Thursday, September 20, 2007

Exploiting Mobile Networks

As some of you might know, almost all major mobile phone manufacturers started to incorporate modems inside mobile phones some years ago. These built-in modems, known as GSM modems, are basically the same as any other modem: they allow computers to use the mobile phone's hardware to establish data connections over GSM networks.

During the past two days, I've been experimenting with my mobile phone and came up with some neat tricks that I'd like to share.

I was exchanging commands with the GSM modem inside my mobile phone. To do that, I set up a Bluetooth connection between my laptop and my mobile phone (Nokia 6230i), then emulated a serial port connection over it. If you don't have Bluetooth, or if for some reason you can't do this, a serial cable will do.

I used Microsoft HyperTerminal to communicate with my phone. Luckily, today's mobile phones are smart enough to deal with computers smoothly; the whole setup didn't take a minute :)

Next I started trying out a few AT or "Attention" commands. These are a subset of a large command set known as the Hayes command set, which is supported by almost all of today's dialup modems.

For a GSM modem, there are extended AT commands related to other GSM protocols. Some of these deal with the Short Message Service (SMS) we're all familiar with.

The thing that got my attention is that a short message can contain much more information than we are used to thinking. An SMS is not just a business card, a ringtone or some text!

A short message can actually contain any kind of binary data together with special headers known as User Data Headers (UDH) to instruct the receiving phone how to deal with the received data!

Another amazing observation is that Short Message Service Centers (SMSCs) do not put any restrictions on the transmitted message content! (Orange Jordan does not, to say the least).

This means that you can transmit whatever data you want inside an SMS message and the SMSC won't mind as long as you comply with the communication protocol. Of course, mobile phones generate the UDHs for short messages automatically, so one has to interface a computer to the GSM network to be able to generate one's own UDHs.


So what can you do? Well, by modifying the UDHs attached to an SMS, you can trick the receiving mobile phones into doing surprising things. So far I’ve been able to pull the following tricks:

  • Send false server commands that notify the recipients of the arrival of a number of fax, email and voicemail messages and display sticky icons on their mobile phones. These icons can’t be cleared by the mobile phone itself and the mobile won’t display the SMS sender’s number!

  • Send messages that show their content as soon as they are received by other mobile phones.

  • Send messages that can delete other messages!!!

Reading the PDU Messaging Protocol can reveal a number of surprises. The biggest, probably, is that the bit indicating a Control/Data SMS is set by the SMS sender, not by the SMSC. Furthermore, some of these messages (better called “commands”!) are received and executed by mobile phones silently (no message tone, no vibration, and not even a screen light!).
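The same PDU fields seen from the receiving side, as an added example that is not the post's own code: this decoder parses an SMS-DELIVER PDU the way a GSM modem returns it in PDU mode and flags the sender-controlled headers described above (a UDH supplied by the sender, the special SMS message indication behind the sticky icons, class-0 "flash" display, and the silent type-0 and replace-type protocol identifiers), so a log of received messages can be triaged for them. Field layout and constants follow 3GPP TS 23.040; the sample PDUs, SMSC and sender numbers are constructed placeholders.

```python
# Added example, not the post's code: triage a received SMS-DELIVER PDU (layout per
# 3GPP TS 23.040) as a GSM modem returns it in PDU mode, flagging what the post describes.

IEI_NAMES = {0x00: "concat-8bit", 0x01: "special-sms-indication",
             0x04: "port-8bit", 0x05: "port-16bit", 0x08: "concat-16bit"}
MWI_TYPES = ("voicemail", "fax", "email", "other")   # IEI 0x01 indication types

def _bcd(hexstr):
    """Decode nibble-swapped BCD digits and strip the F fill nibble."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2)).rstrip("F")

def triage_deliver_pdu(pdu_hex):
    b = bytes.fromhex(pdu_hex)
    pos = 1 + b[0]                            # SMSC address: length byte counts octets
    first = b[pos]; pos += 1                  # TP-MTI (bits 0-1), TP-UDHI (bit 6), ...
    if (first & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU")
    udhi = bool(first & 0x40)                 # sender placed a UDH in the user data
    oa_digits, toa = b[pos], b[pos + 1]; pos += 2
    oa_len = (oa_digits + 1) // 2             # originator address length is in digits
    sender = ("+" if toa & 0x70 == 0x10 else "") + _bcd(b[pos:pos + oa_len].hex().upper())
    pos += oa_len
    pid, dcs = b[pos], b[pos + 1]; pos += 2   # TP-PID, TP-DCS
    pos += 7                                  # TP-SCTS timestamp, not needed for triage
    udl, ud = b[pos], b[pos + 1:]
    # class 0 ("flash": shown at once, not stored) in the general or the 0xF0 coding group
    flash = ((dcs & 0xF0) <= 0x30 and (dcs & 0x13) == 0x10) or (dcs & 0xF3) == 0xF0
    checks = [("udh", udhi), ("flash", flash),
              ("mwi-dcs", 0xC0 <= dcs <= 0xEF),          # message-waiting groups in TP-DCS
              ("silent-type0", pid == 0x40),              # Type 0: acknowledged, never shown
              ("replace-type", 0x41 <= pid <= 0x47)]      # replaces an earlier same-type message
    flags = [name for name, hit in checks if hit]
    ies = []
    if udhi and ud:
        i, end = 1, 1 + ud[0]                 # UDHL, then a chain of IEI / IEDL / IED
        while i + 1 < end:
            iei, iedl = ud[i], ud[i + 1]
            ied = ud[i + 2:i + 2 + iedl]; i += 2 + iedl
            name = IEI_NAMES.get(iei, f"iei-0x{iei:02x}")
            if iei == 0x01 and len(ied) == 2:  # special SMS message indication (the icons)
                store = "store" if ied[0] & 0x80 else "discard"
                name += f":{MWI_TYPES[ied[0] & 0x03]}={ied[1]}:{store}"
                flags.append("mwi-udh")
            ies.append(name)
    return {"sender": sender, "pid": pid, "dcs": dcs, "udl": udl, "ies": ies, "flags": flags}

# Constructed sample PDUs (SMSC +1234567890, sender +12345678901), not captured traffic.
PLAIN_PDU = "06912143658709" "04" "0B912143658709F1" "00" "00" "70902112000000" "02" "C834"
MWI_PDU = "06912143658709" "44" "0B912143658709F1" "00" "04" "70902112000000" "05" "0401028205"
```

Feeding the output of a modem's +CMGL listing through `triage_deliver_pdu` and alerting on anything with a non-empty `flags` list is enough to notice such messages, which the phone itself would otherwise show silently or not at all.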

Of course, these tricks were the yield of a few hours of experimenting (and, needless to say, the price of the messages). I think anyone can come up with more tricks by simply reading and understanding the protocols behind the whole thing in detail.

My target trick is to be able to send people anonymous SMS messages. Although it is impossible to prevent SMSCs from attaching your phone number to the message, it is still relatively easy to embed a certain UDH that tricks the receiving phone into not displaying your phone number!

As much as it sounds like exploiting the SMS service, this is merely a use of the GSM SMS protocol in its full capacity, unlocking the “hidden features” that our mobile phones do not let us access.

18 Response(s) to "Exploiting Mobile Networks"

  • Sep 21, 2007 3:38 AM

    ma3en said:

    hey man, that's pretty cool shit :) maybe you can write a "step by step" guide on how to do those tricks, it would be cool :)


  • Sep 21, 2007 3:41 AM

    Ghaith said:

    Well, I wouldn't mind. Anyone else interested?


  • Sep 21, 2007 3:25 PM

    Ahmad said:

    Nope...


  • Sep 21, 2007 4:37 PM

    Ghaith said:

    Ahmad, you look like you're interested in having 500 icons pop up on your mobile's screen?


  • Sep 21, 2007 10:52 PM

    sharkooseh said:

    Ghaith, I really love your site, but..... you know :P the things you write aren't my thing :P


  • Sep 22, 2007 1:50 AM

    NASER said:

    this is just to feel happy about your SMS thing

    U KNOW


  • Sep 22, 2007 2:08 AM

    Ghaith said:

    sharkooseh

    That's fine, they're not my thing either, but what can we do :P

    Anyway, if you like it, you like it, and if you don't like it... you like it.

    Naser

    You shouldn't have told me, so that it would be a surprise ;)


  • Sep 22, 2007 6:53 PM

    Ahmad said:

    Well I guess if it wasn't for me you would've received better comments, sorry Dude, but truth got to be told. I'm sure somebody, who's not far from the edge of the world, would be interested. Lori Linstruth!? perhaps... You never know.


  • Sep 23, 2007 2:08 PM

    The Anonymous One said:

    very interesting stuff, keep it up! perhaps even throw in some bluetooth hacking techniques and you'll have my full attention... : )


  • Sep 23, 2007 7:17 PM

    Ghaith said:

    Bluetooth hacking isn't an easy thing to do Anonymous.

    First of all, there are many protocols and devices involved in Bluetooth technology, all of which use secure PIN authentication. As far as I know, exploiting the connection at the communication level is almost impossible. This is because the Bluetooth specifications have high security standards.

    The hacks we hear about involving Bluetooth are mainly due to bad implementations of Bluetooth protocols, not because those are insecure or exploitable.

    On the other hand, exploiting Bluetooth requires direct access to the Bluetooth device hardware, which is not an easy thing to set up.

    You see, one of the things that made messing with GSM networks easy is that mobile phones provide an easy means to interface to the network. With Bluetooth, it is different.


  • Sep 24, 2007 10:15 AM

    Basel said:

    Hey, Nice thing you got going here. I can feel your vibe.
    Glad you liked my blog. I appreciate it.
    In my bookmarks and on my watch. Have a nice day.


  • Sep 24, 2007 10:22 AM

    Ghaith said:

    I've subscribed to your feed too, we do have some common interests.

    Thanks for dropping by :)


  • Sep 26, 2007 8:38 PM

    Lubna said:

    interesting but not useful, only to evil deeds maybe:P

    the heck, some people deserve to be messed around with. have a bit of fun at ma3en's expense :D


  • Sep 27, 2007 1:29 AM

    Ghaith said:

    I actually see it useful in many ways, not necessarily to pick on people but as an expansion to a service we're all using. Having the thought of it, alone, brings many ideas to my mind.

    Anyways, in the next few days, I'll post about a new feature that is already implemented and running on this blog. It was inspired and aided by my investigation on GSM networks. I'll show you how I turned the whole thing "useful" :)


  • Sep 27, 2007 1:05 PM

    Lubna said:

    okay, i'm waiting!

    by the way i really missed the knowledge i get from your blog:) always interesting for me to read!


  • Sep 27, 2007 2:23 PM

    Ghaith said:

    Thanks, it's a joy to read your comments too :)


  • Nov 15, 2007 7:02 PM

    Firas said:

    Nice!

    Tacknaloojya!

    So all I have to do is connect my cell to my PC and then have a serious talk with it? Can it automatically fetch a girl's number for me?

    But you have to know the receiver's number first? Can it be done using Bluetooth, meaning that any phone in range will be hacked?

    You are a bad person, bad!

    PS: I have just connected my cell to the PC, but it's not doing all the cool stuff you are talking about! What gives!


  • Nov 16, 2007 12:16 PM

    Ghaith said:

    lol Firas, no, you still have to get the recipient's number on your own. This has nothing to do with Bluetooth :)

    Also connecting your mobile phone to your PC isn't enough, you have to "talk" to it, like you said ;)

