Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Investigating Threats Posed by SMS Origin Spoofing to IoT Devices

Akaki Tsunoda

TL;DR

This paper investigates the security risks of SMS origin spoofing for IoT devices that rely on the originating number for remote-management authentication. It combines a fact-finding survey of 32 cellular IoT gateways with a practical verification on a Teltonika RUT241 using SMPP spoofing to test authentication bypass. The results show that 25 gateways support SMS-based remote management and 20 employ origin-number authentication, with at least one product demonstrably bypassable via spoofed origin messages. The findings highlight the need for non-origin-based authentication methods (e.g., challenge-response or MD5-digest schemes in OMA DM) to mitigate threats and protect machine-to-machine communication in IoT deployments.

Abstract

The short message service (SMS) is a service for exchanging texts via mobile networks that has been developed not only as a means of text communication between subscribers but also as a means to remotely manage Internet of Things (IoT) devices. However, the originating number of an SMS can be spoofed. If IoT devices authenticate administrators based on the originating number of an SMS, the authentication is bypassed via SMS origin spoofing. Consequently, IoT devices are at risk of accepting commands from attackers and performing unauthorized actions. Accordingly, in this study, the specifications of major cellular IoT gateways were evaluated by focusing on remote management via SMS, and the authentication bypass hypothesis was verified. The results showed that 25 of the 32 targeted products supported SMS-based remote management, and 20 implemented authentication based on the originating number of the SMS. Furthermore, by spoofing the originating number of the SMS, one product was demonstrated to be remotely exploitable through authentication bypassing. Thus, this study revealed the threats posed by SMS origin spoofing to IoT devices and proved that SMS origin spoofing not only threatens text communication between people but also puts machine communication at risk.

Investigating Threats Posed by SMS Origin Spoofing to IoT Devices

TL;DR

This paper investigates the security risks of SMS origin spoofing for IoT devices that rely on the originating number for remote-management authentication. It combines a fact-finding survey of 32 cellular IoT gateways with a practical verification on a Teltonika RUT241 using SMPP spoofing to test authentication bypass. The results show that 25 gateways support SMS-based remote management and 20 employ origin-number authentication, with at least one product demonstrably bypassable via spoofed origin messages. The findings highlight the need for non-origin-based authentication methods (e.g., challenge-response or MD5-digest schemes in OMA DM) to mitigate threats and protect machine-to-machine communication in IoT deployments.

Abstract

The short message service (SMS) is a service for exchanging texts via mobile networks that has been developed not only as a means of text communication between subscribers but also as a means to remotely manage Internet of Things (IoT) devices. However, the originating number of an SMS can be spoofed. If IoT devices authenticate administrators based on the originating number of an SMS, the authentication is bypassed via SMS origin spoofing. Consequently, IoT devices are at risk of accepting commands from attackers and performing unauthorized actions. Accordingly, in this study, the specifications of major cellular IoT gateways were evaluated by focusing on remote management via SMS, and the authentication bypass hypothesis was verified. The results showed that 25 of the 32 targeted products supported SMS-based remote management, and 20 implemented authentication based on the originating number of the SMS. Furthermore, by spoofing the originating number of the SMS, one product was demonstrated to be remotely exploitable through authentication bypassing. Thus, this study revealed the threats posed by SMS origin spoofing to IoT devices and proved that SMS origin spoofing not only threatens text communication between people but also puts machine communication at risk.
Paper Structure (16 sections, 4 figures, 1 table)

This paper contains 16 sections, 4 figures, 1 table.

Table of Contents

  1. Introduction
  2. Background
  3. Remote Management Using SMS
  4. Threat Model
  5. Methods
  6. Fact-Finding Survey of Originating Number-Based Authentication
  7. Verification of Authentication Bypass via SMS Origin Spoofing
  8. Results
  9. Originating Number-Based Authentication
  10. Authentication Bypass Demonstration
  11. Discussion
  12. Threat Scenario
  13. Mitigation Measures
  14. Limitations
  15. Ethical Considerations
  16. ...and 1 more sections

Figures (4)

  • Figure 1: All devices used in the validation process.
  • Figure 2: Overall verification process of authentication bypass via SMS origin spoofing. (1) Registering the administrator’s phone number in the authentication settings; (2) sending a fake SMS command using SMPP; (3) confirming whether originating number-based authentication is bypassed.
  • Figure 3: RUT241 logs in response to a legitimate and a fake SMS command.
  • Figure 4: Threat scenario that exploits the SMS command to disable IP blocking.