Transferring two-factor authentication SMS


More and more sites require two-factor authentication via SMS. From a security standpoint, it's very good, but it can become bothersome if the login is shared by several people. This week, we are going to see how to receive an authentication SMS and to transfer it to several people.






In theory, a login is personal and shouldn't be shared. The aim of double authentication is precisely to ensure that only the registered person can log in. But in some cases, such as inside a family, several people use the same login. In this case, double authentication can raise issues. At each login, one must ensure that the person whose phone number is registered is present (or at least his/her phone). If that's not the case, you must call the person so that s/he passes the code on to the person in front of the computer.

To avoid these small annoyances, we created a system which receives the SMS and transfers them to several other phone numbers.

The SMS are transferred to several numbers



This system uses a YoctoHub-GSM-4G with the SIM card of the phone number which is registered on the web sites. The cellular data of the YoctoHub-GSM are disabled and the module is only used to send and receive SMS. The YoctoHub is connected by USB to a computer which runs a Python script.

the YoctoHub-GSM



During the login process, the web site sends an SMS with the authentication code to the YoctoHub-GSM-4G number. When the YoctoHub receives the SMS, the script looks for the numbers registered for this web site and dispatches the authentication code.

The application


Note: the application is written in Python because it's an easy and portable language. If you have never used our Python programming library, we have a tutorial explaining how to start with our Python library.

As you can see below, the code is simple. The Python script reads the SMS present on the SIM card. Depending on the phone number of the sender, it sends the SMS again to one or several phone numbers. When the SMS has been sent to all the programmed numbers, it is deleted from the SIM card.

The Python script starts by initializing the Yoctopuce library so that it uses the modules connected on the USB ports of the computer. Then it checks for the presence of a module supporting YMessageBox.

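import sys
# Import path of the pip-installed yoctopuce package
from yoctopuce.yocto_api import *
from yoctopuce.yocto_messagebox import *

# Use the Yoctopuce modules connected to the local USB ports
errmsg = YRefParam()
if YAPI.RegisterHub("usb", errmsg) != YAPI.SUCCESS:
    sys.exit("Unable to use USB port %s" % (errmsg.value))
# Find the first module that exposes the YMessageBox (SMS) function
mbox = YMessageBox.FirstMessageBox()
if mbox is None:
    sys.exit("No device that supports YMessageBox")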



The remainder of the script is an endless loop which retrieves the SMS present on the SIM card with the get_messages() method. When an SMS is present, the list of the phone numbers which must receive a copy of this SMS is retrieved from the config file.

messages = mbox.get_messages()
for msg in messages:
  sender = msg.get_sender()
  self.log("New SMS from %s:" % sender)
  self.log("   %s" % msg.get_textData())
  unicodeData = msg.get_unicodeData()
  for rule in self._rules:
    if rule.match(sender):
      targets = rule.getTargets()
      ...
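
The page does not show the rule objects used in this loop. As an added example (not the code from the sms_fwd repository), here is one way to implement match() and getTargets() with exact sender matching and a default-deny fallback, plus a helper that masks the code before the message text is logged. The JSON layout, the normalize, load_rules, targets_for and redact helpers and the phone numbers are assumptions made for illustration.

```python
import json
import re

# Constructed sample configuration; this JSON layout is an assumption,
# not the config format of the sms_fwd project.
SAMPLE_CONFIG = """
{"rules": [
  {"sender": "+15550100",   "targets": ["+15550111", "+15550112"]},
  {"sender": "ExampleBank", "targets": ["+15550111"]}
]}
"""

def normalize(sender):
    """Phone numbers lose spaces and punctuation; alphanumeric sender IDs are lower-cased."""
    s = sender.strip()
    compact = re.sub(r"[\s\-().]", "", s)
    return compact if re.fullmatch(r"\+?\d+", compact) else s.lower()

class Rule:
    """Hypothetical rule object offering the match()/getTargets() calls used by the loop."""
    def __init__(self, sender, targets):
        self._sender = normalize(sender)
        self._targets = [normalize(t) for t in targets]

    def match(self, sender):
        # Exact comparison only: no prefixes or wildcards that could over-match.
        return normalize(sender) == self._sender

    def getTargets(self):
        return list(self._targets)

def load_rules(text):
    return [Rule(r["sender"], r["targets"]) for r in json.loads(text)["rules"]]

def targets_for(sender, rules, own_number=None):
    """Default deny: an unknown sender yields []. Targets are de-duplicated and
    the hub's own number is skipped so a message can never loop back to the SIM."""
    own = normalize(own_number) if own_number else None
    out = []
    for rule in rules:
        if rule.match(sender):
            for t in rule.getTargets():
                if t != own and t not in out:
                    out.append(t)
    return out

def redact(text):
    """Mask runs of 4 or more digits so one-time codes stay out of the log file."""
    return re.sub(r"\d{4,}", lambda m: "*" * len(m.group()), text)
```

The sender field of an SMS can be forged, so these rules decide routing only; they do not prove that a message came from the web site.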



For each recipient, we create a new SMS with the content of the initial message and we put it in the send box with the send() method:

...
targets = rule.getTargets()
for dst_num in targets:
    self.log("forward it to %s" % (dst_num))
    sms = mbox.newMessage(dst_num)
    sms.addUnicodeData(unicodeData)
    sms.send()
...


Then we only need to erase the initial SMS from the SIM card.

...
msg.deleteFromSIM()
...



In the end, the main loop of the application is as follows:

errmsg = YRefParam()
if YAPI.RegisterHub("usb", errmsg) != YAPI.SUCCESS:
  sys.exit("Unable to use USB port %s" % (errmsg.value))
mbox = YMessageBox.FirstMessageBox()
if mbox is None:
  sys.exit("No device that supports YMessageBox")
while True:
  # Read every SMS currently stored on the SIM card
  messages = mbox.get_messages()
  for msg in messages:
    sender = msg.get_sender()
    self.log("New SMS from %s:" % (sender))
    self.log("   %s" % (msg.get_textData()))
    unicodeData = msg.get_unicodeData()
    # Forward a copy to every target of each rule matching the sender
    for rule in self._rules:
      if rule.match(sender):
        targets = rule.getTargets()
        for dst_num in targets:
          self.log("forward it to %s" % (dst_num))
          sms = mbox.newMessage(dst_num)
          sms.addUnicodeData(unicodeData)
          sms.send()
          YAPI.Sleep(2000)
    # Once all rules have been processed, remove the original SMS from the SIM card
    self.log("clear message from %s" % (sender))
    msg.deleteFromSIM()
  YAPI.Sleep(2000)



Note that this application doesn't need to be very reactive, because the YoctoHub-GSM-4G is autonomous. Like a traditional GSM phone, the YoctoHub automatically manages the SMS transmission between the service provider and the SIM card. The Python script only needs to read and erase the SMS which are stored on the SIM card. We don't need to manage GSM communications. If the application crashes or is not running for a while, SMS are still received by the YoctoHub and stored on the SIM card. The next time the script starts, it will transfer all the messages received in the meantime.

The complete code of the application is available on GitHub: https://github.com/yoctopuce-examples/sms_fwd

Conclusion

We decided to transfer the authentication SMS to other people via SMS, but we could have chosen to transfer the content of the SMS by email, or by other means. You are free to adapt the code to your own needs.

In closing, this small system is very convenient for sharing a login that requires two-factor authentication by SMS, but it can also become a source of security breaches if the machine running the Python script is compromised. If you decide to use such a system, it might be a good idea to disconnect the computer from the network. In this way, if a hacker succeeds in infiltrating your local network, that person won't be able to access the computer and therefore the SMS.
