Richard Brooks <[email protected]> wrote:

> If anyone with an understanding
> of SMS, SMS web interfaces, and/or related security issues
> would be willing to point me in the right direction
> (or discuss potential issues) I (and by extension
> they) would be grateful.

SMS is basically insecure. Others in the thread have given good advice, which you should heed, but here's my take on it in case a slightly different perspective is also useful.

The basic problem is that all SMS messages go through servers which may be monitored. In many countries the service providers are under direct government control. Anywhere else, it may be possible for government to acquire access with some combination of appeals to patriotism, legal (or in some places extra-legal) threats, and promises of rewards such as government contracts.

There are plenty of examples of actual monitoring. During the SARS scare, people in Beijing were arrested for "spreading rumors" via SMS. In the US, the NSA has monitoring equipment in AT&T offices: https://www.eff.org/nsa/hepting

It gets worse. The US has a Communications Assistance to Law Enforcement Act (CALEA) that basically makes it illegal for anyone to sell phone switches without wiretap capability in the US. As a result nearly all such switches have the capability built in. That includes the switches that various nasty regimes buy.

Then there are a whole range of other attacks possible against phone systems. Trojan horse programs can take over a smartphone to record things like passwords or even use the phone's mike to bug whatever room the phone is in. Bogus cell phone towers (in the back of a KGB, NSA or whoever van) can locate a phone with great accuracy. Those are just two that have been reported as commercially available; there are likely more I don't know about.
