Nowadays, messages exchanged between cell phones are rarely text messages (Short Message Service, or SMS), as smartphones favor the use of more flexible and secure messaging services. Nevertheless, SMS remains an attractive option as a network-independent validation method, particularly for automated systems. That is why we have recently improved the SMS sending and receiving functionality on the YoctoHub-GSM-4G.
SMS transport security
Before getting into the heart of the matter, let's clarify the real and imagined security risks associated with using SMS. Sending one-time passwords (OTPs) via SMS can pose a security risk in some specific cases, but these can easily be avoided:
- With older versions of Android (up to 2015), all applications could receive SMS messages without special authorization. A malicious application could therefore intercept a one-time password intended for an Android user. This is therefore not a problem that concerns us.
- On a 2G GSM network, it is relatively easy - albeit illegal - to introduce a fake GSM communication antenna (aka Stingray) into the network and thus intercept SMS messages that pass through it in clear text. However, if the GSM modem is configured to work only in LTE mode, without accepting to downgrade to 2G, this type of attack is much more difficult to carry out and requires complex and very expensive resources (attacks on the operator, clandestine services).
Furthermore, the attacks described on SMS transmissions always assume that the data is transmitted in clear text. In the context of an authorization transmission to an automatic system, the basic approach is to encrypt and authenticate the authorization code (e.g., using AES), including a timestamp and a nonce, in the same way as one would do on an IP network, before encoding the message in base64 so that it can be transmitted as text. If this precaution is taken, confidentiality is not significantly worse than on a Wi-Fi network, but there is the advantage of a means of transport that is independent of the IP network, which is much better than other commonly used methods, such as sending OTP codes by email to the same email address used to change passwords.
It is therefore entirely appropriate to use SMS with a 4G GSM modem where 2G communication is disabled as an additional transmission channel for exchanging encrypted authorization tokens.
Improved SMS functionality of the YoctoHub-GSM-4G
Since its launch, the YoctoHub-GSM-4G has been able to send and receive SMS messages using our API, which is available in many programming languages, and in particular the YMessageBox class.
This week, we have improved this API to handle two specific cases.
- Sending errors
- We recently realized that when there was a problem sending an SMS (for example, insufficient credit on the SIM card), the error was not reported to the application as an exception or error code. This has now been fixed. To benefit from this improvement, you need to update the module's firmware to version 72331 (or later) and use an up-to-date version of the programming library (version 2.1.12412 or later).
- Receipt by callback
- To facilitate responsive management of incoming messages, we have added a registerSmsCallback() method that allows you to receive a callback for each new message received. This means that you no longer need to code yourself a periodic verification of messages received.
