Currently, I am writing a paper about GSM sender spoofing and how this flaw is possible with the use of different techniques and attack patterns in the GSM 2G implementation, both technically and operationally. The topic is specifically concentrated on spoofing alone and does not include any other GSM 2G related vulnerabilities, most likely including interception.
My understanding is that SMS in general in the GSM 2G implementation has two (2) types, MT (outgoing) and MO (incoming). Both support these forms: text mode and PDU mode, ETSI standards GSM 03.40 and 03.38. The PDU mode supports the crafting of the message, including the sender number in decimal semi-octets, and passing it to the carrier via the GSM AT command set.
Doing my research, I have seen from a long list of network carriers/providers that the capability of crafting your own alphanumeric senderID is possible. This gave me the assumption that most telecommunication companies around the globe, including some in our area, even if NOT ALL, are allowing alphanumeric senderIDs. Aggregators or other bulk providers are able to provide B2B/B2C commercial service. The problem is that even if these aggregators, like BRAND X for example, mandate a verification and justification process for customers in order to approve a request for an alphanumeric senderID, the risk of exploiting this feature to commit fraud is high. There are actually aggregators that do not validate the use of this feature and allow anything to be set.
I do not know if the feature is explicitly an "open standard" in the provisioning process of a GSM network, OR it was default, OR it has something to do with SMS routing, which would then be the reason why it is. What I understand and have experienced so far is that when I try to send a fake message and spoof the senderID of a person coming from an MCC in the same country, once the recipient replies to the message it will be sent directly to the real person, routing the message to the local carrier and not using the message centre defined in the PDU. I would like to believe that this is normal behavior and how senderIDs are used in the routing process.
I would like to gather public opinion regarding this matter, especially from those who are working in the network carrier industry and understand the SS7 protocol suite. My questions are:
I believe the GSM standards are governed by ETSI and network carriers are mandated to commit to these standards as well. When it comes to providing the use of alphanumeric senderIDs, who is the governing body responsible?
Considering the possibility of abuse, why is the feature available for public use even without coordination with the telco? I am thinking about a telco-to-telco trust relationship and explicitly disallowing the use if not coordinated by the mandating body (telco) itself.
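The question above refers to the sender address being carried in the PDU as decimal semi-octets, with alphanumeric senderIDs as a separate address type. The following decoder, added here as an illustration and not part of the original post, parses the originating address (TP-OA) of a received SMS-DELIVER PDU per GSM 03.40 and distinguishes a numeric sender (swapped semi-octet digits, which the handset can reply to) from an alphanumeric sender ID (GSM 7-bit packed, type-of-number 5, which has no reply path). The two sample PDUs are constructed for this example.

```python
"""Decode the originating address (TP-OA) of an SMS-DELIVER PDU (GSM 03.40)."""
from math import ceil

TON_INTERNATIONAL = 0x1   # type-of-number values from the type-of-address octet
TON_ALPHANUMERIC = 0x5

# Constructed sample PDUs: SMSC +447785016005, SMS-DELIVER, user data "hello".
NUMERIC_PDU = "0791447758100650" "04" "0B915155214365F7" "0000" "42305101030000" "05E8329BFD06"
ALPHA_PDU   = "0791447758100650" "04" "09D04166514A05"   "0000" "42305101030000" "05E8329BFD06"


def _swap_digits(octets: bytes, ndigits: int) -> str:
    # Digits are stored as swapped semi-octets: "15" is stored as 0x51; an odd
    # digit count is padded with an F nibble, which the slice drops.
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)[:ndigits]


def _unpack_7bit(octets: bytes, nseptets: int) -> str:
    # GSM 7-bit packing: septet i occupies bits 7*i .. 7*i+6, little-endian.
    bits = int.from_bytes(octets, "little")
    out = []
    for i in range(nseptets):
        code = (bits >> (7 * i)) & 0x7F
        # Letters, digits and space share codes with ASCII in the GSM default
        # alphabet; any other code is shown as '?' to keep the example short.
        out.append(chr(code) if chr(code).isalnum() or code == 0x20 else "?")
    return "".join(out)


def decode_originating_address(pdu_hex: str) -> dict:
    pdu = bytes.fromhex(pdu_hex)
    pos = 1 + pdu[0]                 # skip SMSC address: length octet + address
    first_octet = pdu[pos]
    pos += 1
    if first_octet & 0x03 != 0x00:   # TP-MTI 00 = SMS-DELIVER (network to handset)
        raise ValueError("not an SMS-DELIVER PDU")
    oa_len = pdu[pos]                # address length in semi-octets (digits)
    ton = (pdu[pos + 1] >> 4) & 0x07
    body = pdu[pos + 2: pos + 2 + ceil(oa_len / 2)]
    if ton == TON_ALPHANUMERIC:
        sender = _unpack_7bit(body, oa_len * 4 // 7)   # useful semi-octets -> septets
    else:
        sender = _swap_digits(body, oa_len)
        if ton == TON_INTERNATIONAL:
            sender = "+" + sender
    # An alphanumeric sender ID is not a subscriber number: nothing to reply to.
    return {"ton": ton, "sender": sender, "replyable": ton != TON_ALPHANUMERIC}
```

Running `decode_originating_address` on the two constructed PDUs yields `+15551234567` (replyable) and `ALERT` (not replyable), which is the distinction a receiving gateway or handset can use to flag alphanumeric senders.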