The hacktivists who hijacked thousands of insecure printers to raise awareness of potential vulnerabilities in the world’s internet-connected systems – and to promote PewDiePie's YouTube channel – have struck again.
Twitter user @j3ws3r, alongside @0xGiraffe, has attempted to send text messages to every mobile phone in the United States using a system called SMS gateways, drawing attention to their weakness against hacking. “Companies are very… let’s say stupid, to leave these SMS gateways open to anyone to use,” says @j3ws3r, who refused to reveal his identity, age or location, fearing legal repercussions.
The hackers have taken advantage of SMS gateways, which are often used by businesses to send text messages en masse to users. SMS gateways are often accessed through paid-for online services, but the way they are configured means that a simple PHP command can send an SMS message to any number used by major mobile phone networks.
First indications that the messages are trickling through to users have been posted on Twitter as users tweet at the hacktivist asking how he sent them texts.
So how did they do it? @j3ws3r generated a 32GB list of 7.2 billion potential phone numbers – every possible number in the United States, by writing a script that generates every number from 1111111 to 9999999, then appends it to a list of pre-existing US area codes.
That list was used to send emails using mailx, a Unix command, through SMS gateways, to every potential number generated. In all, the hacktivist sent the message to 26 different email addresses that act as SMS gateways for the major US networks. Users across the United States are receiving text messages encouraging them to either disable SMS email gateways on their phone, or to call their provider and ask them to do so. The hacktivists are sending out messages at a rate of 800 a minute, he claims.
“From my private research a malicious person could easily screw up lots of phones,” the hacktivist says. “Malicious actors could use this to phish or get people to click on links they shouldn’t,” explains @j3ws3r, after showing us a screenshot of a text message claiming to come from an nsa.gov email address, that the hacktivist generated by spoofing the address from which the SMS email was meant to come.
“Many of the SMS gateways have broadened their offerings to support scripted interaction, with a range of interface API’s supported,” says Simeon Coney of AdaptiveMobile Security. “The per-message price points of these gateways also means that the cost barrier to sending high volumes of messages to recipients can be very low – so much so that some legitimate businesses (and some not so legitimate) use it to send messages to mobile users with whom they have no permission to contact. We certainly see many senders programmatically hitting massive numbers of recipients.”
@j3ws3r first found the vulnerability in SMS gateways three years ago, and claims to have raised it with Apple. He says he didn’t point out the issue to networks “since I knew carriers won’t do anything”. He recently revisited the issue, conducted more research and identified the potential risk with SMS gateways. “I decided to just do this,” he says – “an automated way of warning everyone, and hopefully promoting change from these companies.”
It’s important to do so not just because of the phishing risk, the hacktivist says, but also because of the potential to harness SMS gateway vulnerabilities to bring down mobile phone networks at a whim – akin to a distributed denial of service (DDoS) attack. “I’ve done private tests with different phones and carriers and I successfully froze an Android and iPhone with the sheer amount of texts I could send without restriction,” he says.
Others believe that built-in anti-spam measures may prevent many of the messages from arriving on phones. One telecoms source was skeptical that the method would work on a large scale, saying it was likely the messages may only get to a few people.
At the point of writing there has only been a couple of messages sent to either of the hackers on Twitter asking about SMS messages that have been received. Because of the large scale of the phone numbers they're trying to target, their script is likely to take some time to run. However, it could also be a sign of the entire effort failing or being blocked by network operators. @j3ws3r has also tweeted: "Few setbacks with the SMS project. Easily fixable. Just give it time ;)".
Users can also disable SMS gateway use on their phones – or have their provider do so – or most can also block the sender being spoofed, which will stop any further messages being received. However, @j3ws3r says phones on AT&T, the United States’ largest mobile phone network, wouldn’t be able to block mass spoofed messages. “Instead of receiving one text from the spoofed email, for some reason AT&T randomises it,” he says. “If I sent 1,000 messages to an AT&T phone using their gateway you’ll get 1,000 separate messages that you can’t block since they aren’t from one sender.”
But @j3ws3r has no intention of doing that – he just wants to raise awareness of another hole in the tech infrastructure we use every day. “It needs to be more controlled,” he says. “Possibly we should only allow registered users to use the gateways. Currently, malicious people can use it for whatever they want unless it’s controlled and restricted.”
This article was originally published by WIRED UK
