Detection of Silent (Stealth) SMS Type 0 [$115 awarded] #69
Comments
|
very good! i bought it also two years ago :) but on my shitty HTC Wildfire nothing ever worked. |
|
@SecUpwN I will push some commits tomorrow that address some more existing bugs but also implements a Sms broadcast receiver to check for Class 0 messages, I just need to finish the preferences and modify the way the fragments are implemented to make it easier to show and hide individual pages in the app so if a Class 0 message is intercepted it can display information and notify of the threat. |
|
Thank you so much, @xLaMbChOpSx - I don't know what this project would be without you! 👍 |
|
If this is implemented, I can actually test this in real network environment. |
|
What exactly do you mean by "real network environment", @mr1smith? |
|
This means that I'll be able to test if this (detection of silent sms's for location tracking) works in commercial gsm network. |
|
I will be pushing a commit for this and other stuff tomorrow after my exam, I have another next Wednesday then I will be back. |
|
Do I smell awesome times ahead? THANK YOU, @xLaMbChOpSx! |
|
@xLaMbChOpSx I'm not going to be able to sleep until then! |
|
Yet again another very awesome WIP-Release @xLaMbChOpSx! The new Silent SMS Detection feature has been implemented just fine, only two things that I noticed when testing the feature through a self-sent Silent SMS using HushSMS:
Other than that: Awesome work! @E3V3A, have you been testing this feature yet? Anything to add? |
|
@SecUpwN I haven't, we need to post instructions for people how to test for Silent SMS! I'll download and test very soon. |
|
@E3V3A, I'm about to create an official User Guide for AIMSICD with Screenshots within our GitHub WIKI. Please stay tuned, this may take a few days. But testing for Silent SMS is really simple: Just download HushSMS and send yourself a Class-0 SMS. The latest WIP-Release will immediately display the alert. |
|
OK, first impressions. Dection of standard class-0 sms's works, as stated above this can be tested with tools like HushSMS. Notification about such messages is always displayed by phone, even without AIMSICD and actual implemenetation depends on phone software. However, detection of real "silent sms" messages which are used for location tracking (similar thing is implemented in HushSMS as sms ping, type0) is not working. |
|
@E3V3A, check your PMs on XDA, please. 😈 |
|
A short message type 0 indicates that the ME must acknowledge receipt of the short message but may discard its contents. http://www.etsi.org/deliver/etsi_gts/03/0340/05.03.00_60/gsmts_0340v050300p.pdf Here is the document explaining silent sms dos attack: http://mo.co.za/open/silentdos.pdf I assume that the author of HushSMS could help in differentiating class 0 (flash sms) and type 0 (silent sms) messages. |
|
SMS Class: Additional MT SMS Functionality: TS.11 Device Field and Lab Test Guidelines v.11.7: |
|
@mr1smith Thanks for links. I remember some of those, but it was well over 2 years ago I last looked at those. I'll need to look again, because from what you say above, "class 0" is really just the flash SMS we were used to from Nokia days. What we need to look for, are the other ones. |
|
here is a PDU Converter :) maybe useful sometimes... http://rednaxela.net/pdu.php |
|
I think I already found the way to detect type 0 messages but I'm currently having problems with compiling the project with android studio. class 0 detection should be replaced with type 0 detection, each phone is already processing and notifying user about class 0 messages. |
|
@mr1smith Can you be more specific, regarding the compilation problems, so that perhaps @xLaMbChOpSx or someone else could help you? |
|
I was able to resolve compilation problems which were related to Pro Guard. Anyway, type 0 sms messages can be identified by Protocol Identifier (TP-PID) value (0x40 - bit 7: 0, bit 6: 1, bits 5-0: 0). However, detection seems to be impossible in a way we are currently trying to accomplish this since handling of silent sms's is done in baseband layer and these messages are never reaching application level at all. Updating existing class 0 check:
with
will still not detect silent sms's. I already tested this... |
|
I took a look at |
|
@mr1smith yes, exactly it doesn't even reach the Application Processor. With a SIM-Proxy we could catch the signal if it reaches the SIM-Card. That is for example when a OTA Messages is send as WAP-Push. So its possible to install software on the SIM-Card, silently. But it would be better if we could catch it in the Baseband of cause :) so we are at the same point, like we are with AT Commands. |
|
Really frustrating if this is really the case :( |
|
