3

I don't know much about the SMPP protocol, but I often hear that it is not a secure protocol.

If Alice sends an SMS to Bob, can Eve view what Alice sent to him? If yes, can you give an example of how Eve can accomplish that?

Sir Muffington
MrHeliose

1 Answer

3

SMPP is an application layer protocol and is not intended to offer transport functionality. It is therefore assumed that the underlying network connection will provide reliable data transfer from point to point including packet encryption.

Vulnerabilities that are found in the SMPP protocol:

  1. Zero Confidentiality: As there is no encryption standard specified in SMPP, messages sent from A to B travel in plain text.

  2. Man-in-the-middle Attack: The attacker can make independent connections with the victims and relay messages between them, making them believe that they are talking directly to each other when in fact the entire conversation is controlled by the attacker.

  3. Message Tampering: There can be the deliberate altering or adulteration of protocol information. This may lead to text messages being tampered with before they get to the recipients.

  4. No Endpoint Authentication: As there is no confidentiality, attackers can easily compromise the login details of the SMSC. An attacker can authenticate himself as an authenticated user and can misuse the messaging services.

Therefore, if you want to secure SMPP communications you must do so using TLS and both your clients and servers must support it. By introducing Transport Layer Security, Secure SMPP is capable of satisfying security parameters of confidentiality, integrity and authentication.

As a one-sentence answer to your questions: if it uses TLS, the SMPP communication is secure; if there is no TLS, it is not, and anyone with network access may intercept and read it.

Overmind
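To make points 1 and 4 of the answer above concrete, the following added example (not part of the original answer) builds an SMPP v3.4 `bind_transmitter` PDU and decodes it again from the raw bytes, showing that `system_id` and `password` are plain NUL-terminated ASCII fields. The credentials `esme-demo` / `s3cret` and all function names are constructed for illustration.

```python
import struct

BIND_TRANSMITTER = 0x00000002  # command_id from the SMPP v3.4 specification


def cstr(value: str) -> bytes:
    """Encode an SMPP C-Octet String: ASCII bytes plus a NUL terminator."""
    return value.encode("ascii") + b"\x00"


def build_bind_transmitter(system_id: str, password: str, seq: int = 1) -> bytes:
    """Build a bind_transmitter PDU exactly as it is written to the socket."""
    body = (cstr(system_id) + cstr(password) + cstr("")  # system_type left empty
            + bytes([0x34, 0x00, 0x00])  # interface_version 3.4, addr_ton, addr_npi
            + cstr(""))                  # address_range left empty
    header = struct.pack(">IIII", 16 + len(body), BIND_TRANSMITTER, 0, seq)
    return header + body


def read_cstr(buf: bytes, offset: int) -> tuple[str, int]:
    """Read one NUL-terminated field; return it and the offset after it."""
    end = buf.index(b"\x00", offset)  # raises ValueError if unterminated
    return buf[offset:end].decode("ascii"), end + 1


def parse_bind(pdu: bytes) -> dict:
    """Decode the bind fields from raw bytes; no key or secret is needed."""
    if len(pdu) < 16:
        raise ValueError("shorter than the 16-byte SMPP header")
    length, command_id, _status, seq = struct.unpack(">IIII", pdu[:16])
    if length != len(pdu):
        raise ValueError("command_length does not match PDU size")
    if command_id != BIND_TRANSMITTER:
        raise ValueError("not a bind_transmitter PDU")
    system_id, off = read_cstr(pdu, 16)
    password, off = read_cstr(pdu, off)
    return {"sequence": seq, "system_id": system_id, "password": password}


# Constructed sample credentials, not taken from any real system.
SAMPLE_PDU = build_bind_transmitter("esme-demo", "s3cret")

if __name__ == "__main__":
    print(SAMPLE_PDU.hex(" "))
    print(parse_bind(SAMPLE_PDU))
    print("password bytes visible in PDU:", b"s3cret" in SAMPLE_PDU)
```

When the same PDU is written to a TLS-wrapped socket instead of a bare TCP socket, only ciphertext appears on the network, which is why the answer requires TLS on both client and server.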