Do We Need Safer (Encrypted) SMS?
Today no one doubts the usefulness of data encryption. It’s a fact: IP traffic and stored data must be encrypted using more and more powerful tools. Data can also be encrypted on mobile devices like PDAs. But what about SMS?
Tapping of mobile communications is not easy for the common of us. But can we assume that they are “safe”? Clearly no! A French guy had a bad story last month due to a SMS sent by a friend (read the story here (Translation in English). The SMS said “Do you know how to crash a train?“.
The SMS was stored a temporary device and, once given back to the mobile operator, the SMS was discovered and notified to the French police. The French guy was arrested during 24 hours and accused of “non-reporting a crime”. This is a strange case because, like e-mail communications, operators are not allowed to read customers messages, except upon request of the relevant authorities!
Let’s keep the legal aspect away and focus on the SMS security. Of course, we do not send SMS for terrorism activities but sometimes sensitive information are sent via SMS: PIN codes, passwords, … What about SMS encryption? Since this story, some French people started a Google group called “FREE-SMS“. Their project is to develop an application running on modern mobile phones to send/receive SMS in a safe way (read “encrypted”).
But what’s available now to protect your SMS? The CryptoPhone is a mobile phone using strong encryption for communication. It’s an hardware solution but the source code is available for security reviews. They’re several technical constraints to implement a solution on existing phones:
- Choice of supported OS/models: iPhone? Java? Android?
- How to exchange and manage keys?
- How to not explode the SMS traffic: One encrypted SMS can be much longer than a clear one (and increase costs)
Finally, when you use a temporary phone or sell one on eBay, be sure to clean up all the data from all supports (internal memory, memory cards) and don’t forget your SIMM card f you give it back to your local operator!
Hi,
excellent article! finally some people think about it. A SMS is like a postcard. We use for example Aloaha SecureSMS for our secure SMS communiction.
Michael
Hi Xavier,
I had given this a bit of thought a couple of years ago.
Back then, I was contemplating developing an app for Symbian, and utilising MMS as a transport for the encrypted messages. I figured that you could encode more data into an MMS ‘picture’ than a 160 character SMS.
I was also planning to store public and private keys as MMS ‘pictures’ on the phone. This would provide a reasonably easy, though somewhat manual, way to exchange keys.
Now, with iPhone and Android you probably wouldn’t need to resort to this type of hackery.
Regards,
Dave Taylor