
Heimdallr's Security Howto's {Securing SMS}

#1

So in light of a few recent but private discoveries, I really feel it's time I started raising awareness of security-related topics.

@moderators and @wendell feel free to chime in or move my discussion. I was not sure where to place it

Since this is my first post on the topic/potential series, I will preface with this: it is not a full guide or how-to on how to make yourself hack proof or anonymous etc. This is not the place for full-on tinfoil hat. If you want to do that, head over to 0x1Sec or other security forums to do so LOL.

Basically, what this will be is a place where I share my finds, maybe some insights, or just a cool new app or program that I think is good for anybody's security practices to use.

That being said, I could possibly start focusing on OS sec and stuff, but for now I will keep it simple, and without needlessly making this TLDR, let's talk about one of the apps I have been using for a very long time.


As we all know, we live in a technological world where we rely on our cellphones and SMS to send messages and do business every day. However, despite some security measures taken by cell phone providers, SMS is still an insecure service and sometimes a vulnerability in a secure working environment.

Of course, the best practice is to never send secure data via SMS; however, sometimes I can see the merit in wishing to do so.

Let us talk a little bit about why SMS is insecure, highlighting the obvious in particular.


In theory SMS messaging is not secure. Why?

* You cannot guarantee who is in possession of the phone.
* Protocols governing transmission of SMS are not encrypted (SMPP; SS7; MM4 (interoperator connectivity); EAIF).
* Many channels, providers and operators can sit between the origin of the message and the receiving handset, meaning information could be compromised at any point.
* SMS works on a 'store-&-forward' basis, thus information would remain on providers' systems, operators' systems and the handset itself indefinitely; however, it can be deleted on the subsequent handset.
* As considerable as messaging volumes are for both A2P & P2P, the unique identifying factor is freely available; the mobile number is exactly that. Meaning compromised systems would be relatively easy to query for the desired messages.

Well, what's the solution? Can I still use my number and text securely? The answer is yes, albeit with a caveat. The application I am about to mention provides end-to-end encryption; however, you need both end points to be running the application and in a secure mode, obviously. Minus that, the app is easy to use and set up.

The application is called Signal, and I will show you the installation process and some of its menu options etc. without revealing too much. I have unveiled the security option of disabling it from blocking my screenshots temporarily for the sake of this post.

Well, looks like the app is so secure it starts out in that mode and doesn't let me screenshot registration. I am not complaining, this is good. Basically you start it. It asks your phone number to register it with the Signal SMS delivery system, and then you can invite friends and import your system SMS messages.

Another factor that makes Signal secure is that all the code is open source, which means anyone can look at how the app is written. That doesn’t mean hackers can break Signal’s encryption (which is virtually uncrackable due to it being AES256–SHA3-512–RSA4096 as the cipher technology), but it does mean security experts and users can check that Signal is maintaining the high privacy standards that it says it is, which is good. After all, the more eyes trying to spot the bug, the higher the likelihood of it being found.

So let's look at the menus. I might have gone in reverse order but ehh, it does not matter lol

In the advanced section you turn Signal on, like I have done, as the default provider for messages and calls, which means if the other end does not have Signal it will fall back, but it will always try the secure transmission first and alert you and give you an invite link for that person if they do not have it. Something I have found useful to spread awareness with.


The appearance section is self-explanatory, though the plus side to this app is that it offers some dark themes, which undoubtedly some people will find useful.


The SMS section allows you to fine-tweak the SMS and MMS capability, where you can provide delivery reports and ensure it's compatible with wifi calling. Something which you cannot find in a lot of third-party messaging apps, especially the secure ones. I have to hand a +1 to that seamless integration.


There is a notification menu where you can fine-tweak the important stuff and the priority. I have mine set to high because it makes me feel better about me sending messages with a high priority, but I am positive it probably does not do much LOL unless you have that service extension. Which is good to see that it can integrate with that level of services. I expect a lot from an application like this to provide a seamless experience.


Here is an example of a conversation between myself and my friend mike LOL. THOUGH UHM COUGH I SHOULD HAVE bleeped out more :wink: Other than peering into my private life, take a look at the time stamps; notice the double check mark and the lock icon. This is the app letting you know it was a secure and successful transmission. Various settings are included that allow you to set disappearing messages… view all media ever sent (EXCEPT disappearing messages); conversation settings allow you to change the background color… the notification settings etc. Reset Secure session destroys all data and restarts anew with a new and differently salted cipher to ensure a clean and secure new session. Attachments can be made, however there is a limitation. One at a time, as the Signal app does need to verify and encrypt each one. This is a limitation I hope they overcome in the future.



Chat settings are provided in the settings menu to provide the same experience as the AOSP messenger programs, which also features message trimming if you have limited space.



The privacy section is fantastic. I like the fact you can set a timeout passphrase, you can relay all SMS and calls through a Signal server (VPN), and you can have screen security block screenshots. Something I just turned back on.

So in light of the application tour, I would just like to say it gives me comfort to know apps like this have been developed. I contacted Signal via email and they gave me a lengthy explanation of how they safeguard the data from ever being kept or stolen through their servers. Needless to say, I am going to take their word for it given the extensive proof they gave me. In addition to that, their security FAQ is extremely well kept and worth the read.

https://support.whispersystems.org/hc/en-us/sections/202710618-FAQ

If you are convinced here is the link to your favorite device stores

Android:

Apple:

No windows phone support sorry :confused:

So let me know what you think below in the comments :slight_smile: and feel free to ask questions and bring up important points I am sure to have missed

2 Likes

#2

Seems I forgot to mention that registration does not require an account or any personal information being transmitted.

I will leave this second post for things I left out. :slight_smile:

0 Likes

#3

I wrote an app like this last year. It’s fun to do, though there is something you missed.

SMS isn’t a secure method of communication, yes, but it’s better than what you mentioned. Messages are encrypted, though it is not end to end like we would like.

Messages are encrypted on the mobile device and sent to your provider. They decrypt the message and forward it on to the recipient’s provider. The recipient’s provider then encrypts the message again and forwards it on to the recipient. When using SMS, trust is given to the 1-2 providers used in passing the message, assuming it’s within the same region. Between countries or large distances is a different story. Communication between the two providers is also encrypted.

So as long as the providers are trustworthy and are not compromised by, say, a government spying agency or infection, your messages won’t be viewed by anyone except the recipient and yourself. SMS is actually more secure than single-password wireless networks. No one can sniff a text message being sent to the local tower, as it is encrypted. It really comes down to how paranoid you are.

My little application I made was fundamentally flawed in its implementation; however, it involved sending RSA public keys over SMS between two devices to initialize a secure channel to pass an AES key. I’m guessing this does a similar thing. Not the most secure solution long term, since quantum processing just passed 72 qubits and RSA’s life is running short, but it works. But in all honesty, unless you have to use RSA, it’s honestly better to use other chat apps that offer p2p encryption like Facebook, assuming you trust their closed source implementation.

But that’s a story for another day.

You are on the right track, this is worth using if you can convince others to use it, though what we need is a similar solution to be implemented at an OS level by Google and Apple. We are reaching a point where most people can afford extra metadata messages over text, so there is no reason for this not to be implemented as part of the SMS protocol on mobile devices.

It’s good to see an application on the app store that works and is open source though. When I was making my application, there was no option.

1 Like
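
The kind of exchange post #3 describes (an RSA public key sent over SMS, then used to pass an AES key), as an added example that is not the poster's application or Signal's code: RSA-OAEP, AES-256-GCM, the fingerprint helper and all function names are assumptions chosen for illustration. It also counts the SMS segments the key needs and derives a fingerprint the two parties can compare out of band, since a key that arrives over plain SMS is unauthenticated.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Recipient: generate the RSA key pair whose public half will travel by SMS.
function newRecipient() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Public key as base64 text (every base64 character is in the GSM-7 alphabet).
function exportForSms(publicKey) {
  return publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
}

// GSM-7 SMS: 160 characters in a single message, 153 per part once concatenated.
function smsSegments(text) {
  return text.length <= 160 ? 1 : Math.ceil(text.length / 153);
}

// Short fingerprint to read aloud or compare in person before trusting the key.
function fingerprint(publicKeyB64) {
  const der = Buffer.from(publicKeyB64, 'base64');
  return nodeCrypto.createHash('sha256').update(der).digest('hex').slice(0, 32);
}

// Sender: wrap a fresh AES-256 key with RSA-OAEP, encrypt the text with AES-GCM.
function seal(publicKeyB64, plaintext) {
  const der = Buffer.from(publicKeyB64, 'base64');
  const pub = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  const aesKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: pub, ...OAEP }, aesKey);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', aesKey, iv);
  const ciphertext = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { wrappedKey, iv, ciphertext, tag: c.getAuthTag() };
}

// Recipient: unwrap the AES key, then decrypt; a modified message throws.
function unseal(privateKey, msg) {
  const aesKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', aesKey, msg.iv);
  d.setAuthTag(msg.tag);
  return Buffer.concat([d.update(msg.ciphertext), d.final()]).toString('utf8');
}

// Constructed demo run.
const demo = newRecipient();
const demoSms = exportForSms(demo.publicKey);
console.log('segments:', smsSegments(demoSms), 'fingerprint:', fingerprint(demoSms));
console.log(unseal(demo.privateKey, seal(demoSms, 'constructed test message')));
```
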