would interpret "Get foo" as an API request to fetch tweets, not a tweet itself.

[0] Twitter was originally designed to work on dumbphones! You could text your tweet to 40404 and it would post for you, or you could fetch tweets by saying "GET chimeracoder" and it would fetch the latest tweets from user @chimeracoder.


Your [0] is funny to me because that was how I used and communicated with friend groups back in the early 2000s. Years later when Twitter blew up for real it was strange that facet was forgotten and the culture moved on. That's also the reason for the 140 char length vs the 160 or whatever the SMS limit is. The other characters were reserved for their username.


You could also go Google searches via SMS.


Tried it, works.

Also seems to not deliver SMSs that contain other combinations with 'secure communication' within it.

E.g.

'Hahahaha juice secure communication james'

or

'Not secure communication'


Yes, if the words "secure communication" in all lower case appear anywhere in the message, then the message won't be delivered. There can even be text appended to the beginning and end of the words [0]. i.e. foosecure communicationbar will also not be received. However; there must be exactly one blank space between the words.

Having said that, this is not working for everyone. I am trying to gather data on this to figure out where the issue might stem from. Would you be comfortable disclosing the make/model and carrier service of the sender and receiver. If you would prefer, you may contact me directly with this information and I won't include your identity in the record. My email is linked in the header of the blog post. I also have a public key [2] if you feel so inclined to send me a secure communication :-P

[0] https://bloggerbust.ca/post/text-messages-are-being-censored...

[1] https://bloggerbust.ca/about/#my-public-key


Message is not delivered between Koodo -> Koodo, secure commmunication (using 3 m) won't be delivered as well.


On a related note, if you start an SMS with "!", then the leading exclamation point will be stripped, and a delivery confirmation SMS will automatically be sent (not sure if it's from the mobile network or the receiving phone). This makes it possible to send zero-character SMSes.


Huh, just tried it and the ! got through. Could be network- or encoding-specific?


That is interesting. I will try that out later today.


Ha! I respond to texts with a single "?" a lot of times, so it's funny to know that they're getting a blank text


Just tried this in Ontario, networks were Bell (iPhone 7) + Koodo (Pixel 3) and it didn't deliver.


Thank you.


I just tried that in Quebec from Virgin Mobile (Bell) to Vidéotron using a Samsung S10 and a Samsung A8, it's working fine for me.

I can't verify it is send over SMS or MMS though. In theory there's no reason for my cellphone to send it over MMS.

The exact word used: secure communication


Turn off your data and disconnect from wifi, then try again. I believe that will force it to send via SMS. You might need to go through your client's app settings.

The Google Android client is nice because it displays what protocol it is sending over. It is important to confirm that it is sent over SMS. Also, it is important that the words "secure communication" are sent in all lower case which I see that you did.

Thank you for taking the time to test this. If you are sure it is being sent over SMS then I will add your entry as an example where it can be both sent and received


I just tried without Wifi and mobile data (good idea!), it was send and received correctly.

I did it from my S10 to someone else A8.


Just tested via twilio to canadian cell phone and had no issues receiving it.


What client region was the twilio data center? What was the exact text sent? Are you comfortable to disclose the make / model of the receiving cell phone as well as its carrier service?


I just tested with twilio as well. I was able to send this string:

"secure communication"

from within the twilio API, via pure SMS (no imessage, etc.) to an iphone SE with a US Mobile (verizon MVNO) sim card.

Was sent from a US number to a US number.

No issues.


I added your entry, thank you.


I wonder, but will not test, what happens if you put some code in between secure and communication. Like “; OR 1=1”.


Just tried Public Mobile (Telus sub-brand) to Rogers phone. And vice versa.

Messages containing "secure communication" failed when sent by SMS.

Both are iPhones, but one phone had wifi and cellular data disabled to force the SMS failover.


I found that an international SMS containing the entire text for a Wells Fargo SMS 2-factor code from the US to the UK doesn't deliver. Found that interesting.

I could get it to deliver US to US, though.


A lot of shortcode systems fall apart outside of their home system.

These are common problems for those that try to go “data-only” and sign up for a virtual SMS service: they can’t receive 2FA SMSs.

I guess the positive is that it’s hard(er) for a bad actor to pretend to be bigger than they are.


I just tried. Successful delivery.

from: Freedom Mobile to: Freedom Mobile Location: Ontario

Mobile data: off Wifi: off

Side note: So cool to see so many Canadians on here! If requested I can send SMS to USA numbers.


> If requested I can send SMS to USA numbers.

Yes please! Also, if you have US contacts that would be willing to test US-->US and US-->Canada that information would also be valuable and appreciated.

Please include as much of this information as participants are willing to provide:

  - OS+version of mobile device
  - if WiFi / data was on or off
  - Carrier of sender / receiver
  - region
  - exact text sent


I will update my records tomorrow morning with anyones accounts so long as they are confident the text went over SMS. It seems that not everyone can reproduce this issue, so that might help narrow down where the issue likely is.

Super busy now for a while...


I appreciate the time taken by the community to test this issue on their own devices and submit detailed results. I have updated the article with yesterdays submissions [1]. Please feel free to email me or comment on my blog. All comments on the blog require me to manually commit them to my GitHub repo which might take up to a day depending on how busy I am.

[1] https://bloggerbust.ca/post/text-messages-are-being-censored...




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: