The old "SMS is dead, don't use it" thread


Lob

What could possibly go wrong?
Nov 7, 2020
As I am waging a bit of a war to eradicate SMS as a method of my company being able to communicate with people, I thought of some advice from @Steve for online accounts and avoiding using SMS as a second factor.

Having enabled this on my Google account many years ago, it amuses me to see that I can avoid using Gmail/Authenticator/whatever as a 2nd factor and choose SMS. Yes, people, if someone clones your SIM and you have not completely removed your number from the account (and I would say accounts; I am too lazy to test it, but I am sure many MFA solutions still allow you to fall back to other methods if your primary is not available) then an attacker could fall back to the SMS method and get in.

It's perhaps worthy of a mention so that we all remove phone numbers from our profiles. Where I live, in Switzerland, I would say cloning is harder because you need to show ID to get a SIM - but then again, I was able to take SIMs at my last job that were not activated and I assume some social engineering might have seen me get an active line. That would have been a fun exercise :)
 
For the record, I agree with your point.

However, I think the flaw in your argument is that SMS is NOT dead. Quite the contrary. It is, by far, the most used method of text messaging.

This basically goes back to one of @Steve's points (rants): as long as there is no underlying security forcing users to have passwords more complex than 12345678, they WILL keep using these. There's no amount of pleading/ranting/raging that will change the behaviour of people who just don't give a cr*p.
 
How easy is it to clone a person's SIM? How likely is it that someone would do that to the average person?

SMS is convenient and better than nothing.
 
How easy is it to clone a person's SIM?
You don't need to clone the SIM. You call their service provider, use your social engineering skills and pretend like you need to reset access to your account, then request the account be assigned to a new address, then request a new SIM. Or some shortcut of all that depending on what the service provider allows/supports. Even when they have a note on the file that says "DO NOT EVER DO __x__" you will still have an agent who is "just trying to be helpful" and does something there are explicit rules not to allow to be done.
 
You call their service provider, use your social engineering skills and pretend like you need to reset access to your account
This is often astoundingly easy! A friend had his corporate password expire while he was hospitalized. Five minutes on the phone and he had access to his account without providing anything even remotely unique or secure. All it took was a good story. Which, in THAT case, happened to be true.
 
I'm in the camp that sees a traditional telephone number / SMS as creating a vulnerability in an account. I do not see it as a security enhancement. Sadly, more companies are requiring a phone number on an account.

Could a compromise be achieved by subscribing to one of the sms capable virtual phone number services? Perhaps one of those services might be "less hackable" / scammable?

One advantage to such a service is that the full phone number would not likely be known to a third party. It would not be my commonly advertised phone number.

EDIT: the vid above does play in the U.S.A. There is a similar vid floating about that I'll try to find & reference.

EDIT: found the vid:
Hacking challenge at DEFCON
 
Didn't NIST officially deprecate the (original) SMS protocol a few years ago? If it was discussed by @Steve in SN as I remember, it'll be in the show notes (and if not, in the transcriptions, where many things are discussed which are not included in the notes). As far as regulations for countries other than the USA, your mileage kilometers per liter may vary.

IIRC, that didn't change much in the nation or world at large as far as SMS was concerned, but it occurred.

In my opinion, all will be wonderful if Apple will support RCS messaging with Google's Messages app. As it is, I (using Android) have to enable cellular data in order to send MMS messages to iOS devices. Text-only messages between iOS and Android are all sent using plaintext SMS. My messages with my Android friends all use RCS messaging, as they have for many months (but they won't have full E2EE until the app updates to enable that for everyone).

I had thought Apple was going to support inter-OS RCS messages, but it makes sense (maybe) that they're waiting for Google to release a final Messages app (if that's the reason for the delay).
 
ASIDE: The phone network is made up of a bunch of servers called COs (Central Offices) which host one or more exchanges (known in phone parlance as NXXs) because of their position in the NA number plan (you can learn way too much by visiting the NANPA, the North American Numbering Plan Administrator). The North American phone number format is NPA-NXX-SNSN, where the parts are the 3-digit NPA (Area Code), the aforementioned 3-digit NXX, and a 4-digit subscriber number SNSN. (There are actually plans to add new NPAs and NXXs by adding a single digit to each, making for 12-digit phone numbers, but I don't know that they're still planning that urgently, as the exhaust situation was mitigated with some of the number portability changes, as well as by the fact that most people no longer have a fax or pager number.)

deprecate the (original) SMS protocol
No, not precisely. SMS messages are special data packets between COs. They're sent over the network control protocol SS7. SS7 was not secured really at all (and probably still isn't). This is the reason why SPAM calls and SMSes can so easily have fake phone numbers. Since the network is a collection of peers, there is not really a way to allow new providers to connect to it while enforcing that they don't send you utter junk.

