5 Years Anniversary: When My Phone Got Hacked

I like to play with phones.

Phone, 1970s, Austria
This is the phone we inherited when we bought our house. I kept it as it is the same 1970s type of phone I grew up with. I have recently resurrected it and connected it to an analog port of our phone system in this makeshift fashion. Great ringer!

5 years ago my cell phone decided it wanted to play on its own. It did participate in a TV voting – so the provider said and the itemized bill proved. This was for a music show I wouldn’t even watch if somebody paid me for doing so.

The bill showed that my phone sent SMSes every few seconds, faster than a human being would be able to type. At that time I had two mobile phones with the same number. Neither of them showed any SMSes sent at that time.

The costs amounted to about € 27,- but this was negligible in comparison to the opportunity costs of me spending considerable time in preparing documentation for the provider – assuming naively that they would appreciate my input.

My arguments were:

  • None of my phones sent the SMSes, see attached screenshots of messages sent. On the day in question I neither placed nor received any calls at all.
  • On this evening nobody was in the house who might have sent these SMSes for fun or accidentally. No kids, no drunk friends at a party. I even offered to show them my calendar, entries to my time tracking software or driver’s logbook to prove I was at home.
  • Sure – I could have used another phone in addition to the two I had. But if I did not I had to remove the SIM cards from the primary phones and insert them into a hacker phone. For doing that I would have needed to turn the phones off and the other one on – and this should show up in their log files. And I hadn’t turned off the phones for a long time.

Things I didn’t say but figured were obvious:

  • We are a business customer with typical bills amounting to hundreds of Euros per month. It did not make sense from a commercial perspective to invest time in researching an issue related to a loss of € 27,-
  • I am working in security myself, and I would have more lucrative things to do right now than putting together that documentation. I am a friendly, patient researcher informing a company about a security issue privately and not describing that on my blog.

It was all in vain and not obvious to them. Their reply was: The bill shows that you sent these SMSs. Period. They claimed to have done technical investigation, yet this took just a few hours.

I appealed to the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) that handles such issues. They said they could not do anything either.

One year later I found a news article about a similar case – calls that allegedly have been made in the middle of the night, every few seconds, and the customer wasn’t believed either. (For German readers: Article from archive.org).

How could my phone(s) have been hacked?

Many how-to’s can be found on the internet on cloning a GSM SIM card when having physical contact to the original, given the proper tools.

Over-the-air cloning was an option for the sophisticated hacker 10 years ago, but at the security conference Blackhat 2013 a German researcher presented his findings about breaking SIM cards’ protection mechanisms. He is quoted as saying:

Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.

I had also found a few hints to a bluetooth-related hack but I had been paranoid enough anyway to never turn on bluetooth for such reasons – and I considered it absurd that some evil hacker was lurking in the fields behind our backyard trying to control my phone over bluetooth … for the sole purpose of placing these votes.

Accidentally, some time later I had access to an itemized phone bill issued by the same provider to a client of mine.

On the other customer’s bill I found different uncommon phone numbers, in this case for other silly games – but the pattern was the same: A small amount of money spent on dubious services compared to the total bill. Isn’t that a perfect business model? Rip off business customers whose bill is likely to be much higher than the costs of the fraudulent calls and whose lengthy detailed bills would not be checked. I only discovered both incidents as I am quite obsessed with a semi-automated nerdy analysis of phone bills.
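A bill check of the kind mentioned above could look like the following. This is an added example, not the author's own script; the CSV column names, the sample rows, the phone numbers and the thresholds are all constructed assumptions. It flags runs of SMSes to one number that are spaced only seconds apart and reports how small a share of the total bill they make up.

```python
import csv
import io
from datetime import datetime

# Constructed sample export; column names and all numbers are assumptions.
SAMPLE_BILL = """\
timestamp,type,destination,cost_eur
2009-07-10 09:12:05,CALL,+4310000001,0.35
2009-07-10 14:40:51,SMS,+4366400000002,0.10
2009-07-11 20:31:02,SMS,0900000003,0.50
2009-07-11 20:31:06,SMS,0900000003,0.50
2009-07-11 20:31:10,SMS,0900000003,0.50
2009-07-11 20:31:15,SMS,0900000003,0.50
2009-07-11 20:31:19,SMS,0900000003,0.50
2009-07-11 20:31:23,SMS,0900000003,0.50
2009-07-12 08:03:44,SMS,+4366400000002,0.10
2009-07-12 08:20:00,CALL,+4310000001,120.00
"""

def find_sms_bursts(bill_csv, max_gap_s=10, min_events=5):
    """Flag runs of SMS to one destination sent faster than a person could type."""
    rows = list(csv.DictReader(io.StringIO(bill_csv)))
    total = sum(float(r["cost_eur"]) for r in rows)
    by_dest = {}
    for r in rows:
        if r["type"] == "SMS":
            ts = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
            by_dest.setdefault(r["destination"], []).append((ts, float(r["cost_eur"])))
    bursts = []
    for dest, events in by_dest.items():
        events.sort()
        run = []
        for ev in events + [None]:  # None is a sentinel that closes the last run
            if ev and run and (ev[0] - run[-1][0]).total_seconds() <= max_gap_s:
                run.append(ev)
                continue
            if len(run) >= min_events:
                cost = sum(c for _, c in run)
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
                bursts.append({
                    "destination": dest, "count": len(run),
                    "start": run[0][0], "end": run[-1][0],
                    "max_gap_s": max(gaps), "cost_eur": round(cost, 2),
                    "share_of_bill": round(cost / total, 4),
                })
            run = [ev] if ev else []
    return bursts

if __name__ == "__main__":
    for burst in find_sms_bursts(SAMPLE_BILL):
        print(burst)
```

The two ordinary SMSes to the same mobile number a day apart are not flagged, because a run needs at least `min_events` messages within `max_gap_s` seconds of each other.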

Of course I called the phone company again on behalf of my client, and we were again treated as clueless participants in online games who tried to deny the obvious.

I am not such a hardcore phone phreak – so I am still looking for clues.

The only feasible explanations were:

  • Somebody doing that elaborate over-the-air-hack that was – in 2009 – quite leading edge.
  • A manipulation of the data in the provider’s data center – that’s why I thought my inquiry could be helpful and I would not be treated as the most stupid phone user or as a liar.

But probably SMS spoofing does not require so elaborate a hack, as it seems to be surprisingly easy to make a text message appear to originate from another number. Many sites offer SMS spoofing for pranks and for legitimate marketing. This article describes a scenario involving a malicious user impersonating the subscriber with number 1112221111 and explains that

The larger problem is that the subscriber attached to the 1112221111 number is billed for the SMS message and is likely to balk at the incorrect charge.

(Yes. If the customer has a chance to balk.)

Now I am waiting for some offers from lawyers reading this who might want to help me fight for my € 27,- in the future. I promise this is going to be as exciting as a Michael Crichton movie.

I was tempted to add – alluding to my nostalgic images: Those were so much safer! But the history of phone phreaking actually shows that the ancient phone system had suffered from glaring vulnerabilities re-discovered again and again since the 1950s. What did they expect from a system that uses the same line for sending voice and control signals? Kids with perfect pitch, often blind, discovered how to whistle their way to free long-distance calls.

I celebrated my phone hacking anniversary by reading this book, to which I can only give my highest recommendation:

Exploding the Phone:
The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell
by Phil Lapsley.

The blurb is apt: Before smartphones and iPads, before the Internet or the personal computer, a misfit group of technophiles, blind teenagers, hippies, and outlaws figured out how to hack the world’s largest machine: the telephone system.

15 Comments

  1. Red Cert says:

    I would bet SS7 abuse. Someone trying to manipulate the vote using your number as sender. 5 years ago this would have been difficult to trace in most mobile operators.

    1. elkement says:

      I wrote the post in 2014 – it happened 9 years ago! Yeah, I read about SS7 abuse much later…

  2. I didn’t like this post … because it scared me. When an IT professional like you can’t get the phone company to listen … who could? Crazy story. Also … I agree with Maurice that the new Gravatar is very nice. D

    1. elkement says:

      One mistake I probably made was: I played by the rules and talked only to my “account manager”. These people are responsible for lots of small business customers – I guess my background did not really matter, they just need to resolve their “cases” as quickly as possible and meet their numbers. Not that I did not understand that…
      Or probably other customers who really have made calls use all kinds of hilarious excuses – so “I am a security expert, please believe me…” sounded probably pathetic.

      I had another equally weird encounter with another phone company (no hacking, just annoyance… probably I will someday turn that into a blog post as well) and in that case I could have used some internal connections. But I never do this – it feels like undercover research!

      1. It’s funny you should comment on customer service folks … you should listen to this story I heard on National Public Radio this morning … (sorry for the long link) ..
        http://www.npr.org/blogs/alltechconsidered/2014/07/15/331681041/comcast-embarrassed-by-the-service-call-making-internet-rounds … I got a headache just listening to it. D

        1. elkement says:

          Hahaha – thanks for the link! I consider myself a very patient customer but I admit after a call like this going on for minutes I would definitely have lost it.
          I think I have to promote my other kafkaesque phone company experience to a blog post for entertainment, too. It was different from this call but I think I was as annoyed. The thing that freaked me out was having to tell the same complaint (that turned out to be true at the end, as they admitted after that conversation going on for weeks) again and again to all kinds of new “support personnel on duty” – and I got replies and suggestions that were too good to be made up.

          I have been stating for years that “customer service”, “help desk”, and “hotlines” provided by large companies (no matter if it is telcos, banks, airlines, big vendors of IT equipment whatever…basically any service you are unfortunately dependent on and where you can just pick from a few similar options) have become more of a nightmare than the worst satirical caricature of a governmental agency … that has people line up forever in queues and tells them in the end “No, you should have filled in the pink form instead of the yellow one, and queue again at the other counter”. Governmental agencies have become quite “customer-oriented” actually

    2. elkement says:

      … and thanks for clicking the Like button though :-)

  3. M. Hatzel says:

    Timely post. I’ve been playing with my android smart phone… glad to know I’m not the only one avoiding blue tooth (lol). I’m writing this on the phone now so keeping it short. Sometimes I can’t get comments to post… lots of trouble on Pairodox site lately. I will make it a priority to do some proper blogging when I get back to a computer.

    1. elkement says:

      Thanks, Michelle – I hope you are on vacation and enjoy it!!
      I was offline for some days, too, and with the browser on my stone-age smart phone I cannot use most social networking sites.

  4. I wonder just how many people had the same issue and, like you, found it was not really practical to address it and get the charges reversed.
    In a related note, while I am no great lover of any of the wireless providers here as they charge far too much for their services, I will say that the customer support line for my provider (Bell) is excellent. They do listen and are helpful. That’s certainly not the case for all of them. Now, as for pricing. Ugh! My monthly bill, which includes 6 cellphones, 20 Meg fibre and digital TV is over $500 Canadian. No discounts whatsoever because I have a lot of stuff. In the past year the CRTC (our federal regulatory body) banned mandatory 3-year contracts and the providers responded, predictably, by jacking up the prices. See here:
    http://www.bell.ca/Mobility/Cell_phone_plans?EXT=MOB_PDL_Google_TXT_DEF_ACQ_021814_MR_Gname=Bell_Branded_AG=Site_Links_Kw=Get_the_Perfect_Rate_Plan&gclid=CKHituvuzr8CFeXm7AodlGoARg
    Bottom line: for an LTE phone with voice, text and just 1 gig per month of data (I typically use 4 and pay for 6) you’d pay $75 plus up front costs for 2 years. For a business I suppose that’s fine, but for personal use it’s excessive.
    But, Elke, the carriers know we are so dependent on our mobiles here we’ll pay anyway, so they don’t care.
    Lastly, about the book. While I have not read the book I am familiar with the story as I read a related article on it somewhere else. Fascinating to be sure.
    I have not been reading much lately as I’ve been concentrating on my new gig. I will maybe blog on it later in August but you can see a bit more (it’s based on what you already saw on facebook) here. http://imgur.com/a/Fw6eG

    1. Oh, two more things: (1) as always enjoyed your post and (2) Loved the new image. You are so lucky–you live in one of the most beautiful places on earth.

    2. elkement says:

      Thanks, Maurice! Yes, I also believe that this fraud or prank or whatever had been more widespread and customers most likely did not notice. In that year I have detected many more (non-hacking) errors in the phone bills and had objected to them successfully – like being charged double for some services …

      Up front costs like that sound familiar as well as the ongoing tug of war between regulator and phone companies. Here (in our small European countries) roaming costs were most annoying, mainly for people spending holidays abroad. After the providers have been forced to lower them the costs for calling from home to other countries have been increased silently.

      I am looking forward to your next posts! Re books I have totally zoomed in on hacking and hacker culture.

      1. I suspect that if we checked around we’d find that there’s a lot more “monkey business” going on with our digital lives than we suspect.
        By the way, I love your new gravatar. I think it effectively captures the two sides of you that come through in your writing: 1–the serious professional side that’s focused on physics, renewable energy and security and 2–the combination of playfulness merged with intellectual curiosity that results in your subversive side. I noticed also that you have updated your gravatar to include a background image and liked the effect to the point that I became a copycat and did the same.

        1. elkement says:

          Thanks again! Interesting how such an “accidental snapshot” seems to capture one’s true self …
          I have changed the Gravatar’s background last year (so this is “last year’s lake in the mountains”) – I had already forgotten that I did that; thanks for the reminder :-)
