My first text messaging attack.
I have a dumb phone.
On purpose.
It doesn’t take pictures, it doesn’t send or receive email, and it barely connects to the Internet at all; I’ve only used the feature to download ringtones to it a couple of times. It’s phone-shaped, it’s big enough so that I’m not in danger of accidentally swallowing it, and it’s a boring color. It minds its own business and the only messages I receive on it are once every three to six months, from my lovely and talented webmaster, who occasionally sends me a watchdog reset when I’m sleep-deprived and sitting in very long meetings.
So I was recharging it in the office today while I was doing some work (yeah, yeah, I know), and when I picked it up again, I was surprised to see that there were two text messages on it. They were from a 1-977 number, of course, and they were wonderfully generic:
are u back yet?
text me don’t call
First of all, I got all the SMSing out of my system in the mid-’90s. (It was very helpful once, in the airport in Marseilles, when I had to get a message through to someone in the EU-citizen line and the voice service wasn’t working.) I don’t text message anyone any more. I am so over it. (These youngsters talk about IM and texting as if it were new. Sheesh. They think they invented the Internet, or something.) And secondly, even when I used to do it, I made it a point NOT to use this inane texting shorthand (R U 4 RL?).
So I didn’t fall for it, but I was startled, since I keep such a low profile with my phone that I don’t know how someone finally got hold of the number.
There’s a lot to be said for having ancient, dumb technology. I have a first-generation PalmPilot that I still use as an alarm clock (and I used to use it for playing solitaire in the dark when the kids kept me awake). I’d still be using it to keep my schedule if the display weren’t so fuzzy (or maybe it’s my eyes, hmm). I can rest assured that my electronic gadgets are probably the least attractive hacking targets out there. Of course, that didn’t stop the phone phisher, but it probably stops other kinds of attacks; when you attend security conferences, you just never know who around you is going to try something naughty. I was very gratified to find that one of the pentesters I respect the most has the same phone model that I do.
Some of my users get apologetic when they talk to me about using paper rather than something online, and I reassure them that not everything has to be up-to-the-minute and L33T. Sometimes doing things the old-fashioned way can improve your security. I’m no Luddite, but I’m not afraid to crank up the Victrola when it’s the right solution.
Posted by shrdlu on Saturday, May 19, 2007