i am just thinking now... if we could get some code working in the baseband that copys all incoming signals we need to the AP, we would be lucky. I know most Radios work with shared memory. But who can programm on that kind of Realtime-OS? I was also looking for some kind of open-source that would work on the Radio-hardware. But nobody could do it, as far as i saw it... |
|
If you pass the -v time argument to logcat, it will include a timestamp for each line. If you process that timestamp, you have some options for dealing with this issue, such as saving the timestamps of SMS events that have already been logged/alerted, simply ignoring anything older than 5 seconds, etc. Maybe there is also an option to skip printing historical logs and only output new ones as they come, but I didn't see it. |
|
Hi @scintill, nice to see you back. I think the time stamp is the best idea, which is why we already have a timestamp in the DB in the first place... |
|
Yea I was thinking that about using the timestamp but will the timestamp remain the same for each line everytime we access the buffer? This will also help with other detection methods like if we recieve an sms acknowledged in buffer and didn't receive in the sms broadcast receiver then it would indicate some sort of silent sms. If the logcat timestamp remains the same for each line everytime we access buffer then this method would be possible. At the moment I programmatically create one when sms spotted in logcat. |
|
@E3V3A, I know this sounds like I'm a freak, but would you actually please take some quality time to re-read this whole Issue and find out what needs to be implemented by @banjaxbanjo to actually close it as fixed or at least know where we need to continue with this (other than #491 for testing everything)? |
|
Detection works in some cases, but (not for me) and will surely need to be re-tested after new DB structure #215 has been put in place. |
|
@SecUpwN So far logcat sms detection is working from what basebands (phones) I have but is impossible for me to create a one for all sms detection unless I had a crap load of different baseband logs with incoming sms. My galaxy S5 detects wap/mwi/type0 and sony xperia detects mwi/wap. As for automatic testing I wouldn't know where to find a web service like that. |
|
The detection strings as shown in the Database Viewer are truncated instead of wrapped. Hard to tell what works... |
|
@E3V3A these will also be removed in new update as we are going with a pre populated db so I wont be loading from json file. I think I might also add a boolean in database table to tell which string works in the database. This will come in useful for identifying with strings work on what phones. |
|
Actually, being able to load these strings from a json file, may not be such a bad idea, especially for debugging. Also, I'm a little concerned how |
|
@E3V3A Their currently is no issue with single quotes with the pre-populated database and when inserting a new detection string in the AdvancedUserActivity.java but I have tested and if you enter " a double quote it will cause an error. I haven't come across a detection string yet that has a double quote. I've added a little check on the insert function to alert advanced users if (edit_adv_user_det.getText().toString().contains("\""))
{
Toast.makeText(getApplicationContext(), "String not added\n \" double quote will cause db error", Toast.LENGTH_SHORT).show();
}Here is the DB function that inserts the string public boolean insertNewDetectionString(ContentValues newstring) {
// First check that string not in DB
String check4String = String.format("SELECT * FROM %s WHERE %s = \"%s\"",
DBTableColumnIds.DETECTION_STRINGS_TABLE_NAME,
DBTableColumnIds.DETECTION_STRINGS_LOGCAT_STRING,
DatabaseUtils.sqlEscapeString(newstring.get(DBTableColumnIds.DETECTION_STRINGS_LOGCAT_STRING).toString()));
Cursor cursor = mDb.rawQuery(check4String, null);
int count = cursor.getCount();
cursor.close();
if (count > 0) {
Log.i(TAG, "Detection String already in Database");
} else {
try {
mDb.insert(DBTableColumnIds.DETECTION_STRINGS_TABLE_NAME, null, newstring);
Log.i(TAG, "Detection String Added");
return true;
} catch (Exception ee) {
Log.i(TAG, "Detection String failed");
}
}
return false;
} |
|
@banjaxbanjo Ok then there is a problem with the strings you use. I don't get any app detection, but with logcat they are there. I'm using these strings: and detecting with: # logcat -v time -b radio -b main |grep "Received short message type 0"
07-07 00:25:43.889 D/GsmSmsDispatcher( 1234): Received short message type 0, Don't display or store it. Send Ack(b) # logcat -b radio -b main |grep "SMS_ACKNOWLEDGE true 0"
D/RILJ ( 1234): [66918]> SMS_ACKNOWLEDGE true 0And sending a |
|
