SMS spoofing flaw closed as technology marks 20th anniversary

News by Dan Kaplan

Users who send and receive Twitter messages via text message from their mobile phone are vulnerable to a weakness that could allow anyone to post a tweet to their account.

Users who send and receive Twitter messages via text message from their mobile phone are vulnerable to a weakness that could allow anyone to post a tweet to their account.

According to developer and security researcher Jonathan Rudenberg, who discovered the flaw, all the attacker needs to know is the target's phone number and they can spoof the originating address of the text message or the SMS itself.

He said: “Like email, the originating address of [an] SMS cannot be trusted. Many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number.

“The cleanest solution for providers is to use only an SMS short code to receive incoming messages. In most cases, messages to short codes do not leave the [mobile phone] carrier network and can only be sent by subscribers. This removes the ease of spoofing via SMS gateways.”

Rudenberg said that he had received confirmation from both Facebook and Twitter that the issue has been resolved. He suggested that services like Twitter implement challenge-response questions, which, for example, could require the sender to repeat back a ‘short alphanumeric string' to confirm that they are the one who sent the tweet.

This week marked the 20th anniversary of the first text message and according to the Guardian, more than 8 trillion messages were sent last year and around 15 million leave our mobile screens every minute.

Recent research from Cloudmark found that 64 per cent of UK mobile text message users aged 16 and older had received spam texts in the past year, but most are still unsure of how to take appropriate action. It found that 63 per cent of British texters would ignore an unsolicited text message, yet only 10 per cent would actually take the correct action by reporting spam to their carrier and a third (31 per cent) would text ‘STOP'.

Trevor Connell, managing director of Siemens Enterprise Communications, said: “It is interesting that in the middle of all the advances in telecommunication technologies we have seen in the last 40 years, it has been the one that offers the least personalised service that has caught on so fast. Indeed, having the senders face appear next to the SMS message received has only been advanced in the last six years.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews