This was a topic I wasn’t going to cover, because I think it is a potentially serious problem (an opinion shared by several people I have discussed it with). However, by the time I release this tutorial I will have taken every possible step toward alerting the pertinent authorities to this vulnerability and its potential effects. This being said, let’s continue.
As many of you know, most people with a cell phone have a plan that includes SMS/text messaging. It is possible to send a phone a message via email, provided that you know the target phone’s full 10-digit phone number and its provider. You send an email to the number at the particular provider’s predetermined address and voilà, the phone gets the message. If you were to send several messages, the phone would receive those as well, and this is where the potential for attack comes in.
Obviously this service, being not only free but also incredibly easy to use, creates and even invites the potential for abuse. This article will cover how to create such an attack locally (one target) and also discuss the theoretical implications of a wide-area attack.
Obviously anonymity is the key.
As you may or may not know, there are several ways to send an email anonymously, and many programs are available that already have this feature or can be modified to perform this function automatically. By sending the target’s phone either a predetermined number of emails or an endless loop of them, the target will receive that same number of text messages. How quickly this attack takes effect seems to depend on the provider/service and the method used in the attack.
There are many ways to stage an attack, yet the principle is the same.
Create an email account that does not require confirmation for forwarding of messages. I will use Gmail as a working example for the time being. Be sure to create and access this account as anonymously as possible, utilizing proxies, war driving combined with MAC spoofing, public terminals (with attention to cameras, sign-ins and terminal seating placement/arrangement), and any other measures you may take to protect your identity. Ideally a combination of methods should be used. Once the account is created, simply set it up to receive as many emails as possible. This can be accomplished by signing up for various daily mailings, alerts, groups, etc. Be creative. Once you are happy with the amount of traffic being generated, simply forward the account to the target.
Settings > Forwarding and POP > Forward a copy of incoming mail to >
Obviously, enter the target’s address in the field provided.
This method’s effectiveness depends solely on the amount of traffic you can generate in the mail account’s inbox and the speed at which it is generated.
Create a Yahoo account. Again, be sure to create and access this account as anonymously as possible, as I previously mentioned. When setting up this account, be sure to add the target’s email address as the secondary email address. Log in and go to alerts.yahoo.com or the alerts setup page. At this point your goal is to activate as many alerts as possible on the account, so use the alerts you think will yield the most traffic. I have found keyword auction alerts to be particularly effective when using keywords like “of”, “an”, “be”, “ship”, “my”, etc. Be sure to set these alerts to “Immediate Delivery” for maximum effect. I would think that 15 to 20 common keywords ought to constitute a significant attack.
Using telnet or another similar means to send an anonymous email is also a possibility; however, this method’s effectiveness hasn’t been as good as that of the other methods I’ve covered so far. This may have something to do with the SMTP servers I’ve been using in my proof-of-concept testing, so I’m going to cover my ass and say that results will vary. It’s very simple to do, and automation of this process is also relatively standard, though for general security and convenience reasons I won’t be posting code, or where to get code, for an anonymous mail bomber. I should however comment that there are many existing programs out there that can either be modified or utilized in a particular way so as to make them anonymous. (Update – When using reliable SMTP servers, this method is just as effective as the others mentioned.)
Many chat clients offer the option of forwarding IMs/PMs to a mobile device. (AIM, for example, has no confirmation at all… just pop in the number and flood away.) Some chat clients, however, require a confirmation from the cell phone user to activate it. While this would seem to be a secure way to ensure that no abuse of the system, or attacks like the ones we are speaking about, takes place, we seem to have a general lapse in security. Let me explain.
Using Yahoo Messenger as an example: when setting up the account to forward all messages to a mobile device, it requires that you know the provider/service of the phone number, and it also sends the phone a 5-digit numerical confirmation number. This number must be entered into the form for the changes to take place. However, for some strange reason there is no brute-forcing protection on this entry field, so it’s only a matter of running through 5 numerical characters… a feat that would take a program with the proper dictionary file no time whatsoever. In any case, once the confirmation number has been entered, it is simply a matter of sending as many IMs/PMs to that ID as possible, and again there are many existing programs out there that can be modified to be used anonymously and effectively, or already are, and if nothing else are easy enough to create.
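The weakness just described is the missing attempt limit, not the code itself, and the forwarding setup discussed earlier has the same shape of problem (a forwarding destination that is never asked to confirm at all). The following Python is an added example of what a confirmation flow with attempt limiting and expiry looks like; it is not Yahoo’s or any messenger’s code, and the limit of five attempts, the ten-minute lifetime and the sample phone number are constructed values for illustration. With no attempt counter the 5-digit space is 100,000 guesses and every one of them is accepted; with the counter, the request is voided after five wrong guesses and a fresh request gets a new random code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for this example (not from the original post).
CODE_DIGITS = 5          # the post describes a 5-digit numeric confirmation number
MAX_ATTEMPTS = 5         # wrong guesses tolerated before the request is voided
CODE_TTL_SECONDS = 600   # a code stops being valid ten minutes after issue

KEYSPACE = 10 ** CODE_DIGITS   # 100000 possible codes; trivial without a limit


@dataclass
class PendingConfirmation:
    """One outstanding request to forward messages to a destination
    (a phone number here, but an email address for mail forwarding)."""
    destination: str
    code: str
    issued_at: float
    attempts: int = 0
    confirmed: bool = False
    voided: bool = False


def issue_confirmation(destination: str, now: Optional[float] = None) -> PendingConfirmation:
    """Create a fresh random code. Only the destination ever receives it; the
    account holder has to type it back, which proves control of the destination."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(KEYSPACE):0{CODE_DIGITS}d}"
    return PendingConfirmation(destination=destination, code=code, issued_at=now)


def verify_code(pending: PendingConfirmation, guess: str, now: Optional[float] = None) -> str:
    """Check one guess and return 'confirmed', 'wrong', 'expired' or 'locked'.

    The attempt counter is the missing control the post points at: with no
    counter every one of the 100 000 codes can be tried; with one, the request
    is voided after MAX_ATTEMPTS wrong guesses and the next request gets a new
    random code, so earlier guesses tell the guesser nothing.
    """
    now = time.time() if now is None else now
    if pending.voided:
        return "locked"
    if now - pending.issued_at > CODE_TTL_SECONDS:
        pending.voided = True
        return "expired"
    pending.attempts += 1
    if hmac.compare_digest(pending.code, guess):   # constant-time comparison
        pending.confirmed = True
        return "confirmed"
    if pending.attempts >= MAX_ATTEMPTS:
        pending.voided = True
        return "locked"
    return "wrong"


def guesses_until_lockout(pending: PendingConfirmation, now: float) -> int:
    """Walk the code space in order against the protected verifier and report
    how many guesses it accepts before voiding (or confirming) the request."""
    for n in range(KEYSPACE):
        result = verify_code(pending, f"{n:0{CODE_DIGITS}d}", now=now)
        if result in ("confirmed", "locked", "expired"):
            return n + 1
    return KEYSPACE


if __name__ == "__main__":
    req = issue_confirmation("2125550100", now=0.0)   # constructed number
    print(f"code space: {KEYSPACE} guesses")
    print(f"guesses accepted before lockout: {guesses_until_lockout(req, now=1.0)}")
```

The same `PendingConfirmation` record would back a “forward a copy of incoming mail to” setting: the destination address receives the code, nothing is forwarded until `verify_code` returns `confirmed`, and a voided or expired request leaves the setting unchanged.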
Enough methods. If you’ve read any of my other articles you know that there’s more than one way to do anything and everything. I’m sure you can use these examples to perform your own proof-of-concept tests and will come up with a few other methods I didn’t mention or perhaps never thought of. Now let’s move on and discuss the implications of applying this attack to broader targets.
If you live in the North Eastern US (possibly other locations as well) and were trying to use your cell phone during the terrible attacks of 9-11, you may have noticed that the network was busy and the phones didn’t work the whole time, if at all. This was due to the unusually large volume of calls going out at once, which the towers weren’t ready to handle. The towers were flooded and therefore basically experienced a DDOS attack through legitimate traffic. The same principle would theoretically apply if one were to use this SMS attack method on a wide scale, say every number in a particular area code and across a variety of providers. (Obviously this is all speculation, because I don’t see the point of potentially shutting down cellular service in an area just for a proof of concept.) In any case, let’s say one were to launch an attack on a scale of that size or larger (several or all area codes in an area ranging from a few towns to the continental United States) of 750,000 messages. This would result in one of the following:
1. Every phone with txt/sms messaging service will receive 750,000 messages.
2. The local cellular towers become overwhelmed by the traffic and emulate a DDOS attack.
The least destructive possibility is that the person initiating the attack would overwhelm the cellular provider’s servers and cause them to fail. Also, obviously, if one were to make a list of every possible number in a particular range, not all of them would be valid phone numbers, and those would bounce back with “delivery not sent” messages. Removing potentially invalid numbers from the list would prove tedious if not maddening. If one were to use a mail server that allowed forwarding without confirmation to do this (for example Gmail), this person could use this forwarding flaw to their advantage and initiate a completely separate, simultaneous attack using the hundreds of thousands of bounce-backs to flood another mail server, a particular account, etc.
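From the gateway operator’s side, the single-target flood and the wide-area one share a signature: an unusual number of messages to one destination number, or from one sending address, inside a short window. The Python below is an added example of per-recipient and per-sender rate limiting at an email-to-SMS gateway, run over a constructed batch of messages; it is not any carrier’s code, and the thresholds (10 messages per number and 50 per sender per 10 minutes), the sender addresses and the phone numbers are assumptions for illustration. Over-limit messages are dropped rather than bounced, which also removes the bounce-back traffic the paragraph above describes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# Constructed policy values for this example (not from the original post).
PER_RECIPIENT_LIMIT = 10   # messages one number may receive per window
PER_SENDER_LIMIT = 50      # messages one sending address may submit per window
WINDOW_SECONDS = 600       # sliding window of ten minutes


@dataclass(frozen=True)
class GatewayMessage:
    ts: float        # submission time in seconds
    sender: str      # envelope sender of the email
    recipient: str   # the 10-digit number in front of the gateway domain


class SlidingWindowLimiter:
    """Per-key sliding-window counter: at most `limit` hits per `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, ts: float) -> bool:
        q = self._hits[key]
        while q and ts - q[0] >= self.window:   # age out hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def gateway_policy(
    messages: List[GatewayMessage],
) -> Tuple[List[GatewayMessage], List[GatewayMessage], List[dict]]:
    """Apply both limits in submission order and return (delivered, dropped, alerts).

    Over-limit messages are dropped silently: a non-delivery report to the
    envelope sender would turn one flood into a second flood of bounces aimed at
    whatever address the sender forwards through. One alert is raised per
    recipient the first time it crosses the limit, naming the senders seen so far.
    """
    per_sender = SlidingWindowLimiter(PER_SENDER_LIMIT, WINDOW_SECONDS)
    per_rcpt = SlidingWindowLimiter(PER_RECIPIENT_LIMIT, WINDOW_SECONDS)
    senders_for: Dict[str, Set[str]] = defaultdict(set)
    delivered: List[GatewayMessage] = []
    dropped: List[GatewayMessage] = []
    alerts: List[dict] = []
    alerted: Set[str] = set()

    for m in sorted(messages, key=lambda x: x.ts):
        senders_for[m.recipient].add(m.sender)
        if not per_sender.allow(m.sender, m.ts):
            dropped.append(m)
            continue
        if not per_rcpt.allow(m.recipient, m.ts):
            dropped.append(m)
            if m.recipient not in alerted:
                alerted.add(m.recipient)
                alerts.append({
                    "recipient": m.recipient,
                    "first_drop_ts": m.ts,
                    "senders": sorted(senders_for[m.recipient]),
                })
            continue
        delivered.append(m)
    return delivered, dropped, alerts


def build_sample() -> List[GatewayMessage]:
    """Constructed traffic: one forwarding account floods 2125550100 with 30
    messages in a minute while three unrelated senders text 2125550199."""
    flood = [GatewayMessage(1000.0 + 2 * i, "alerts-flood@example.invalid", "2125550100")
             for i in range(30)]
    legit = [
        GatewayMessage(1001.5, "friend1@example.invalid", "2125550199"),
        GatewayMessage(1030.5, "friend2@example.invalid", "2125550199"),
        GatewayMessage(1055.5, "friend3@example.invalid", "2125550199"),
    ]
    return flood + legit


if __name__ == "__main__":
    ok, bad, alarms = gateway_policy(build_sample())
    print(f"delivered={len(ok)} dropped={len(bad)}")
    for a in alarms:
        print("ALERT", a)
```

The per-recipient limit is what protects the phone and its bill; the per-sender limit is what protects the gateway itself when one account fans out to many numbers, and the alert record gives the operator the sending addresses to block or report.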
Some interesting bonus info on these types of attacks includes the following:
1. The target may not be able to make any calls while the flooding is taking place.
2. The target may be forced to delete each message manually depending on the type of phone they have.
3. The target is charged for every message received over their plan limit, and in some cases, when initiated from email, it is considered data rather than txt/sms, so a completely different (and usually higher) billing rate applies.
As you can see, these types of attacks can be incredibly destructive and, at the very least, incredibly annoying. If no change is made to the system, I foresee these types of attacks becoming more common, especially given their simplicity.