I like to play with phones.
5 years ago my cell phone decided it wanted to play on its own. It did participate in a TV voting – so the provider said and the itemized bill proved. This was for a music show I wouldn’t even watch if somebody paid me for doing so.
The bill showed that my phone sent SMSes every few seconds, faster than a human being would be able to type. At that time I had two mobile phones with the same number. None of them showed any SMSes sent at that time.
The costs amounted to about € 27,- but this was negligible in comparison to the opportunity costs of me spending considerable time in preparing documentation for the provider – assuming naively that they would appreciate my input.
My arguments were:
- None of my phones sent the SMSes, see attached screenshots of messages sent. On the day in question I did neither place nor receive any calls at all.
- At this evening nobody was in the house who might have sent these SMSes for fun or accidentally. No kids, no drunk friends at a party. I even offered to show them my calendar, entries to my time tracking software or driver’s logbook to prove I was at home.
- Sure – I could have used another phone in addition to the two I had. But if I did not I had to remove the SIM cards from the primary phones and insert them to a hacker phone. For doing that I would have needed to turn the phones off and the other one on – and this should show up in their log files. And I hadn’t turned off the phones for a long time.
Things I didn’t say but figured were obvious:
- We are a business customer with typical bills amounting to hundreds of Euros per month. It did not make sense from a commercial perspective to invest time in researching an issue related to a loss of € 27,-
- I am working in security myself, and I would have more lucrative things to do right now than putting together that documentation. I am a friendly, patient researcher informing a company about a security issue privately and not describing that on my blog.
It was all in vain and not obvious to them. Their reply was: The bill shows that you sent these SMSs. Period. They claimed to have done technical investigation, yet this took just a few hours.
I appealed to the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) that handles such issues. They said they could not do anything either.
One year later I found a news article about a similar case – calls that allegedly have been made in the middle of the night, every few seconds, and the customer wasn’t believed either. (For German readers: Article from archive.org).
How could my phone(s) have been hacked?
Many how-tos can be found on the internet on cloning a GSM SIM card, given physical access to the original and the proper tools.
Over-the-air cloning was an option for the sophisticated hacker 10 years ago, but at the security conference Blackhat 2013 a German researcher presented his findings about breaking SIM cards' protection mechanisms. He is quoted as saying:
Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it.
I had also found a few hints to a Bluetooth-related hack but I had been paranoid enough anyway to never turn on Bluetooth for such reasons – and I considered it absurd that some evil hacker was lurking in the fields behind our backyard trying to control my phone over Bluetooth … for the sole purpose of placing these votes.
Accidentally, some time later I had access to an itemized phone bill issued by the same provider to a client of mine.
On the other customer’s bill I found different uncommon phone numbers, in this case for other silly games – but the pattern was the same: A small amount of money spent on dubious services compared to the total bill. Isn’t that a perfect business model? Rip off business customers whose bill is likely to be much higher than the costs of the fraudulent calls and whose lengthy detailed bills would not be checked. I only discovered both incidents as I am quite obsessed with a semi-automated nerdy analysis of phone bills.
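The pattern described here (many cheap items to one number, only seconds apart, small next to the total bill) can be checked mechanically on an itemized bill. The following is an added example, not the author's own analysis tool; the CSV layout, phone numbers, prices and thresholds are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import median

# Constructed sample bill: CSV layout, numbers and prices are assumptions.
_burst = "\n".join(f"2009-05-02 20:15:{s:02d},SMS,0900000001,0.50"
                   for s in range(0, 32, 4))  # 8 SMS, 4 seconds apart
SAMPLE_BILL = (
    "timestamp,type,destination,cost_eur\n"
    "2009-05-01 09:12:40,CALL,0100000002,1.20\n"
    "2009-05-01 09:30:05,SMS,0100000003,0.10\n"
    + _burst + "\n"
    "2009-05-03 14:02:11,SMS,0100000003,0.10\n"
    "2009-05-03 14:20:45,SMS,0100000003,0.10\n"
)

def parse_bill(text):
    """Return sorted (timestamp, type, destination, cost) tuples."""
    return sorted((datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S"),
                   r["type"], r["destination"], float(r["cost_eur"]))
                  for r in csv.DictReader(io.StringIO(text)))

def find_bursts(rows, max_gap=timedelta(seconds=10), min_events=5):
    """Flag runs of >= min_events items to one destination, each <= max_gap apart."""
    by_key = {}
    for ts, typ, dest, cost in rows:
        by_key.setdefault((typ, dest), []).append((ts, cost))
    bursts = []
    for (typ, dest), events in by_key.items():
        run = []
        for ev in events + [None]:          # None flushes the final run
            if ev and run and ev[0] - run[-1][0] <= max_gap:
                run.append(ev)
                continue
            if len(run) >= min_events:
                gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(run, run[1:])]
                bursts.append({"type": typ, "destination": dest, "count": len(run),
                               "median_gap_s": median(gaps),
                               "cost_eur": round(sum(c for _, c in run), 2)})
            run = [ev] if ev else []
    return bursts

def report(text):
    rows = parse_bill(text)
    total = sum(r[3] for r in rows)         # bursts shown as a share of the whole bill
    return [dict(b, share_of_bill=round(b["cost_eur"] / total, 3)) for b in find_bursts(rows)]

if __name__ == "__main__":
    print(report(SAMPLE_BILL))
```

On a real business bill the share of the flagged burst would be far smaller than in this short sample, which is why the gap between items, not the amount, is the signal to sort by.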
Of course I called the phone company again on behalf of my client, and we were again treated as clueless participants in online games who tried to deny the obvious.
I am not such a hardcore phone phreak – so I am still looking for clues.
In the only feasible explanations were:
- Somebody doing that elaborate over-the-air-hack that was – in 2009 – quite leading edge.
- A manipulation of the data in the provider’s data center – that’s why I thought my inquiry could be helpful and I would not be treated as the most stupid phone user or as a liar.
But probably SMS spoofing does not require so elaborate a hack as it seems to be surprisingly easy to make a text message appear to originate from another number. Many sites offer SMS spoofing for pranks and for legitimate marketing. This article describes a scenario involving a malicious user impersonating the subscriber with number 1112221111 and explains that
The larger problem is that the subscriber attached to the 1112221111 number is billed for the SMS message and is likely to balk at the incorrect charge.
(Yes. If the customer has a chance to balk.)
Now I am waiting for some offers from lawyers reading this who might want to help me fight for my € 27,- in the future. I promise this is going to be as exciting as a Michael Crichton movie.
I was tempted to add – alluding to my nostalgic images: Those were so much safer! But the history of phone phreaking actually shows that the ancient phone system had suffered from glaring vulnerabilities re-discovered again and again since the 1950s. What did they expect from a system that uses the same line for sending voice and control signals? Kids with perfect pitch, often blind, discovered how to whistle their way to free long-distance calls.
I celebrated my phone hacking anniversary by reading this book I can only give my highest recommendations:
The blurb is apt: Before smartphones and iPads, before the Internet or the personal computer, a misfit group of technophiles, blind teenagers, hippies, and outlaws figured out how to hack the world’s largest machine: the telephone system.