[ISN] Who's Reading Your Cell's Text Messages?

InfoSec News isn at c4i.org
Wed Mar 1 02:48:54 EST 2006


By Paul F. Roberts 
February 27, 2006 

Have you ever hit "Send" on a text message on your mobile phone before
addressing it? Ever wondered where all those lost SMS text messages
go? If so, you might want to speak with Stan Bubrouski, whose cell
phone has been channeling wayward text messages from across the
country for years.

Bubrouski, a computer science major at Northeastern University in
Boston, is the proud owner of 'Null at vtext.com,' an account on the
popular Verizon text messaging service that allows Internet users to
send e-mail and IM messages directly to his cell phone as SMS text

Bubrouski said he was just being clever when he signed up for a
Verizon vText account with the user name 'null,' after his parents
bought him his first mobile phone during his freshman year at
Northeastern, in 2001.

"I've been paying for it ever since," Bubrouski told eWEEK.

Bubrouski's new vText account didn't just hook him up with his
friends, it also opened the door to a blizzard of unsolicited messages
from individuals and companies that, for the last five years, have
unwittingly forwarded reams of data to his phone.

That data has become more sensitive in recent months, as companies
rush to deliver everything from SAT test scores to medical information
and automobile diagnostics to cell phones and PDAs.

Bubrouski's experience, while unusual, could be a sign of growing
pains in the wireless industry, as companies rush to provide wireless
data services, overlooking steps that could secure the data in
transit, according to one security expert.

Bubrouski, who is finishing his senior year at Northeastern, noticed
something strange about his vText account almost immediately after
activating it in 2001.

"I started getting phantom text messages with no callback number and
an empty 'From:' field," Bubrouski wrote.

Initially, the content of the messages was innocuous, he said. "It was
things like 'don't forget to drop the car off at baker's' and to 'call
mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.

The problem worsened in mid-2002, when Bubrouski's phone began
channeling what he claims were dozens of messages from an e-mail
address used by General Motors' then-new "OnStar" system.

The messages quickly filled up the memory on his cell phone and
contained diagnostic response to tests on a beta version of OnStar.

"Basically, peoples' cars were sending messages to my phone,"  
Bubrouski wrote.

Bubrouski contacted GM and was able to reach someone familiar with the
OnStar tests, and get them to stop the messages after about a week.

"I was happy again - for about two weeks," he wrote.

Next, Bubrouski's phone started receiving SMS sports scores and news
from ESPN, the sports cable network, which had struck up a partnership
with Verizon.

Bubrouski's phone was still getting dozens of messages from the
service, but because the service wasn't public yet, he couldn't find
anyone at Verizon or ESPN who had heard of it and could help him with
his problem.

Bubrouski said he deleted the messages from his phone. He was unable
to provide proof of the OnStar or ESPN messages to eWEEK.

In a pattern that would repeat itself in the years to come, Bubrouski
simply blocked the ESPN e-mail address using a blocking list at
vtext.com and waited for the next stream of messages to hit his phone.

Over time, Bubrouski accumulated a block list of around 15
"offenders"—individuals and companies who were sending him large
volumes of unsolicited information.

Bubrouski theorizes that his choice of user name is the culprit in the
data leaks.

In the world of software design, "Null" is commonly used to represent
"no value" or "0." Developers of mobile services use the "Null"  
address during testing routines, assuming that the messages won't be
sent to anyone.

Verizon may also be substituting "Null" for an invalid or missing "To"  
address in messages sent over Vtext, he said.

Misplaced "Call Mom" messages aren't likely to harm anyone, but by
late 2004, the unsolicited SMS problem exploded, and took on a darker
nature, as mobile data services started popping up all over to take
advantage of a new generation of feature-rich mobile phones, Bubrouski

"I was getting people's grades, order information from unknown
retailers, personal messages with people's credit card numbers [and]
social security numbers," he wrote.

Most of the messages were sent by individuals, but many arrived in
volume from companies like eMbience Inc. of San Diego, Calif., which
unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone.

An eMbience spokeswoman said that Bubrouski's vText account was the
same as an account used by engineers for internal testing.

Once eMbience was informed, in November, that MapQuest test messages
were going to Bubrouski's phone, they changed the address used in
testing for the company's services.

