
Currently, I am writing a paper about GSM sender spoofing and how this flaw is possible with the use of different techniques and attack patterns in the GSM 2G implementation, both technically and operationally. The topic is specifically concentrated on spoofing alone and does not include any other GSM 2G-related vulnerabilities, most likely including interception.

My understanding is that SMS in general in the GSM 2G implementation has two (2) types, MT (outgoing) and MO (incoming). Both support these forms: text mode and PDU mode, ETSI standards GSM 03.40 and 03.38. The PDU mode supports the crafting of the message, including the sender number in decimal semi-octets, and passing it to the carrier via the GSM AT command set.

Doing my research, I have seen from a long list of network carriers/providers that the capability of crafting your own alphanumeric senderID is possible. This gave me the assumption that most telecommunication companies around the globe, including some in our area, even if NOT ALL, are allowing alphanumeric senderIDs. Aggregators or other bulk providers are able to provide B2B/B2C commercial service. The problem is that even if these aggregators, BRAND X for example, mandate a verification and justification process for customers in order to approve a request for an alphanumeric senderID, the risk of exploiting this feature to commit fraud is high. There are actually aggregators that do not validate the use of this feature and allow anything to be set.

I do not know if the feature is explicitly an "open standard" in the provisioning process of a GSM network, OR it was a default, OR it has something to do with SMS routing, which would then be the reason why it is. What I understand and have experienced so far is that when I try to send a fake message and spoof the senderID of a person coming from an MCC in the same country, once the recipient replies to the message it will be sent directly to the real person, routing the message to the local carrier and not using the message centre defined in the PDU. I would like to believe that this is normal behaviour and how senderIDs are used in the routing process.

I would like to gather public opinion regarding this matter, especially from those who are working in the network carrier industry and understand the SS7 protocol suite. My questions are:

  1. I believe the GSM standards are governed by ETSI and network carriers are mandated to comply with these standards as well. When it comes to providing the use of alphanumeric senderIDs, who is the governing body responsible?

  2. Considering the possibility of abuse, why is the feature available for public use even without coordination with the telco? I am thinking of a telco-to-telco trust relationship, explicitly disallowing the use if not coordinated by the mandating body (the telco) itself.

curiousguy
John Santos
  • I have to ask this question. Why are you doing research on `2G` when the entire industry has moved away from that and in most cases is not even using it in most regions of the country? The only relevance might be the backwards support that 3G/4G phones have for 2G. You really should limit yourself to a single question. – Ramhound Jun 22 '12 at 14:58
  • @Ramhound This is because I am located in an area where support for 2G is still considered up to this time, which is currently/strongly accepted. I know about the 3G/4G backward support for it. I was looking for an opinion, rather based on other people's experiences. The question is clear though. I need to know the governing body, somewhat like an IEEE, for the topic which I have posted, and I want to know if someone has an idea relevant to the questions. – John Santos Jun 22 '12 at 15:29
  • Within the US it is the FCC for communications and IEEE for hardware. – GT_Wrecked Aug 24 '12 at 14:04
  • It's not the FCC. They are more into band/frequency regulation. – John Santos Sep 14 '12 at 10:26
  • Your second paragraph is not an accurate understanding of how SMS works. PDU vs. text mode refers only to the way the controlling system (e.g. computer, or smartphone main processor) communicates with the mobile terminal (GSM modem, baseband of a smartphone, etc). The radio communication between the mobile terminal and the carrier equipment is identical regardless of which mode is used. Similarly, AT commands are used for communication between the mobile terminal and the controlling system. They're not used at all on the GSM network itself. – jbg Apr 21 '19 at 21:55
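As an added, constructed example (not code from the original question, its comments or the answer): a minimal decoder for the SMS-DELIVER PDU that a GSM modem hands to the host in PDU mode, showing where the originating address (TP-OA) sits and how an alphanumeric sender ID (type-of-number 5, GSM 7-bit packed) differs from a subscriber number stored as swapped semi-octets. The SMSC, the number +15551234567, the sender "BRAND X", the timestamp and both sample PDUs are constructed for this example, not captured traffic; the decoder assumes TP-DCS 0x00 (7-bit default alphabet) and single-part messages.

```python
# GSM 7-bit default alphabet, index = 7-bit code (TS 23.038 / GSM 03.38).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")

def unpack_gsm7(data: bytes, count: int) -> str:
    """Unpack `count` septets that were packed LSB-first into octets."""
    out, acc, nbits = [], 0, 0
    for b in data:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < count:
            out.append(GSM7[acc & 0x7F])
            acc >>= 7
            nbits -= 7
    return "".join(out)

def bcd_digits(data: bytes) -> str:
    """Swapped semi-octet BCD: 0x51 0x55 -> '1555'; nibble 0xF is odd-length filler."""
    return "".join(str(n) for b in data for n in (b & 0x0F, b >> 4) if n != 0x0F)

def decode_address(toa: int, value: bytes, nsemi: int) -> tuple:
    """TON (bits 4-6 of the type-of-address octet) decides how the value is read."""
    ton = (toa >> 4) & 0x07
    if ton == 5:                 # alphanumeric: nsemi*4 payload bits of 7-bit text
        return unpack_gsm7(value, nsemi * 4 // 7), "alphanumeric"
    number = bcd_digits(value)
    return ("+" + number, "international") if ton == 1 else (number, "national/other")

def parse_deliver(hexpdu: str) -> dict:
    """Parse an SMS-DELIVER PDU (TS 23.040 / GSM 03.40) as read back with +CMGR."""
    buf = bytes.fromhex(hexpdu)
    n = buf[0]                                     # SMSC length in octets, incl. TOA
    smsc, _ = decode_address(buf[1], buf[2:1 + n], (n - 1) * 2)
    pos = 1 + n
    if buf[pos] & 0x03 != 0:                       # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    nsemi, toa = buf[pos + 1], buf[pos + 2]        # TP-OA length is in semi-octets
    pos += 3
    sender, kind = decode_address(toa, buf[pos:pos + (nsemi + 1) // 2], nsemi)
    pos += (nsemi + 1) // 2                        # now at TP-PID
    if buf[pos + 1] != 0x00:                       # TP-DCS: only 7-bit handled here
        raise ValueError("unsupported TP-DCS")
    ts = bcd_digits(buf[pos + 2:pos + 8])          # TP-SCTS, time-zone octet skipped
    when = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    text = unpack_gsm7(buf[pos + 10:], buf[pos + 9])   # TP-UDL is a septet count
    return {"smsc": smsc, "sender": sender, "kind": kind, "time": when, "text": text}

# Constructed samples: same SMSC and text "Hi", only the originating address differs.
NUMERIC_PDU = "0791447788002301040B915155214365F700009140121255000002C834"
ALPHA_PDU = "0791447788002301040DD04269D04904610100009140121255000002C834"

if __name__ == "__main__":
    for pdu in (NUMERIC_PDU, ALPHA_PDU):
        m = parse_deliver(pdu)
        print(f"{m['kind']:14} {m['sender']!r:16} {m['time']}  {m['text']!r}")
```

An alphanumeric TP-OA carries no subscriber number at all, which is why a reply to such a message has nowhere to go and why the decoded `kind` is a useful triage field when reviewing suspect messages pulled from a handset or modem.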

1 Answer


who is the governing body responsible?

I've been out of the industry for a few years, but I'd be surprised if anything has changed since I worked there. There are no formal constraints on the content of the sender ID; it's really very much up to the telco. In the UK Ofcom extended their recommendations to providers,

(you can read the Ofcom stuff here - it's mostly about withholding caller information rather than obscuring or falsifying it).

symcbean