Little Things You Hate

ForkinGreat

ForkinGreat

Knows his Brassica oleracea
Flow-Rider said:
I'm sure someone would have fell for it, somewhere.


I was going to tell them to meet me at the police station and I'll give them double, but can't reply to the text.
Click to expand...
also, how many Mums are going to Text their kids? if they have a mobile, they are going to call, surely.

Genuinely curious.... how is it not possible to respond to a text?
 
Flow-Rider

Flow-Rider

Burner
ForkinGreat said:
also, how many Mums are going to Text their kids? if they have a mobile, they are going to call, surely.

Genuinely curious.... how is it not possible to respond to a text?
Click to expand...
I don't know how they do it, but the phone will not respond, it's been sent by a computer. You've got to get the phone carrier you use to block the IP.
 
ForkinGreat

ForkinGreat

Knows his Brassica oleracea
LTIH: Fox Racing Australia "customer service" and contact forms on websites in general.
Ask a question on their website contact form, takes 6 days to get a reply, don't even get an answer to a simple question about a fox mtb product.

Are they all MotoBros there at Fox Australia?
 
link1896

link1896

Mr Greenfield
ForkinGreat said:
also, how many Mums are going to Text their kids? if they have a mobile, they are going to call, surely.

Genuinely curious.... how is it not possible to respond to a text?
Click to expand...
The sms system has a very low security architecture.

You can use a paid bulk sms service, which can message any mobile phone device with a carrier assigned number on the planet give or take a few oddities. I have used SMSglobal for automation of the house, I had my automation system sending me a message via smsglobal about he garage door status so I don’t need to worry if it was down, when my son was an infant he just didn’t sleep, I found myself going to work with 20 minutes sleep for the night.

You can set any senders details using these SMS services when using one way communication. Have you ever had an sms arrive that didn’t have a number but just a name?

Quite literally you can set the sender field to anything, there is no banned or black listed word list I believe.

Here is a screen shot from SMSglobal’s knowledge base how to video, MXT is their web based portal for sms communication. https://knowledgebase.smsglobal.com/en/articles/5178453-how-to-do-a-simple-sms-send-in-mxt

The sender field is set to in this example “SMSglobal” but there is nothing stopping anyone using “mum” “dad” or “ato”.

Telstra have started watching incoming data onto their sms networks, looking at data source, and banned words. One of the key issues is the bulk sms provider networks are fully integrated into legitimate business usage.


Let’s look at a small, real world scenario. The local doctors appointment reminder system is using a bulk sms service provider. Their admin software has many IO’s now via API’s (Application programming interface). An api is a defined protocol for software package A to communicate with software package B. HotDoc, the website and phone app booking software has an api that lets the medical clinics software talk to it to Hotdoc’s central server to accept appointment bookings.

The medical clinics software is using an sms bulk messaging system, like GlobalSMS, via an api to send the patient a confirmation sms.


Fundamentally though, while spoofing sender identity is easy, it’s not the real risk.

Sms system runs on the Signaling System 7 protocol. There is open source Linux based packages out there for interacting with the SS7 system and reading sms’ or even accepting the sms, and sending something else out, to the recipient.


Think about banking 2 factor authentication using sms. That one time passcode sent via sms is not secure. Our banking system is fucked.


Google “2FA sms banking”.
 
Mr Crudley

Mr Crudley

Glock in your sock
A2P bulk SMS messaging is a pretty common spam and phsihing source these days. The phone companies know it but if they charge on SMS submission then it can be a tough one of them to drop completely especially while getting paid by the A2P provider. If someone violates the A2P provider's T&Cs then they could just block their access to the API or drop their network connection probably via a VPN. Most bulk A2P providers send messages to be received only and many may not provide the option for a response. A URL or another number may be provided in the message body if a response is required.

The A2P providers are not given access to the core signalling interfaces such as SS7, Diameter or HTTP2. Some telcos do provide SMPP links to larger A2P providers but a REST API is just easier to deploy and more familiar to web developers who will be the main ones that will have to make it work. The A2P provider connections are usually aggregated together via an intermediate A2P host and not given direct access to the core.

If the senderID was faked or incorrect then the telco may not care. They would be billing the A2P provider anyhow.

Most telcos have a SMS firewall of some sort that filters on the SS7 point codes, allowed protocols and message dialogue that can be sent and received between circuit switched peer networks which does tighten it up quite a bit but doesn't fix it totally. These traditionally used a static ruleset and can be hard to manage but a problem can be that the peer network of a known peer network may not be trusted but could also be allowed to transit via trusted peer and pass onwards to the destination network.

There are several variants and flavours of SS7 and some are country specific where some part of the protocol is seen as important in some markets but not used in others. It has evolved to be vendor specific as a successful interop between vendor 'x's and vendor 'y's gear has ended up being more of a focus opposed to supporting a certain SS7 flavour. There is usually a whole alot going on in there and SS7 interop is rarely *that* easy.
 
You must log in or register to reply here.
Top