Another company involved was Vocel Inc., also of San Diego, which
develops mobile data services for companies including The Princeton
Review and Random House.

The company's Princeton Review service helps students study for a
variety of standardized tests using their cell phone, including the
SAT, GRE and LSAT, according to Tyler Jensen, vice president of
operations at Vocel.

A new Vocel service that is in testing called "Pill Phone" sends
medication reminders to individuals' cell phones, he said.

Messages from both the Princeton Review Service and Pill Phone were
accidentally sent to Bubrouski's phone because of a flaw in a sharing
feature in the service that allows test results completed on the phone
to automatically be forwarded in SMS or e-mail format to a third party
such as a parent or tutor, he said.

Messages without a "To" address were not delivered by the service.  
However, because of a programming flaw in the client server software,
messages with an invalid address, such as a blank space, were
translated as "Null," and wound up on Bubrouski's phone, Jensen said.

"The fault was entirely ours," he said.

Vocel was informed of the problem by Bubrouski on Feb. 8 and had the
problem fixed by Feb. 10.

Verizon Wireless sues another spammer. Click here to read more.

While the Princeton Review messages that Bubrouski received were from
a service that is in production, the Pill Phone messages were merely
test data generated by Vocel engineers, not actual reminders, he said.

For example, text messages from server at vocel.com told Bubrouski that
"A student at 4105704297 has just completed Princeton Review Word Set
1 with a score of 71%."

A message from pillphone at vocel.com informed him that "A user at
7325894169 has not responded to his/her 01:45 PM dose of
Pronestyl-SR," according to examples of data provided to eWEEK.

Vocel does not channel sensitive data from third-party servers. All
the data that is circulated, such as test scores and medication
information—is entered by the cell phone user, or generated on his or
her phone, Jensen said.

Still, Vocel is taking the incident seriously.

"This was a wake-up call for us from the standpoint of ensuring that
back-end systems are doing verification and checking," he said.

Jensen was loath to criticize Verizon, which provides SMTP gateways
that route data sent from cell phone users and providers like Vocel to
its customers.

However, others said that Bubrouski's experience may be a sign of
larger problems with the way that providers like Verizon are running
their text messaging networks.

SMS users, like e-mail users, rely on the fact that carriers like
Verizon won't accidentally deliver improperly formatted messages, such
as those with no addressee, to an unrelated address, said John
Pescatore, a vice president at Gartner.

"There's no way that this should be happening. No e-mail system would
ever do that," he said.

Verizon should be rejecting messages with improperly formatted
addressee information, not forwarding it to an account, he said.

Bubrouski agrees.

"I'd have to say Verizon is at fault. Sure, service providers make
mistakes, but Verizon shouldn't be accepting messages from no one to
no one," he said.

Verizon declined to comment in detail on Bubrouski's case. However,
Verizon wireless spokesman Jeffrey Nelson thanked eWEEK for bringing
the 'Null' account issue to the company's attention, and said Verizon
is looking into the issue.

The problems that Bubrouski experienced may be particular to Verizon's
network. However, security is a larger problem in text messaging and
e-mail, where trust is assumed between senders and receivers of
message data, said Brian Berger, a vice president of marketing at Wave
Systems Inc. and marketing chair at the TCG (Trusted Computer Group).

TCG is developing specifications for hardware building blocks,
including the TPM (Trusted Platform Module) chip that can secure
transactions from mobile devices.

Companies like Nokia, Motorola, ARM, Vodaphone, Wave Systems, as well
as Intel and IBM are participating in the process, and specifications
are expected this Summer, Berger said.

As mobile devices become more powerful and are used to log into secure
networks, and conduct high value transactions, users will need to have
a way to authenticate themselves, manage passwords and prove their
identity using mobile phones, he said.

While Verizon works on the problem, Bubrouski said he's grown
accustomed to his plight as a shepherd for lost text messages.

"I've received thousands of text messages over the past five years,"  
he wrote. "Probably only about 200 or so were actually meant for or
even sent to me directly."

Getting rid of his vText account would stop the stream of unwanted SMS
message problem, but Bubrouski said he enjoys reading the messages he
receives, and blocks companies and individuals when the volume of SMS
they're sending him gets too high.

"I've kind of gotten used to it," he wrote.

More information about the ISN mailing list