
Binary SMS – The old backdoor to your new thing

213 points by wolframio about 7 years ago

12 comments

robert_tweed about 7 years ago
Back around 2000, shortly after The Matrix came out and everyone was buying "those" Nokia phones, I was tasked with writing a couple of applets for a certain UK mobile phone operator.

One applet was to design operator logos. The other was to compose ringtones. Both popular things at the time. I was given access to an SMS gateway, a PDF of the Nokia message format and a deadline.

The exact UI was phone-dependent, but typically these updates would pop up a confirm box saying "Accept new ringtone?" or something similar. I was surprised to discover that this was triggered by sending an SMS, because there was usually no indication that a message had been received. If you were lucky you would be told where the file had come from, but often the phone just assumed it was an update from the network. On some phones there wasn't even an alert; it would just obey, silently.

The message just had to start with "//SCKL", followed by a code, followed by some data. That's it. On first reading I assumed the "header" part would require direct access to the SMS gateway, like the SMTP HELO or similar.

Nope. First thing I tried once I had some PoC data was to send a message from my phone directly to a colleague. It worked.

Over the course of that project I sent so many of those text messages I still can't get the code //SCKL1581 out of my head. JFTR, sending someone a really awful ringtone (a single diminished fifth or something) is way more annoying than sending them "0" as an operator logo, especially if their phone only has one ringtone.

https://www.activexperts.com/sms-component/sms/sckl/
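robert_tweed's description of the //SCKL header (a fixed prefix, a port code, then hex data) is enough to write a receiving-side recogniser that logs such pushes instead of letting a handset or gateway act on them silently. The following is an added example, not code from the thread, the article, or any project mentioned here; the exact header layout (destination port, optional source port and segmentation fields, then the hex payload) and the port-to-content mapping are my assumptions from the Nokia Smart Messaging text format, and the sample messages are constructed.

```python
"""Recognise Nokia Smart Messaging text-mode pushes ("//SCKL..." ringtones,
operator logos) in incoming SMS text so a gateway or handset-side monitor can
log them rather than act on them silently.

Assumptions: header layout and port meanings follow the Nokia Smart Messaging
text format as I remember it; verify against the spec before relying on them.
"""
import re
from dataclasses import dataclass
from typing import Optional

# //SCKL<dest port:4 hex>[<src port:4 hex>[<ref:2><total:2><seq:2> hex]] <payload hex>
SCKL_RE = re.compile(
    r"^//SCKL(?P<dst>[0-9A-Fa-f]{4})"
    r"(?:(?P<src>[0-9A-Fa-f]{4})"
    r"(?:(?P<ref>[0-9A-Fa-f]{2})(?P<total>[0-9A-Fa-f]{2})(?P<seq>[0-9A-Fa-f]{2}))?)?"
    r"\s+(?P<data>[0-9A-Fa-f]*)$"
)

# Assumed port assignments (not stated in the thread); check them against the spec.
KNOWN_PORTS = {0x1581: "ringtone", 0x1582: "operator logo", 0x1583: "CLI icon"}


@dataclass
class SmartMessage:
    dst_port: int
    src_port: Optional[int]
    ref: Optional[int]      # segmentation reference, present only for multi-part pushes
    total: Optional[int]
    seq: Optional[int]
    payload: bytes


def parse_sckl(text: str) -> Optional[SmartMessage]:
    """Return the parsed header, or None if the text is not a well-formed //SCKL push."""
    m = SCKL_RE.match(text.strip())
    if not m:
        return None
    try:
        payload = bytes.fromhex(m["data"])
    except ValueError:          # odd number of hex digits: malformed, do not act on it
        return None

    def hexfield(name: str) -> Optional[int]:
        return int(m[name], 16) if m[name] is not None else None

    return SmartMessage(int(m["dst"], 16), hexfield("src"), hexfield("ref"),
                        hexfield("total"), hexfield("seq"), payload)


def describe(text: str) -> str:
    """One-line classification suitable for a log entry."""
    sm = parse_sckl(text)
    if sm is None:
        return "plain text"
    kind = KNOWN_PORTS.get(sm.dst_port, "unknown smart-message port")
    out = f"smart message: {kind} (port 0x{sm.dst_port:04X})"
    if sm.seq is not None:
        out += f" part {sm.seq}/{sm.total}"
    return out


# Constructed sample inbox (payload bytes are arbitrary, not real ringtone data).
SAMPLES = [
    "hello, dinner at 8?",
    "//SCKL1581 024A3A",                # single-part push to the ringtone port
    "//SCKL15821582010201 0001",        # part 1 of 2 to the operator-logo port
    "//SCKL1581ABCDEF 00",              # malformed header: neither src+seg nor src alone fit
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {describe(s)}")
```

A gateway that exposes received text can run describe() over each message and alert on anything other than "plain text"; the malformed case is deliberately rejected rather than partially parsed, since a half-parsed header is exactly what a handset should not act on.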
donttrack about 7 years ago
I wonder why we haven't seen more exploits targeting SMS PDU mode. Is the barrier for script kiddies just too high? You would probably need a network tester of some kind to properly try to find exploits.

I used to work for a big mobile phone manufacturer and once in a while we would get "secret" fixes to merge into the source. The commit message would be something unrelated and the builds would be pushed silently without much fanfare.

I was in charge of the merging, which is how I know this. Some of those fixes were for SMS PDU mode or related to stuff happening when PDUs were received. Not sure how phones handle these messages today, but I assume they follow spec, which means there are certain SMS PDUs which will be reacted on silently in the background (stuff in the PDU body is parsed and applications launched if necessary).

I should try to get an old R&S tester from eBay maybe. Could be fun to try to explore this area. Could be a nice security business niche to get into.
HillaryBriss about 7 years ago
> Law Enforcement can track a phone with 'silent' SMS messages designed not to alert the user.

Well, that's something I didn't know.
app4soft about 7 years ago
It just reminds me of a dirty 'hack' from 2005-2010: if you set the format for SMS as "E-Mail" on a Siemens C65/C72 phone, then send an SMS from this Siemens phone to a SonyEricsson K210/K750 phone, this SMS on the SonyEricsson phone is shown as sent from anonymous ;-)
derefr about 7 years ago
I've always wanted to play around with raw SMS PDUs. You could construct MMSes "from scratch", for example; or send "ephemeral alert" messages that (at least by the standard) don't get stored in SMS conversation history, just popping up and then disappearing instead.

Does anyone know, then, why Twilio and its like don't let you construct/send raw binary PDUs? If it was a matter of cellular network security, well, that was already out the window once you let people with rooted phones into the network. Why not give virtual "phones" the same capability?
peterburkimsher about 7 years ago
Are there tools available to monitor if I receive a silent SMS?

I think it's safe to assume that all popular brands of phone are compromised and exploitable with these SMS PDUs. If I buy a Seeed Rephone open-source DIY kit and use it as a GSM-to-WiFi modem, will that be any more secure? I guess that reverse triangulation from cell towers is still possible to determine my location.
locknload about 7 years ago
SMS was always an effective procedure for writing to certain parts of the phone without checks.
codedokode about 7 years ago
> Setting the PID to 0x64 would be a silent SMS known as a 'type 0' SMS which all handsets receive and must acknowledge without indicating its receipt to the user. As previously mentioned, this has been used by law enforcement to actively 'ping' a handset on a network.

I don't like that. Why should a device that I have paid for contain this backdoor? Manufacturers should not forget from whom they get the money.

It might be difficult to fix in hardware, but if it is handled in software then open source projects like Android could do it and not reply to silent SMS, or display them to the user.
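The passage codedokode quotes, and peterburkimsher's question upthread about monitoring for silent SMS, both come down to reading the TP-PID and the user-data header of each SMS-DELIVER PDU that a GSM modem hands over in PDU mode. The following is an added example, not code from the article or from anyone in this thread: a small SMS-DELIVER parser following 3GPP TS 23.040 that reports the fields a monitor would log and flags messages a handset would process without showing them (Type 0, port-addressed, or 8-bit binary). The sample PDUs, the sender number and the payload bytes are constructed; labelling TP-PID 0x40 as Short Message Type 0 is from TS 23.040, while treating the rest of the 0x40-0x7F class (which includes the 0x64 quoted above) as handset-processed is my reading of the spec.

```python
"""Parse SMS-DELIVER PDUs (3GPP TS 23.040) as a GSM modem returns them in PDU
mode and flag the ones a handset would handle without showing the user.

Sample PDUs below are constructed for this example, not captured traffic.
"""
from typing import Optional


def _semi_octets(raw: bytes, ndigits: int) -> str:
    # Each octet carries two BCD digits, low nibble first; 0xF pads an odd count.
    digits = []
    for b in raw:
        digits.append("0123456789*#abcF"[b & 0x0F])
        digits.append("0123456789*#abcF"[b >> 4])
    return "".join(digits[:ndigits])


def _udh_ports(udh: bytes) -> Optional[tuple]:
    # Walk the User Data Header elements (IEI, length, data).
    # IEI 0x05 = 16-bit application ports, IEI 0x04 = 8-bit ports (destination, then source).
    i = 0
    while i + 2 <= len(udh):
        iei, ln = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + ln]
        i += 2 + ln
        if iei == 0x05 and ln == 4:
            return (data[0] << 8 | data[1], data[2] << 8 | data[3])
        if iei == 0x04 and ln == 2:
            return (data[0], data[1])
    return None


def parse_deliver(pdu_hex: str) -> dict:
    """Split an SMS-DELIVER PDU into the header fields a monitor cares about."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                        # skip SMSC address (length, TOA, digits)
    first = b[i]; i += 1
    if first & 0x03 != 0x00:            # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)           # TP-UDHI: a User Data Header is present
    ndigits, toa = b[i], b[i + 1]; i += 2
    nbytes = (ndigits + 1) // 2
    sender = _semi_octets(b[i:i + nbytes], ndigits); i += nbytes
    if toa & 0x70 == 0x10:              # type-of-number: international
        sender = "+" + sender
    pid, dcs = b[i], b[i + 1]; i += 2   # TP-PID, TP-DCS
    i += 7                              # TP-SCTS timestamp, not needed here
    udl = b[i]; i += 1
    ud = b[i:]
    ports, payload = None, ud
    if udhi and ud:
        udhl = ud[0]
        ports = _udh_ports(ud[1:1 + udhl])
        payload = ud[1 + udhl:]
    return {"sender": sender, "pid": pid, "dcs": dcs, "udhi": udhi,
            "udl": udl, "ports": ports, "payload": bytes(payload)}


def audit(msg: dict) -> list:
    """Reasons this message would be acted on without the user seeing it."""
    reasons = []
    pid, dcs = msg["pid"], msg["dcs"]
    if pid == 0x40:
        reasons.append("TP-PID 0x40: Short Message Type 0 (acknowledged by the handset, never displayed)")
    elif 0x40 <= pid <= 0x7F:
        reasons.append(f"TP-PID 0x{pid:02X}: handset-processed PID class (bits 7-6 = 01)")
    if msg["ports"] is not None:
        d, s = msg["ports"]
        reasons.append(f"UDH port addressing: destination port 0x{d:04X}, source 0x{s:04X} "
                       "(routed to an application, not the inbox)")
    if (dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x04 or (dcs & 0xF4) == 0xF4:
        reasons.append(f"TP-DCS 0x{dcs:02X}: 8-bit binary user data")
    return reasons


# Constructed PDUs: SMSC +12345678900, sender +15550001234, arbitrary timestamp.
_HDR = "07912143658709F0"          # SMSC address block
_OA = "0B915155001032F4"           # originating address, 11 digits, international
_TS = "21050110203040"             # TP-SCTS, contents irrelevant here
SAMPLES = {
    "text":  _HDR + "04" + _OA + "00" + "00" + _TS + "05" + "E8329BFD06",
    "type0": _HDR + "04" + _OA + "40" + "00" + _TS + "00",
    "pid64": _HDR + "04" + _OA + "64" + "00" + _TS + "00",
    "port":  _HDR + "44" + _OA + "00" + "04" + _TS + "0B" + "06050415820000" + "01020304",
}

if __name__ == "__main__":
    for name, pdu in SAMPLES.items():
        m = parse_deliver(pdu)
        print(f"{name:6} from {m['sender']}: {audit(m) or ['nothing unusual']}")
```

On a modem, `AT+CMGF=0` selects PDU mode and `AT+CMGL=4` lists stored messages as hex PDUs; each PDU line can be fed straight into parse_deliver(). The parser deliberately stops at the headers and does not unpack 7-bit text, since the silent-handling decision depends only on TP-PID, TP-DCS and the user-data header.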
pavel_lishin about 7 years ago
Unrelated to the article, but when I zoomed in to 150%+ in Chrome, this image [1] turned into this image [2]:

[1] https://www.contextis.com/media/images/made/media/images/content/RF_box.width-800_800_533_75.jpg

[2] https://www.contextis.com/media/images/made/media/images/content/RF_box.width-800_800_533_1.jpg
jiveturkey about 7 years ago
i used to use this (in my company) to provision OTP secrets. this was before iphone. after provisioning, OTP requests could be offline. thus no worries about sending an otp over sms.

of course the secret was itself encrypted via pre-provisioned Key Encrypting Key.

or users could manually enter the wrapped otp secret on the off chance the sms didn't work. it worked for nokia and blackberry so that covered nearly 100%.

the article talks about abuse but in my case quite a useful "backdoor".
secstu about 7 years ago
Nice little write up. Rather than using the USRP I'd probably use a LimeSDR, if you can get hold of one.
noir-york about 7 years ago
Great article! Thanks for posting.