Hackers exploit SMS gateways to text millions of US numbers

Receive any strange SMS text messages recently?

If you live in the US, there’s a small chance you might have received an SMS with the following text in the last few days from someone called ‘j3ws3r on Twitter’:

I’m here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask.

Judging from responses on Twitter, the chances of receiving one of these is currently low, although it’s also possible some phone users either ignored the message or deleted it out of habit.

(The text also begins with a promotional link to controversial YouTuber PewDiePie, a clue to its origins which we’ll get to shortly.)

Of the few recipients who took to Twitter to ask about the message, most seem concerned about how the senders got hold of their mobile number.

In fact, they didn’t have to: according to Wired, the whole campaign was driven by a script that generates every possible mobile number between 1111111 and 9999999 and bolts these onto a list of every US area code.

How were the texts sent?

It seems that a single Unix command was used to send the messages to the email-to-SMS gateways used by all 26 major US carriers, which in theory will have forwarded them to legitimate numbers.

More likely, most of them filtered the messages out, but the fact that some got through is the whole point of the campaign: to raise the issue of how easy it is to abuse these gateways.
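
A gateway-side check for the pattern described above, as an added example that is not from the original article or from Wired: it flags any source that mails many distinct 10-digit numbers at email-to-SMS gateway domains within a short window. The gateway domain names, the log tuple layout and the thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Assumed gateway domains (placeholders, not real carrier hosts).
GATEWAY_DOMAINS = {"sms.carrier-a.example", "txt.carrier-b.example"}
# An email-to-SMS recipient: a 10-digit number as the local part.
RCPT_RE = re.compile(r"^(\d{10})@([a-z0-9.-]+)$")

def find_enumerators(events, window=60, min_distinct=5):
    """events: iterable of (epoch_seconds, source_ip, rcpt_address).

    Returns {source_ip: peak count of distinct numbers addressed within
    any `window` seconds} for sources whose peak reaches `min_distinct`.
    The same number sent to several gateways counts once, so fanning one
    number out to every carrier does not inflate the score.
    """
    per_source = defaultdict(list)
    for ts, src, rcpt in events:
        m = RCPT_RE.match(rcpt.lower())
        if m and m.group(2) in GATEWAY_DOMAINS:
            per_source[src].append((ts, m.group(1)))

    flagged = {}
    for src, hits in per_source.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= `window` s.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({num for _, num in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            flagged[src] = best
    return flagged

# Constructed sample: one source walking sequential numbers across two
# gateways, one alert sender with two known subscribers, one normal mail.
SAMPLE_EVENTS = (
    [(1000 + i, "203.0.113.7", f"555000000{i}@sms.carrier-a.example") for i in range(6)]
    + [(1000 + i, "203.0.113.7", f"555000000{i}@txt.carrier-b.example") for i in range(6)]
    + [(1000, "198.51.100.20", "5550001234@sms.carrier-a.example"),
       (1030, "198.51.100.20", "5550001234@sms.carrier-a.example"),
       (1050, "198.51.100.20", "5550005678@txt.carrier-b.example"),
       (1005, "192.0.2.9", "alice@mail.example")]
)

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_EVENTS))
```

Counting distinct numbers rather than messages is what separates this traffic from a legitimate alert sender, which sends repeatedly to a small, stable set of subscribers.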

And yet SMS gateways are everywhere, used legitimately by organisations to send their users marketing and service information straight to their phones.

It’s a mostly hidden industry that makes a tempting target for hyper-intrusive companies and criminals alike, as well as hackers looking to capitalise on – and warn of – weak security.

According to Simeon Coney of Adaptive Mobile Security, quoted by Wired:

Many of the SMS gateways have broadened their offerings to support scripted interaction, with a range of interface APIs supported.

Showing how this can be abused is intended as a warning of an issue the carriers are allegedly turning a blind eye to, according to the SMS:

I decided to just do this [as] an automated way of warning everyone, and hopefully promoting change from these companies.

Printing PewDiePie

It’s the latest act of a small group of individuals who last December hijacked weakly-secured printers to spew propaganda on behalf of contentious YouTuber, PewDiePie, and to hack vulnerable Google Chromecasts.

Those, too, were intended as warnings, albeit more mainstream ones that too many individuals and organisations connect printers and Chromecasts to the internet without thinking about their security.

Is it even possible to disable SMS gateways? As far as we can tell, short of turning SMS off completely this needs to be done either by talking to the carrier or, possibly, by changing a setting in a carrier’s management app.

On balance, we’d hesitate to do that because it might also disable useful texts such as bank balance alerts and possibly 2FA one-time codes which utilise SMTP-to-SMS gateways.

Undoubtedly, SMS gateways deserve closer attention – the spam text problem surely confirms this – but perhaps not in this way.