SMS Forging & Countermeasures

By Sunny Vaghela sunny@techdefence.com

Session Flow
SMS Introduction SMSC Overview SMS Routing in GSM SMSC Implementation SMSC External Interfaces SMS Types CIMD 2.0 MO-MT,AO-MT Routing SMS Spamming SMS Forging Solutions

SMS & SMSC Overview

SMS is a globally accepted wireless service that enables the

transmission of alphanumeric messages between mobile subscribers and external systems such as e-mail, paging and voice mail systems.

SMSC is a server which serves as a main controller for routing of Short messages and for storing and forwarding of SMS.
Reasons why SMSC is required? Routing of SMS Temporary storage Retries Value added service on SMS Interconnect mechanisms for various services like Paging, VMS, E-mail, etc.

SMS Routing in GSM

SMSC Implementation
There are two ways to implement the SMSC server in GSM network.
1. SMSC server itself having Gateway functionality.

2. SMSC server only for storing and forwarding and MSC is having Gateway functionality.

SMSC - 1
In this set up the SMSC server is connected to MSC via ss7 signaling links and talks on MAP layer. The SMSC server itself performs the SMS routing functionality and sends and receives MAP layer messages. Advantage Since the SMSC itself is doing the routing, it becomes very easy to troubleshoot various SMS routing related problems. Disadvantage High number of signaling links required to handle high SMS traffic. Hence it requires costly SS7 cards and stacks in the SMSC server itself.

SMSC - 2
In this set up the SMSC is connected with MSC on TCP/IP links. This set up with Nokia SMSC is only possible with Nokia MSC. It is not supported with other vendors MSC. Advantage: Very less number of TCP/IP links can cater to very high SMS traffic. Disadvantage: The functionality of SMSC server is restricted to only store and forward. It is also very difficult to resolve routing related functionalities as MSC is doing the same.

SMSC External Interfaces

SMS Types
Mobile Originated SMS Mobile Terminated SMS Application Originated SMS Application terminated SMS

MO MT & AO-MT Routing

MO MT & AO-MT Routing

SMS Spamming
In case of MO-MT SMS,Private SMS providers tries to spoof SDCCH Channel. They Spoof MSC Address which will used to authenticate to Nokia SMSC. After getting Access to Nokia SMSC, they will send Thousands spoof SMS from random sender id.

SCCP/SDCCH Address info

0791 7283010010F5 040BC87238880900F1 0000993092516195800AE8329BFD4697D9. 07- Length of the SMSC information (in this case 7 octets) 91 - Type-of-address of the SMSC. (91 means international format of the phone number) 72 83 01 00 10 F5- Service center number(in decimal semi-octets). The length of the phone number is odd (11), so a trailing F has been added to form proper octets. The phone number of this service center is "+27381000015". 04- First octet of this SMS-DELIVER message 0B-Address-Length. Length of the sender number (0B hex = 11 dec) C8-Type-of-address of the sender number 72 38 88 09 00 F1- Sender number (decimal semi-octets), with a trailing F.

SMS Forging
SMS Forging is the Technology which anyone can send SMS from any number of their choice. This is made possible due to AO-MT feature of SMSC.

SMS Forging
When SMS is sent using application, it is routed through international gateways.

Message id of SMS is spoofed at International gateway.

Finally SMS is routed to destination SMS Center number. As there is no authentication system, it is sent to destination number with spoof ID.

SMS Forging

Live Demo

Solution for MO-MT Spam/forging

Rules Based Filtering

Rules_orig_int file is defined for filtering the SMS coming from the Pvt Gateways with the virtual MSC Id. It checks for the IMSI as well as MSISDN. If anything found fishy, it simply reject the message. MNP feature is included for future purpose. If MSISDN & IMSI not found for MO SMS then, $>SMSC3>rules_orig_int <Oaddr>&<Destaddr>&<Rejected>

Solution for AO-MT SMS Spam/forging

Rules Based Filtering

Rules_dest_nat & rules_dest_int checks for the registered application address. If not found,it rejects the SMS. If app address is not registered then, $>SMSC3>rules_dest_nat <appaddr>&<Oaddr>&<rejected>

Thank You