@E3V3A did you enter this in the detection activity Received short message type 0 And set type0 from drop down menu SMS_ACKNOWLEDGE true 0 is going to give you a crap load of popups. And its pretty strange that its not detecting since the strings are char for char the same. Did this work before the timestamp PR? Also one thing I noticed and I had the same issue is delete AIMSICD from superuser and let it ask again for root when enabling sms detection this will probably solve your issue and any time I install a new dev I get this problem. 99% sure this is your issue |
|
@banjaxbanjo No it doesn't work. (And I didn't try before timestamp thing.) I tried:
Nothing! EDIT! Ooopah!! Restarting app and repeating (7-8) indeed results in detection! Fantastic! A few problems noted: a) Is there any timeout or time limit here? What is the minimum waiting time, to ensure detection? b) There seem to be some app caching taking place, as I need to restart app AND toggling SMS Detection after adding a new string. A few UX/UI things:
|
|
@E3V3A hmm when I think of it the detection strings are loaded on app start so that would explain why it didn't detect new string before restart, I will look into it soon. updateSms strings are loaded when SmsDetector is started
Still weird that the others strings are not detecting tho I will put in more _Log.i()_ to output events for you also when tackling this. |
|
I think this is the problem: String MODE = "logcat -v time -b radio\n";// defaultThe We need to keep an annotation about all our strings and from what buffer they can be found in. |
|
@E3V3A That's new I always thought all this low level baseband radio data would come from the logcat radio. I guess thats the problem can you email an edited version of your logcat EVA and send a wap wmi and a type 0 sms. (remove personal data) just need to lines from start of incomming sms to the end of the last bit of useful sms data.
I really don't want to use a filter because the more baseband/phones add the bigger and more complicated the filter will become plus we will probably miss important data like the senders number etc, also where ye having issues before with users not having grep installed?. What you think?
There isn't really a time limit soon as the string is seen in log it alerts user. Will I add an option in prefs menu for verbose logging
Detection Strings are loaded when SmsDetector is called public SmsDetector(Context newcontext){
tContext = newcontext;
dbacess = new AIMSICDDbAdapter(newcontext);//SmsDetectionDbAccess(newcontext);
//# dbacess.open();
ArrayList<AdvanceUserItems> silent_string = dbacess.getDetectionStrings();//<--loaded strings
//# dbacess.close();
SILENT_ONLY_TAGS = new String[silent_string.size()];
for(int x = 0;x <silent_string.size();x++)
{
SILENT_ONLY_TAGS[x] = silent_string.get(x).getDetection_string()+"#"+silent_string.get(x).getDetection_type();
}
prefs = newcontext.getSharedPreferences(AimsicdService.SHARED_PREFERENCES_BASENAME, 0);
} |
|
Added main buffer in 908ed98. |
|
After the great HackTeam leak, it is apparent that it is very important that we detect various WAP push messages. Here they write: And here: |
|
@E3V3A Some stuff here also https://github.com/hackedteam/fuzzer-android |
|
@banjaxbanjo
No you're missing the point. How many times a minute, is the |
|
@E3V3A ah I see, I continously read and keep buffer open if I had to put a timer to check every x seconds minutes we would prob miss data and Id say the average users phone wouldn't have the high logging like you have set eva. It's not very cpu intensive from short test Ive done. What you think? |
|
This thread is getting too long! PLEASE CONTINUE DISCUSSION HERE! |
SecUpwN
changed the title
SecUpwN
changed the title
and others
Law enforcement agencies are very often sending out so-called "silent SMS" (see this German article) which do not show up on a display of a target device, nor trigger any acoustical signal when received. But when they are delivered they generate a delivery receipt and, most importantly, are recorded in a data retention database together with the location of a mobile phone which received it. There's no need for an IMSI-Catcher then. Reliable detection of silent SMS will be crucial to the usefulness of AIMSICD.
I have already contacted Michael (@SilentServices), the developer of the useful tool called HushSMS, which also enables its users to send out different types of SMS (including type Class 0, but without the location request). Check out his company Silent Services. I have bought his app a long time ago and am hoping he'll contribute some code snippets for detection of such SMS. Stay tuned.
The $115 bounty on this issue has been claimed at Bountysource.
The text was updated successfully, but these errors were encountered: