Web Excursions 2021-11-10

What is AT&T doing at 1111340002?

  • [Background]

    • From time to time, an attorney will request cellphone activity records from a mobile operator,

      • and those records will show some text messages to and from strange numbers.

    • There is a good chance that the person who uses the phone never sent or saw these messages.

    • And if this happens in the middle of a legal case where cellphone activity is an issue, the resulting confusion can be a source of doubt and error.

  • TL; DR:

    • The driver’s AT&T SIM sent an SMS to 1111340002 to report that the phone had installed an automatic software update.

    • The SMS event had nothing to do with any specific actions by the driver.

    • It took some lab work and a subpoena to AT&T to sort this out.

  • Any outgoing SMS from a phone has two destination numbers (“addresses”):

    • transport layer (“TP”) destination address,

      • the address of the final recipient, which in this case is 1111340002.

      • (Normally, this is the number that the user specifies.)

    • relay layer (“RP”) destination address,

      • the address of the SMSC to use for outgoing routing, which in this case is +14047259800.

      • (Normally, this number is supplied by the SIM.)

  • [Here,] the TP destination number 1111340002 does not fit into any public network numbering plan.

  • For a message to get delivered to that private address, it must go to a particular AT&T SMSC that knows how to route it.

    • The RP destination number, +14047259800, is a normal-looking US number,

      • what a telecom engineer would call an “NANP E.164”.

    • associated with an AT&T “service control point” (a sort of server) that was made by Sun Microsystems.

      • This is most likely a Sun Solaris server running an Oracle SMSC package, physically located in Atlanta, GA.

      • Interestingly, this is not the SMSC number that AT&T uses for normal texting (+13123149810).

      • This is a special SMSC that is used for special applications.

  • The message reports information

    • about the SIM,

    • about the phone, and

    • about the phone that the SIM was previously installed in, and

    • some other stuff that I have not figured out yet.

  • The SMS payload is indicated as being raw binary,

    • not normal SMS text.

    • It has a regular structure,

      • using the same type-length-value (“TLV”) formatting that is used in many telecom protocols.

  • The fact that the message carries information about the previous phone that used the SIM

    • is a strong hint that the SIM itself is sending the message,

    • because only the SIM would “remember” this information as it moves from one phone to another.

  • SIMs can send SMS on their own using a feature called “proactive MO-SMS”.

  • To verify that the the SIM was the source, I used the SIMTrace2 SIM tracing tool.

    • The tracing tool connects to the phone’s SIM tray with a special flat cable.

    • The SIM plugs into the tracing tool.

    • Now the tracing tool sits between the phone and the SIM, and

    • it can record the commands and responses exchanged between them.

  • When does the SIM send this message?

    • When ever the SIM moves to another phone and

    • whenever the firmware is updated in the phone’s baseband processor.

  • After the lab work, deposition of an AT&T employee revealed that the only other trigger is a firmware update of the baseband processor.

    • That is also consistent with the SIM requesting the IMEISV, since the “SV” part means “software version”, and

    • it is updated every time the baseband processor loads new firmware.

  • AT&T says nothing publicly about why their SIMs send these reports,

    • but it seems that they are trying to keep a database of what phones their customers are using, and where.

    • That is obviously useful information for an operator, although it would be nice if they were transparent about it.

  • The point here is that the cellphone literally has a mind of its own, in fact multiple “minds”, including in the SIM.

What is AT&T doing at 1111340002? | Hacker News

boramalper:

Would eSIM improve the state of affairs with respect to privacy?

zinekeller:

eSIMs just remove the physical ISO card package and put it instead into a dedicated chip inside your phone, so in theory and in practice it could do anything a regular SIM can do.


iPhone Apps Can Tell Many Things About You Through the Accelerometer

  • Nearly every modern smartphone is equipped with an accelerometer,

    • which as the name implies, is a sensor that measures acceleration.

  • It’s most commonly used for detecting the device’s orientation.

  • It’s also found many other uses, whether

    • as a game controller in racing games,

    • as a pedometer for counting daily steps, or

    • to detect falls as seen in the Apple Watch.

  • There also have been some research to develop novel accelerometer applications: estimating heart rate, breathing rate, or even as a rudimentary audio recorder using just the accelerometer.

  • Currently, iOS allows any installed app to access accelerometer data without explicit permission from the user.

    • Curious apps might be able to learn a lot about users through the accelerometer and without their knowledge or permission.

iPhone apps can tell many things about you through the accelerometer | Hacker News

wongarsu:

  • The heart rate sensing is done on a smart watch, not a phone, and needs data from the actual heart rate sensor every couple of days.

  • The breathing rate is determined from a phone put on the breast or the abdomen. Not really a threat vector in that form.

  • The audio stuff is incredibly impressive, but it doesn't look like they can reconstruct text with meaningful reliability, it's more about identifying the person or at least the gender of the person on the other end of the line.

  • The location and activity detection scenarios seem the most credible to me, but the for targeted attacks the audio reconstruction might also work. The other two don't really seem credible to me yet, but good to be aware of them.