SMS, or Short Message Service, has quickly become an integral part of our life. SMS is nowadays used by anyone and for almost anything (servers sending SNMP alerts, banks sending info on account transactions, simple conversation ...). Now that we have started taking steps to make email secure and encrypted, it's also high time that we realized that sniffing (capturing) or spoofing (forging) SMSs is even simpler than sniffing and spoofing emails. In this story we will try to identify the threats to the SMS world and whether they are real or not, and at the same time identify some tools with which one can safeguard their SMS inbox from such threats.
How Real is SMS Spoofing
It is very real. All you require is a PDA which runs Palm OS. Yes, we know Palm has stopped shipping Palm OS, so somebody with an old Palm PDA would be able to do spoofing. All it should have is the capability of spoofing SMS over an IR link. The next thing that's required is a GSM phone with IR and modem support.
Now all you have to do is download a freely available open-source software called SMSSpoof. Once you have downloaded it, unzip it and install the .prc file onto your PDA using HotSync or whichever way you would like to install it.
Start the application after you've installed it. You will be asked to fill in: the spoofed sender's number, the recipient's number, the actual message, and the number of an SMS Center (SMSC) which is EMI/UCP-compatible. This capability is nothing but the capability of sending SMS over GSM dialup. Now here's the good news: none of the SMSCs in India today have this vulnerable capability.
We tried sending spoofed SMSs from multiple SMSCs of Vodafone, Airtel, and BPL but none worked. Now the bad news: you can use any SMSC across the globe which supports EMI/UCP for sending spoofed SMSs.
The method which we just mentioned to send spoofed SMS looks pretty geeky and you will require quite a few things to be able to do so. There are many websites on the Internet which let you send spoofed SMS without the need of any technical know-how. We won't of course delve into the details of such sites, because that's not the intent. What we want to tell you is that sending spoofed SMSs is easier than spoofing emails, and could become a potential security threat in the future, so you need to be more careful. In the remainder of the article, we'll focus on how to protect yourself against SMS-based security threats.
Prevention: SMS Encryption
Till date there is no system that can protect you against spoofed SMS and tell you whether the SMS you are receiving is from a legitimate sender or not. So to protect against such threats the only solution is to use SMS encryption. There are quite a few apps available for quite a few smartphones. A simple Google search with keywords such as 'SMS + encryption + your-phone-vendor-name' can give you a list of apps which you can use to encrypt SMS.
But the drawback with such systems is that both ends (the sender and the receiver of the SMS) should have the same software running to encrypt and decrypt the SMS, which also means that both should have a similar phone or phones which support the same application.
Prevention: SMS Spam Filter
The next most important application that one would like to install first on his/her mobile is an SMS spam filter. These spam filters are not so sophisticated and can only work in a few ways, such as defining a list of numbers you want to ban or creating a white list of numbers you want to allow. The latter will allow all numbers in your phone book. The third form of filter is word or phrase blocking, where you can define a few keywords which, if found in the SMS, will cause it to be blocked and sent to a vault. We are yet to see SMS spam filters that can use a global black or white list and content filter.
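
The three rule types described above (banned numbers, phone-book white list, keyword blocking to a vault), written as an added Python example; it is not code from any filter app the article refers to, and the class name, the default country code and the sample messages are assumptions constructed for illustration. The last sample shows why such a filter is no defence against spoofing: it only ever sees the sender field.

```python
import re

def normalize(number, default_cc="+91"):
    """Canonical form so '098100 00001' and '+91 98100 00001' compare equal."""
    if re.search(r"[A-Za-z]", number):           # alphanumeric sender ID
        return number.strip().upper()
    n = re.sub(r"[^\d+]", "", number)            # drop spaces, dashes, brackets
    if n.startswith("00"):
        return "+" + n[2:]
    if n.startswith("0"):
        return default_cc + n[1:]
    return n if n.startswith("+") else default_cc + n

class SmsFilter:                                 # hypothetical name
    def __init__(self, phone_book, banned, keywords, phone_book_only=False):
        self.phone_book = {normalize(n) for n in phone_book}
        self.banned = {normalize(n) for n in banned}
        self.patterns = [re.compile(r"\b" + re.escape(k) + r"\b", re.I)
                         for k in keywords]
        self.phone_book_only = phone_book_only
        self.vault = []                          # blocked messages plus reason

    def check(self, sender, text):
        """Return 'inbox' or 'vault' for one incoming message."""
        s = normalize(sender)
        if s in self.banned:
            reason = "banned number"
        elif self.phone_book_only and s not in self.phone_book:
            reason = "not in phone book"
        elif any(p.search(text) for p in self.patterns):
            reason = "keyword"
        else:
            return "inbox"
        self.vault.append((sender, text, reason))
        return "vault"

# Constructed sample data: numbers and texts are made up for this example.
SAMPLES = [
    ("098100 00001", "Running late, see you at 6"),
    ("+91 98100 00002", "Call me back"),
    ("AD-OFFERS", "Meeting notes attached"),
    ("+91 98100 00003", "You have won a FREE ringtone"),
    # Sender field claims a phone-book number; the filter cannot verify it.
    ("+91 98100 00001", "Hi, this is my new handset"),
]

def run_samples():
    f = SmsFilter(phone_book=["+91 98100 00001", "9810000003"],
                  banned=["9810000002"], keywords=["free", "you have won"],
                  phone_book_only=True)
    return [f.check(s, t) for s, t in SAMPLES], [r for _, _, r in f.vault]
```
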


