SMS GATEWAY PROTOCOLS AND SERVICES

SMS is a point-to-point store-and-forward technology with 2 basic services:

Short Message Mobile Terminated (SM-MT) - A mobile message routed from a client or an application and delivered to the end user's mobile phone.

Short Message Mobile Originated (SM-MO) - The ability of a network to transmit a short message sent by a mobile phone. The message can be sent to a phone or to a software application.

SMS allows message delivery to handsets either active/in-use or powered off:

SMS-Submit - Used to submit a short message from a mobile phone (Mobile Station, MS) to a short message service centre (SMSC, SC). SMS-SUBMIT-REPORT is an acknowledgement to the SMS-SUBMIT; a success means that the message was stored (buffered) in the SMSC, a failure means that the message was rejected by the SMSC.

SMS-Deliver - A measure of the percentage of outgoing SMS and MMS messages which are received at their intended destination. While sometimes referring to the status of a single message, SMS delivery usually is a rate of delivered versus intended messages and summarized as an 'SMS Delivery Rate.'

SMS PROTOCOLS

SMPP - SMPP (Short Message Peer-to-Peer Protocol) sends SMS (Short Message Service) text messages. SMPP is often referred to as “true SMS” or just “SMS texts.” The SMPP protocol was developed by the telecommunications industry specifically for sending text messages to cell phones: one-to-one or one-to-many. True SMS text messages are routed through cell phone carriers who charge fees for text messaging. The most commonly used versions of SMPP are v3.3, the most widely supported standard, and v3.4, which adds transceiver support (single connections that can send and receive messages). Data exchange may be synchronous, where each peer must wait for a response to each PDU it sends, or asynchronous, where multiple requests can be issued in one go and acknowledged in a skewed order by the other peer.
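The asynchronous mode described above only works if the sender matches each response to its request by sequence number and treats anything it cannot match as suspect. The following is an added example, not code from the original text: the function names, the 64 KiB length limit and the sample PDUs are assumptions made for illustration, while the 16-byte header layout and the command identifiers are those of SMPP.

```python
import struct

# SMPP header: command_length, command_id, command_status, sequence_number (big-endian).
HEADER = struct.Struct(">IIII")
SUBMIT_SM = 0x00000004
RESP_BIT = 0x80000000      # a response reuses the request's command_id with the top bit set
THROTTLED = 0x00000058     # ESME_RTHROTTLED
MAX_PDU = 64 * 1024        # assumed local sanity limit, not a protocol constant

def pdu(command_id, status, seq, body=b""):
    """Build one PDU: 16-byte header followed by the body."""
    return HEADER.pack(HEADER.size + len(body), command_id, status, seq) + body

def split_pdus(stream):
    """Yield (command_id, status, seq, body) per PDU, rejecting impossible lengths."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < HEADER.size:
            raise ValueError("truncated header")
        length, cid, status, seq = HEADER.unpack_from(stream, offset)
        if not HEADER.size <= length <= MAX_PDU or offset + length > len(stream):
            raise ValueError(f"bad command_length {length}")
        yield cid, status, seq, stream[offset + HEADER.size:offset + length]
        offset += length

def correlate(pending, stream):
    """Match responses to requests by sequence_number, whatever order they arrive in.
    pending maps sequence_number -> command_id still awaiting a response; matched
    entries are removed. Returns (acked, unsolicited).
    """
    acked, unsolicited = {}, []
    for cid, status, seq, _body in split_pdus(stream):
        if seq in pending and cid == pending[seq] | RESP_BIT:
            acked[seq] = status
            del pending[seq]
        else:
            unsolicited.append((cid, seq))   # never requested, or wrong response type
    return acked, unsolicited

def demo():
    # Constructed exchange: three submit_sm in flight, answered out of order, plus
    # one response whose sequence number was never issued.
    pending = {1: SUBMIT_SM, 2: SUBMIT_SM, 3: SUBMIT_SM}
    wire = (pdu(SUBMIT_SM | RESP_BIT, 0, 3, b"msg-c\x00")
            + pdu(SUBMIT_SM | RESP_BIT, THROTTLED, 1)
            + pdu(SUBMIT_SM | RESP_BIT, 0, 9, b"msg-x\x00"))
    acked, unsolicited = correlate(pending, wire)
    return acked, unsolicited, sorted(pending)
```

Sequence 2 stays pending in the demo, which is the state a client should time out on rather than wait for indefinitely.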

SMTP - SMTP (Simple Mail Transfer Protocol) is the protocol used for sending email. SMTP messages are delivered to cell phones in text format with headlines containing numbers and symbols. However, they are actually email messages that are sent to email addresses assigned to each cell phone by the carrier. SMTP messages are routed through the Internet and, as with email, there is no charge for delivery. The SMTP protocol is sometimes called “email to SMS,” “web to phone” or “standard delivery.” Suppliers sometimes market SMTP messaging as “free text messaging.”

HTTP - The HTTP-API allows you to integrate your application (client) with SMSGlobal (vendor) using the HTTP protocol to send SMS. HTTPS is also supported for secure transactions using SSL encryption. The client issues either an HTTP GET or POST request to the SMSGlobal HTTP interface, supplying a list of required parameters. SMSGlobal returns an HTTP response which indicates the validity of the transaction. The HTTP-API is used for one-way messaging only. Therefore, you need to provide a valid MSISDN as the Sender ID of the message to enable the recipient to respond.

SECURITY

THE BASICS OF SMS SECURITY

The technical specifications for SMS are laid down in ETSI TS 03.48 [5]. Certain options in the technical specification, such as the Security Parameter Index (SPI), the Ciphering Key Identifier (KIc), and the Integrity Value (RC/CC/DS), provide specifications for available security parameters. A Redundancy Check (RC), Cryptographic Checksum (CC) or Digital Signature (DS) might also be used for integrity verification of the data. However, these confidentiality and integrity mechanisms are only specified as optional security measures that can be made available; they are not mandatory requirements for SMS system implementation [6]. The availability of SMS services may also be interrupted by the SMSC.
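Because the SPI and KIc options above are optional, a reviewer has to read the header bits of each secured message to learn which protections it actually requests. The following is an added example, not part of the original text: the function names and sample octets are constructed, and the bit positions follow the SPI and KIc coding tables of the 03.48 specification as understood here, so check them against the revision you implement. Only the first SPI octet and the KIc octet are decoded; the second SPI octet (proof-of-receipt settings) is ignored.

```python
INTEGRITY = {0: "none", 1: "RC", 2: "CC", 3: "DS"}
COUNTER = {0: "absent", 1: "present, unchecked", 2: "must be higher", 3: "must be one higher"}
ALGORITHM = {0: "implicit", 1: "DES", 2: "reserved", 3: "proprietary"}
DES_MODE = {0: "DES-CBC", 1: "3DES-CBC-2KEY", 2: "3DES-CBC-3KEY", 3: "DES-ECB"}

def decode(spi: bytes, kic: int) -> dict:
    """Decode the first SPI octet and the KIc octet into named fields."""
    if len(spi) != 2 or not 0 <= kic <= 0xFF:
        raise ValueError("SPI is two octets and KIc is one octet")
    first = spi[0]
    info = {
        "integrity": INTEGRITY[first & 0x03],        # SPI bits 2-1
        "ciphering": bool(first & 0x04),             # SPI bit 3
        "counter": COUNTER[(first >> 3) & 0x03],     # SPI bits 5-4
        "algorithm": ALGORITHM[kic & 0x03],          # KIc bits 2-1
        "key_index": kic >> 4,                       # KIc bits 8-5
    }
    if info["algorithm"] == "DES":
        info["mode"] = DES_MODE[(kic >> 2) & 0x03]   # KIc bits 4-3
    return info

def audit(spi: bytes, kic: int) -> list:
    """List the protections a message header does not request."""
    info, findings = decode(spi, kic), []
    if not info["ciphering"]:
        findings.append("payload not ciphered")
    elif info.get("mode") in ("DES-CBC", "DES-ECB"):
        findings.append("single-DES ciphering")
    if info["integrity"] in ("none", "RC"):          # RC is an unkeyed checksum
        findings.append("no keyed integrity check")
    if info["counter"] in ("absent", "present, unchecked"):
        findings.append("no replay protection")
    return findings

# Constructed sample headers (SPI octets, KIc octet); not captured traffic.
SAMPLES = {
    "plain": (b"\x00\x00", 0x00),
    "crc-only-ecb": (b"\x05\x00", 0x1D),
    "cc-3des-counter": (b"\x16\x21", 0x15),
}

if __name__ == "__main__":
    for name, (spi, kic) in SAMPLES.items():
        print(name, audit(spi, kic) or "no findings")
```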

Without proper implementation of these SMS security options, everyday SMS messages transmitted on a network are only protected by the communication network itself, such as a GSM network. In practical use, SMS messages are not encrypted by default during transmission. A cyclic redundancy check is provided for SMS information passing across the signalling channel to ensure short messages do not get corrupted. Forward error protection is also incorporated using conventional encoding. Cryptographic protection of confidentiality and integrity is not available for SMS messages.

Short Message Service Security - Each short message has a validity period, during which the SMSC provides temporary storage if the SMS message cannot be delivered to the intended recipient(s) successfully. The SMSC will delete a stored SMS message if it cannot deliver the message within the validity period. After a message is deleted, the intended recipient(s) will not be able to receive the original message. Usually this can happen if the recipient is not in the SMS coverage area, such as during a business trip out of the country.

SMS SECURITY THREATS

Understanding the basics of SMS security opens the door to preventing some common security threats in SMS usage and implementation:

Message Disclosure - Since encryption is not applied to short message transmission by default, messages could be intercepted and snooped on during transmission. In addition, SMS messages are stored as plain text by the SMSC before they are successfully delivered to the intended recipient. These messages could be viewed or amended by users in the SMSC who have access to the messaging system. Spying programs such as FlexiSpy [7] enable intruders to automatically record all incoming and outgoing SMS messages and then upload the logs to a remote server for later viewing and analysis.

Spamming - While e-Marketers are using SMS as a legitimate marketing channel, many people have had the inconvenience of receiving SMS spam.
The availability of bulk SMS broadcasting utilities makes it easy for virtually everyone to send out mass SMS messages.

Flooding / Denial of Service (DoS) Attacks - Flooding or DoS attacks are made possible by sending repeated messages to a target mobile phone, making the victim’s mobile phone inaccessible. Studies also show that weaknesses in the SMS protocol could be exploited to launch a DoS attack on a cellular phone network. For example, it was found that sending 165 text messages a second was enough to disrupt all the cell phones in Manhattan [8].

SMS Phone Crashes - Some vulnerable mobile phones may crash if they receive a particular type of malformed short message. Once a malformed message is received, the infected phone becomes inoperable. Media reports have shown that mobile phones are vulnerable to this type of attack.

SMS Viruses - There have been no reports of viruses being attached to short messages, but as mobile phones are getting more powerful and programmable, the potential for viruses being spread through SMS is becoming greater. In addition, the ability of SIM application toolkits to let applications access the dialling functions and phone book entries might make SMS a suitable platform for spreading self-replicating viruses.

SMiShing (SMS Phishing) - SMiShing is a combination of SMS and phishing. Similar to an Internet phishing attack using email, attackers attempt to fool mobile phone users with bogus text messages. When users are taken in by a bogus text message, they may connect to a website provided in the SMS message and be tricked into downloading a malware application onto their mobile phones.

SMS SECURITY CONSIDERATIONS

To avoid security threats to SMS, users are advised to take the following common precautions:

Message Transmission - When sending SMS messages via a web browser, security protection should be in place to prevent message disclosure, such as using Secure Socket Layer (SSL) to secure the transmission.
For those applications that require secure transmission of a message, such as mobile banking, end-to-end encryption is advisable between the sender and the recipient. These transactional systems should have end-to-end security built in. For person-to-person communications, products such as CryptoSMS [12] are available to help users encrypt SMS communications using strong encryption algorithms. This can help protect against possible SMS interception threats.

Storage Protection - In the case of large-scale SMS broadcasts, customer mobile phone contact lists should be kept confidential and properly protected from disclosure. As contact lists are considered personal data, proper protection should be implemented in accordance with privacy laws and regulations.

User authentication - User login IDs and passwords should be used to authenticate users on web-based SMS services when sending short messages. User login IDs and passwords should not be disclosed to others. For secure transactions, user authentication should be protected by SSL.

Protection of PCs for sending messages - When sending short messages to an SMS gateway via the Internet, it is not advisable to use a public Internet terminal. If desktop utilities are used to send out SMS messages, the PC used to send the message should not be left unattended.

SMS is now a very common communication tool. Security protection of SMS messages is not yet sophisticated and is difficult to implement in practice. With the increasing use of SMS for communication and information exchange, care should be taken when sensitive information is transmitted using SMS. Users should be aware that SMS messages might be subject to interception. Solutions such as encrypted SMS should be considered if there is a need to send sensitive information via SMS.
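For the flooding threat described under SMS SECURITY THREATS, a gateway operator can detect repeated messages to one handset by counting per destination inside a sliding time window, regardless of which sender ID each message carries. The following is an added example, not part of the original text: the log format, the sample lines, the threshold of 5 messages and the 10-second window are all assumptions, and the input is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed gateway log: ISO timestamp, sender ID, destination MSISDN.
SAMPLE_LOG = """\
2024-05-01T09:00:00 bank-otp 15550122
2024-05-01T09:00:01 promo-1 15550111
2024-05-01T09:00:01 promo-2 15550111
2024-05-01T09:00:02 promo-3 15550111
2024-05-01T09:00:03 promo-1 15550111
2024-05-01T09:00:04 promo-2 15550111
2024-05-01T09:00:05 promo-3 15550111
2024-05-01T09:00:06 promo-1 15550111
2024-05-01T09:05:00 bank-otp 15550122
2024-05-01T09:05:30 promo-1 15550111
"""

def detect_floods(lines, limit=5, window=10.0):
    """Return {destination: {"peak": n, "senders": {...}}} for every destination
    that received more than `limit` messages within any `window`-second span."""
    recent = defaultdict(deque)   # destination -> (timestamp, sender) still in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        stamp, sender, dest = line.split()
        ts = datetime.fromisoformat(stamp)
        queue = recent[dest]
        queue.append((ts, sender))
        # Drop entries that have aged out of the window ending at this message.
        while (ts - queue[0][0]).total_seconds() > window:
            queue.popleft()
        if len(queue) > limit:
            alert = alerts.setdefault(dest, {"peak": 0, "senders": set()})
            alert["peak"] = max(alert["peak"], len(queue))
            alert["senders"].update(s for _, s in queue)
    return alerts

if __name__ == "__main__":
    for dest, alert in detect_floods(SAMPLE_LOG.splitlines()).items():
        print(dest, alert["peak"], sorted(alert["senders"]))
```

Keying on the destination rather than the sender is what lets the check catch a flood spread across several sender IDs, as in the sample.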