Detecting so called "silent SMS"


#1

The authorities in Germany (BKA, Verfassungsschutz, etc.) are using so-called “silent SMS” to detect the location of a cellphone in the networks. This is technically a short message or paging without any text, only provoking the next station to reach out and the cellphone to respond “here I am”. There was/is some open-source work in progress to detect and prevent this, see https://github.com/darshakframework/darshak/

Will the L5 at least signal such a “silent SMS” to the user so that he/she could be aware of it and switch off the device, or is there even a way to instruct the modem not to respond to such spying attacks?


#2

I already asked Purism support about this, and the answer was pretty noncommittal - something handwavy like “if we will be able to catch such messages at the OS level, we will notify the user, but if not - we won’t.”

I.e. they don’t even know for sure at which level such messages are usually handled, and thus did not investigate this topic a long while before, which is pretty strange, considering their focus on security.


#3

Sure. After you establish the fact, you also have to establish whether you are in control of “that” level and how much of that control is shared between you and “others” …


#4

If the silent SMS feature is in the modem firmware, then there is little that Purism can do. If it requires the OS, then they will run across it in due time.

If the modem &amp; its radio is turned on, then your phone is in contact with nearby cell towers, and these cell towers will be able to locate you, even without a silent SMS.


#5

And why have our authorities sent out 20k of such silent SMS in the last 12 months?


#6

I don’t think that the modem handles this internally w/o telling the driver anything. If Puri.sm will not dig into it, someone/I will do.


#7

I guess silent SMS is implemented in some closed-source firmware which will be in the modem. I guess it’s not part of the OS, as if it were, you would also be able to see some code in Android suppressing it from being shown.

So the option would be to use the hardware kill switch for the modem once you don’t want to provide silent SMS.


#8

I would also guess that’s the mechanism they use to send “Amber Alerts” and other emergency messages. (I’m sure most everyone in the U.S. remembers the text message they got last year.)


#9

This could be a woefully uninformed question, but…

Is it possible to find out who the coders were for the modem going into the Librem-5 and see if they have enough of a heart to code a Free version of the blob?


#10

I doubt that will happen, but I would not be surprised if people try to reverse engineer the blob. Also, because the modem is on a removable card, a 3rd party can create or even sell their own modem to put in the Librem 5. This might happen if there is enough demand for “specialty modems.”


#11

Seeing as we are guessing

I would guess, no, it’s different. For two reasons:

  1. These emergency messages are broadcast, point-to-multipoint, anonymous destination (whoever is in range of that tower at the time).

  2. Emergency messages are not secret, intended to be not secret, intended to be passed to the host operating system for display as a notification.

(Aside: We had one here a few weeks ago. There were four people in the house at the time with mobile phones. Only one phone displayed a notification. We are still trying to work out what parameters, settings etc. control that - since that is not a really useful hit rate if the emergency were really serious! However we may be using different technology in this country anyway.)

A true “Amber Alert” refers to an earlier SMS-based technology.

I would guess that too. It is definitely something to look into once the basics are squared away.


#12

Looking at the PDF presentation for Darshak, this looks like a really, really hard problem. I’m not surprised that Purism wasn’t able to promise anything. Darshak isn’t able to prevent a silent SMS. It is only able to record that it happened. It requires downgrading the cellular connection to GSM and only works with detailed information about the cellular provider and they only got it to work on one phone model (the Galaxy S3).

I’m frankly glad that Purism isn’t making any promises about this issue, because I want the company to be focused on getting the basic functionality working on the phone and shipping it.


#13

There’s another piece of Android software, SnoopSnitch (https://opensource.srlabs.de/projects/snoopsnitch), which can detect these messages, along with other cellular network nasties (IMSI catchers, empty paging possibly indicative of SS7-based tracking attempts).

At the very core, its requirements are a Qualcomm-based modem (the Gemalto PLS8 is) and a version of the Linux kernel compiled with the “diag” driver active for Qualcomm devices - this is the case for all LineageOS kernels, I don’t expect it to be disabled here, and even if it is, I can just build a new kernel myself.

That’s my first project when my Librem 5 arrives - to get something like this working. It’s already been done before on fairly similar hardware and software, so I know that it’s possible.

Darshak is a strange piece of software. It only seems to work on one particular version of the stock OS on that one device. It seems to rely on some kind of strange AT command passing functionality which doesn’t work on Lineage (I tried it). Additionally, Intel seem to have changed the internal workings of their modems over time. I tried the command sequence (and some variations) on a Zenfone 2 (which has a later, LTE-capable modem) and just could not get any kind of cellular network packet dump.


#14

A dumb question, but why do they need a silent SMS? If your phone is on, you are connected to a cellphone tower, so they already know your position.


#15

Is there some way to get it working with the BMB181?


#16

This boils down to technical details of protocols. AFAIK, the phone by default is not sending lots of stuff to the base station and only receives some things over the passive channel (network metadata, etc.) without replying to the station.

To update its location (let the network know where the device is), the terminal device (phone) may send something like “update location”, and in ordinary circumstances this does not happen very frequently (unless you move ultra-fast and change base stations every few minutes). So, when your phone is on but you are not active (calling, sending messages, surfing the net), it is still hard to track you.

The purpose of Type 0 messages is to trigger the response from the device to the network when it is required by the tracking system (i.e. as frequently as the tracker wants) so that the network may measure the response strength and locate you.


#17

The German Wikipedia article confirms that a silent SMS is a different thing than “cell assessment” (Funkzellenauswertung).
Loosely related topic: Cell of Origin.

So, silent SMS a.k.a. “stealth ping” seems to be comparable to a traceroute. You are not actually interested in a response, but rather in the metadata generated by sending an empty message. Obviously, if SnoopSnitch can detect them, at least some firmware support forwarding/signalling of such empty messages. The wording in the standard seems to indicate they were originally only meant for diagnostic purposes:

A short message type 0 indicates that the ME (Mobile Equipment) must acknowledge receipt of the short message but may discard its contents.

Looking at the numbers of sent tracking SMS, it would certainly be interesting to know about them. But then, not receiving any doesn’t mean nobody tracks your position. It’s surprising to me that silent SMS are used that much, as it would appear simpler (and stealthier) to just query for the current cell. Maybe a stealth SMS is simpler to do, as it doesn’t matter which carrier or if roaming is active?
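Worked example for the two posts above (Type 0 as the trigger, and the TS 23.040 wording): the PID-based check a tool like SnoopSnitch can apply is small once the SMS-DELIVER PDU reaches the host. The code below is added here and is not from the thread, from Purism, or from SnoopSnitch/Darshak. It parses the PDU as a modem hands it over in AT PDU mode (`AT+CMGF=0`, unsolicited `+CMT:`), decodes the originator and timestamp, and flags TP-PID 0x40 (“Short Message Type 0”). The two PDUs are constructed test vectors, not captured traffic. The caveat is the one the thread circles around: the standard lets the ME acknowledge and discard a Type 0 message, so whether the modem firmware ever forwards it to the host is an assumption this check depends on.

```python
"""Flag "silent SMS" (Short Message Type 0) in SMS-DELIVER PDUs.

3GPP TS 23.040 assigns TP-PID value 0x40 to "Short Message Type 0": the ME
must acknowledge receipt but may discard the contents, so the user sees nothing.
Only works if the modem actually passes the PDU to the host (assumption).
The PDUs at the bottom are constructed test vectors, not captured traffic.
"""
from dataclasses import dataclass

TP_PID_SMS_TYPE_0 = 0x40          # TS 23.040, 9.2.3.9 TP-Protocol-Identifier


@dataclass
class Deliver:
    smsc: str
    originator: str
    pid: int
    dcs: int
    timestamp: str      # TP-SCTS as YY-MM-DD HH:MM:SS (timezone octet ignored)
    udl: int            # TP-User-Data-Length
    silent: bool        # True when TP-PID is Short Message Type 0


def _semi_octets(raw: bytes) -> str:
    """Decode BCD digits: low nibble first; 0xF pads an odd digit count."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)


def _address(raw: bytes, toa: int) -> str:
    # Numeric addresses only; type-of-number 001 (bits 6-4) = international
    return ("+" if toa & 0x70 == 0x10 else "") + _semi_octets(raw)


def parse_deliver(pdu_hex: str) -> Deliver:
    """Parse one SMS-DELIVER PDU including the leading SMSC field."""
    d = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = d[pos]; pos += 1
    smsc = _address(d[pos + 1:pos + smsc_len], d[pos]) if smsc_len else ""
    pos += smsc_len
    first = d[pos]; pos += 1
    if first & 0x03 != 0x00:              # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    n_digits, toa = d[pos], d[pos + 1]; pos += 2
    n_bytes = (n_digits + 1) // 2          # digits are packed two per octet
    originator = _address(d[pos:pos + n_bytes], toa); pos += n_bytes
    pid, dcs = d[pos], d[pos + 1]; pos += 2
    y, mo, da, h, mi, s = (_semi_octets(d[i:i + 1]) for i in range(pos, pos + 6))
    timestamp = f"{y}-{mo}-{da} {h}:{mi}:{s}"
    pos += 7                               # six time fields + one timezone octet
    udl = d[pos]
    return Deliver(smsc, originator, pid, dcs, timestamp, udl,
                   pid == TP_PID_SMS_TYPE_0)


def scan(pdus):
    """Return (index, originator, timestamp) for every Type 0 message in a batch."""
    hits = []
    for i, p in enumerate(pdus):
        m = parse_deliver(p)
        if m.silent:
            hits.append((i, m.originator, m.timestamp))
    return hits


# Constructed vectors: SMSC +49171000000, originator +49171234567.
# Type 0 with empty user data vs. an ordinary message carrying "hello" (7-bit).
SILENT_PDU = "07919471010000F0" "040B919471214365F7" "40" "00" "02901201210040" "00"
NORMAL_PDU = "07919471010000F0" "040B919471214365F7" "00" "00" "02901201210040" "05E8329BFD06"

if __name__ == "__main__":
    for hit in scan([SILENT_PDU, NORMAL_PDU]):
        print("silent SMS #%d from %s at %s" % hit)
```

Note that an empty user-data field alone does not make a message silent: a PDU with TP-PID 0x00 and TP-UDL 0 is just an ordinary empty text and is displayed. The check keys on the protocol identifier, which is also why the count of flagged messages says nothing about tracking done by paging or cell queries alone, as the post above points out.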


#18

The GPS and/or WiFi positioning can be much more accurate than just the tower you are connected to or triangulation using multiple towers.


#19

“Silent SMS” does not in any way or form make GPS or WiFi positioning available to the authorities, and there is no way that it could.


#20

Interestingly, the mobile network (or “the cell tower”) doesn’t actually know your position at all times, or even most of the time.
This stems from the historical goal in GSM to use as little power as possible in the handset, which made GSM such a power efficient technology.

Most of the time the network doesn’t actually store which cell a handset currently uses. Most networks only store the “tracking area code” (TAC), which is a conglomerate of a few to tens of cells in whose general vicinity the mobile user was last seen.
This means, to reach a user (i.e. let his phone ring), the network has to do paging (sending a request for an answer) on all cells in the tracking area. Only after the user acknowledges the page will he tell the network which cell he is using.

This means the network pays some inefficiency so that the phone of the user can sleep longer and doesn’t need to tell the network about every cell change. In GSM a phone could actually sleep up to 24 hours without communicating with the network and still be reached (if it doesn’t move out of the TA).

The so-called “silent SMS” is basically an empty call, in which the network asks the phone to report its serving cell and thus achieve very coarse positioning information.