SMS Security 101

[browndrf]

Hello there, I'm quite new to SMS.

I'm planning to develop a client-server system., a cell phone as the client and a PC as the server. I have some critical data to exchange. I was wondering whether SMS would be a secure option ?

I come from the IP world and the following are typically on the top of our security threat list

1) man in the middle attack
2) server spoofing
3) packet sniffing
5) Denial of service (DOS)

are any of these valid for SMS ?
What are all the common threats in SMS space ?

If I want to send unencrypted data over SMS, what are all the precautions I should take ?

thanks

[petrib]

Depends on how secure you want things to be... How paranoid you are...

Anyone sitting between your phone and the nearest cell tower you are communicating with can capture the traffic with a suitable receiver.

That's not likely to happen, and if you're moving, even more unlikely.

Cellular trafic is generally encrypted, but network encryption is, as far as I'm aware, breakable (especially in the US where weaker encryption algorithms must be used).

It is harder to break into the operator's core network (a cellular network is wireless only between the terminal/phone and the base station, and the rest is fiber optics or copper between servers and other network elements the network consists of).

The operator's network systems could be compromised (not likely, but they could); someone breaking in to a base station, base station controller or some other machine room hosting network elements. Such could also be done by operator's employees or contractors with suitable rights to suitable sytems (or ways to acquire such rights even if they shouldn't).

So, in other words, if you want security, trust no one, except yourself. The truly paranoid do not trust even themselves, because they might be drugged or hypnotized or something without realizing it.

That means, if you want to secure your messages, encrypt them before sending and decrypt on the receiving side. Use a public key encryption system (not a symmetric algorithm).

Note also that in-house encyption protocol implementations are likely to have flaws and should be reviewed and tested widely (best is to use public algorithms, but private keys).

There are already apps such as Fortress SMS, if they serve your needs:
http://my-symbian.com/s60/software/a...Auto=503&faq=2

[browndrf]

Thanks for quick response.

I'm not too paranoid, but I should to know what can go wrong.
At this point I don't think I would consider physical attacks and "hard-to-do" wireless tapping as my primary threats. What I would be concerned about is some other (may be none) common attacks.

I agree that PKI is the best way to go. But I am planning to support some old handset models where PKI does not come standard. I don't want to add any third party libraries with my client-side application.

I am not planning to encourage this backward compatibility, still, I need a non-PKI model for secure (reasonably secure) data xfer. SMS, being an OTA end-to-end delivery protocol, I thought it may be an option.

thanks