You may be thinking of RCS, which is a Google initiative, that the carriers have mostly ignored for their own greedy reasons.
 
Police agencies and government agencies around the world (presumably; I know it occurs in the US, though it might be restricted by laws or requirements for warrants) and private citizens who are unaware of legality or don't care and set up their own live cellular hotspots can read plaintext messages as they 'go by.'

I think the deprecation by NIST was a departmental deprecation. I don't think it was intended as more unless as a general guideline. I remember going back after several months or years to try to find that and I was unable to find it, but I might have found references to it. I don't remember, likely due to various specific forms of retrograde and anterograde amnesia, which is an unnecessarily-specific way of saying "I forgot" .. more or less.
 
Awesome! That's great! I knew it had been mentioned... and the documentation on NIST explains the Social Engineering and Endpoint Compromise SMS vulnerabilities, too! That document contains updates as of 03/02/2020. It says "[t]his publication is available free of charge from <DOI.org link>."
(included in case the doi.org link is not updated to 02 March 2020, or is newer)

AHA! It's on Github. The comments and additions are handled via the Issues section there.

__________________________________________________________________________________
unrelated amazement, while listing multitudes of related and other code and data:

💡 Oh, wow! The National Institute of Standards and Technology (Department of Commerce) section on Github has 780 repositories. Wow. That's quite a group of wrappers, code, frameworks, implementations, repositories (i.e. the entire Lawrence Livermore National Laboratory software catalog), modeling language schemas, data sets (e.g. "Data Set: Assessment of Bias Errors Caused by Texture and Sampling Methods in Diffraction-Based Steel Phase Measurements"), ASM pipelines for benchmarking genome assemblies, tools for Automated Cryptographic Algorithm Validation (How could this help, as opposed to hinder, someone who is assessing cryptographic validity? Would it be worthwhile?), biometrics assessment tools, data set generators for use by other tools, this tool for characterizing the network behavior of IoT Devices (intriguing!), a TrojAI literature review which contains 124 or more links to "curated papers and arXiv articles that are related to Trojan attacks, backdoor attacks, and data poisoning on neural networks and machine learning systems...", an extensible JavaScript framework for analysis of deep zoom images on the web, text document collators and formatters for legal documents, a software scraper, an uncertainty machine, among many other things.

Most of the code is in Python, Java, C++, HTML, and JavaScript, but there's plenty of other code and other things, the broad categories of many of which I referred to above.

😲 This is like a goldmine! I had no idea it existed, and I follow a huge list of repositories on github! I'll be lost until the pandemic is in the past! Well, maybe.

...and
https://code.gov/ might contain even more (6388 repositories, to be precise), containing data scraped from various open-source repositories (such as github, where code.gov is hosted, if I read the homepage correctly) to glean details about everything relating to Americans and offices and calendars and complaints about education resources and amputee databases, NASA software, a "Docker container for the gophish phishing framework" and a "Cyber Hygiene system and overall documentation/issue tracking" and "a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs." and methods for creating and finding all manner of malware online and related things, and something described thusly: "This repository analyzes viral genomes using Nextstrain to understand how SARS-CoV-2, the virus that is responsible for the COVID-19 pandemic, evolves and spreads. This[...]will (by default) build augur all 50 states + DC + PR using the same parameters and subsampling strategy." and a lot of other SARS-CoV-2 on-web-data-finding tools, an extensible network forensic analysis framework (Enables rapid development of plugins to support the dissection of network packet captures), a tool to track relationships between advisors and advisees used to train, advise, and assist the Afghan government, "a set of project setup and development tools for an awesome engineering team," Guacamole clientless remote desktop gateway, and, well, no matter your profession, hobbies, or interests, I'll bet you can find something relevant in one of these collections of repositories.


You can ALSO find things like what generated this navigable 3D map of mars, from the perspective of the Curiosity rover, using data taken from orbiters and Curiosity: https://accessmars.withgoogle.com/ <--This is pretty nifty!
 