http://www.eweek.com/article2/0,1895,1931904,00.asp
By Paul F. Roberts
February 27, 2006

Have you ever hit "Send" on a text message on your mobile phone before addressing it? Ever wondered where all those lost SMS text messages go? If so, you might want to speak with Stan Bubrouski, whose cell phone has been channeling wayward text messages from across the country for years.

Bubrouski, a computer science major at Northeastern University in Boston, is the proud owner of '[EMAIL PROTECTED],' an account on the popular Verizon text messaging service that allows Internet users to send e-mail and IM messages directly to his cell phone as SMS text messages.

Bubrouski said he was just being clever when he signed up for a Verizon vText account with the user name 'null,' after his parents bought him his first mobile phone during his freshman year at Northeastern, in 2001. "I've been paying for it ever since," Bubrouski told eWEEK.

Bubrouski's new vText account didn't just hook him up with his friends, it also opened the door to a blizzard of unsolicited messages from individuals and companies that, for the last five years, have unwittingly forwarded reams of data to his phone. That data has become more sensitive in recent months, as companies rush to deliver everything from SAT test scores to medical information and automobile diagnostics to cell phones and PDAs.

Bubrouski's experience, while unusual, could be a sign of growing pains in the wireless industry, as companies rush to provide wireless data services, overlooking steps that could secure the data in transit, according to one security expert.

Bubrouski, who is finishing his senior year at Northeastern, noticed something strange about his vText account almost immediately after activating it in 2001. "I started getting phantom text messages with no callback number and an empty 'From:' field," Bubrouski wrote. Initially, the content of the messages was innocuous, he said.
"It was things like 'don't forget to drop the car off at baker's' and to 'call mom at 781-XXX-XXXX', stuff like that," Bubrouski wrote.

The problem worsened in mid-2002, when Bubrouski's phone began channeling what he claims were dozens of messages from an e-mail address used by General Motors' then-new "OnStar" system. The messages quickly filled up the memory on his cell phone and contained diagnostic responses to tests on a beta version of OnStar. "Basically, people's cars were sending messages to my phone," Bubrouski wrote.

Bubrouski contacted GM and was able to reach someone familiar with the OnStar tests, and get them to stop the messages after about a week. "I was happy again - for about two weeks," he wrote.

Next, Bubrouski's phone started receiving SMS sports scores and news from ESPN, the sports cable network, which had struck up a partnership with Verizon. Bubrouski's phone was still getting dozens of messages from the service, but because the service wasn't public yet, he couldn't find anyone at Verizon or ESPN who had heard of it and could help him with his problem. Bubrouski said he deleted the messages from his phone. He was unable to provide proof of the OnStar or ESPN messages to eWEEK.

In a pattern that would repeat itself in the years to come, Bubrouski simply blocked the ESPN e-mail address using a blocking list at vtext.com and waited for the next stream of messages to hit his phone. Over time, Bubrouski accumulated a block list of around 15 "offenders"—individuals and companies who were sending him large volumes of unsolicited information.

Bubrouski theorizes that his choice of user name is the culprit in the data leaks. In the world of software design, "Null" is commonly used to represent "no value" or "0." Developers of mobile services use the "Null" address during testing routines, assuming that the messages won't be sent to anyone.
Verizon may also be substituting "Null" for an invalid or missing "To" address in messages sent over vText, he said.

Misplaced "Call Mom" messages aren't likely to harm anyone, but by late 2004, the unsolicited SMS problem exploded, and took on a darker nature, as mobile data services started popping up all over to take advantage of a new generation of feature-rich mobile phones, Bubrouski said. "I was getting people's grades, order information from unknown retailers, personal messages with people's credit card numbers [and] social security numbers," he wrote.

Most of the messages were sent by individuals, but many arrived in volume from companies like eMbience Inc. of San Diego, Calif., which unwittingly sent reams of MapQuest Traffic data to Bubrouski's phone. An eMbience spokeswoman said that Bubrouski's vText account was the same as an account used by engineers for internal testing. Once eMbience was informed, in November, that MapQuest test messages were going to Bubrouski's phone, they changed the address used in testing for the company's services.

Another company involved was Vocel Inc., also of San Diego, which develops mobile data services for companies including The Princeton Review and Random House. The company's Princeton Review service helps students study for a variety of standardized tests using their cell phone, including the SAT, GRE and LSAT, according to Tyler Jensen, vice president of operations at Vocel. A new Vocel service that is in testing called "Pill Phone" sends medication reminders to individuals' cell phones, he said.

Messages from both the Princeton Review service and Pill Phone were accidentally sent to Bubrouski's phone because of a flaw in a sharing feature in the service that allows test results completed on the phone to automatically be forwarded in SMS or e-mail format to a third party such as a parent or tutor, he said. Messages without a "To" address were not delivered by the service.
However, because of a programming flaw in the client/server software, messages with an invalid address, such as a blank space, were translated as "Null," and wound up on Bubrouski's phone, Jensen said. "The fault was entirely ours," he said. Vocel was informed of the problem by Bubrouski on Feb. 8 and had the problem fixed by Feb. 10.

While the Princeton Review messages that Bubrouski received were from a service that is in production, the Pill Phone messages were merely test data generated by Vocel engineers, not actual reminders, he said. For example, text messages from [EMAIL PROTECTED] told Bubrouski that "A student at 4105704297 has just completed Princeton Review Word Set 1 with a score of 71%." A message from [EMAIL PROTECTED] informed him that "A user at 7325894169 has not responded to his/her 01:45 PM dose of Pronestyl-SR," according to examples of data provided to eWEEK.

Vocel does not channel sensitive data from third-party servers. All the data that is circulated, such as test scores and medication information, is entered by the cell phone user, or generated on his or her phone, Jensen said. Still, Vocel is taking the incident seriously. "This was a wake-up call for us from the standpoint of ensuring that back-end systems are doing verification and checking," he said.

Jensen was loath to criticize Verizon, which provides SMTP gateways that route data sent from cell phone users and providers like Vocel to its customers. However, others said that Bubrouski's experience may be a sign of larger problems with the way that providers like Verizon are running their text messaging networks.

SMS users, like e-mail users, rely on the fact that carriers like Verizon won't accidentally deliver improperly formatted messages, such as those with no addressee, to an unrelated address, said John Pescatore, a vice president at Gartner. "There's no way that this should be happening.
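The two failure points the article describes, a sharing feature that renders a blank recipient as the literal "null" and a gateway that accepts such an envelope anyway, are illustrated below in an added Python example. This is not code from the article, from Vocel or from Verizon; the gateway domain vtext.example, the function names, the reserved-name list and the sample numbers are all constructed assumptions. The buggy builder models the flaw as Jensen describes it (a blank "To" becomes a missing value, which the runtime stringifies as "null"); the hardened builder validates the number before any address is formed, and the gateway-side check implements the rejection Pescatore calls for.

```python
import re

# Placeholder gateway domain for the example; not the carrier's real gateway.
GATEWAY_DOMAIN = "vtext.example"

# Local parts that are language placeholders or test names, never a subscriber.
# (Assumed policy list for the example, not a published carrier rule.)
RESERVED_LOCAL_PARTS = {"", "null", "none", "nil", "undefined", "test"}

TEN_DIGITS = re.compile(r"^\d{10}$")


def java_style_str(value):
    """Mimic a runtime that renders a missing value as the text 'null'."""
    return "null" if value is None else str(value)


def buggy_share_address(to_field):
    """The flaw as described: a missing 'To' is dropped, but a blank one is
    first turned into a missing value and then stringified into 'null'."""
    if to_field is None:
        return None                      # no address at all: correctly not sent
    number = to_field.strip() or None    # "   " collapses to None here ...
    return f"{java_style_str(number)}@{GATEWAY_DOMAIN}"  # ... and is sent to null@


def normalize_phone(to_field):
    """Return a 10-digit national number, or None if the field is not one."""
    if to_field is None:
        return None
    digits = re.sub(r"\D", "", to_field)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]              # strip a leading country code
    return digits if TEN_DIGITS.fullmatch(digits) else None


def safe_share_address(to_field):
    """Hardened builder: only a validated number ever reaches the formatter,
    so blanks, words and placeholders can never become a deliverable address."""
    number = normalize_phone(to_field)
    if number is None:
        return None
    return f"{number}@{GATEWAY_DOMAIN}"


def gateway_accepts(envelope_from, envelope_to):
    """Gateway-side check: refuse envelopes 'from no one' or 'to no one',
    including placeholder local parts, instead of routing them to a subscriber."""
    for addr in (envelope_from, envelope_to):
        if not addr or "@" not in addr:
            return False
        local, _, domain = addr.partition("@")
        if not domain or local.strip().lower() in RESERVED_LOCAL_PARTS:
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a blank share field and a fictional subscriber number.
    for field in [None, "   ", "(202) 555-0123", "null"]:
        print(repr(field), "buggy ->", buggy_share_address(field),
              "| safe ->", safe_share_address(field))
    print(gateway_accepts("alerts@vocel.example", "null@vtext.example"))
```

The point of the split is defence in depth: the application should never synthesise an address from a missing value, and the gateway should still reject a malformed envelope if an upstream application does.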
No e-mail system would ever do that," he said. Verizon should be rejecting messages with improperly formatted addressee information, not forwarding it to an account, he said.

Bubrouski agrees. "I'd have to say Verizon is at fault. Sure, service providers make mistakes, but Verizon shouldn't be accepting messages from no one to no one," he said.

Verizon declined to comment in detail on Bubrouski's case. However, Verizon Wireless spokesman Jeffrey Nelson thanked eWEEK for bringing the 'Null' account issue to the company's attention, and said Verizon is looking into the issue.

The problems that Bubrouski experienced may be particular to Verizon's network. However, security is a larger problem in text messaging and e-mail, where trust is assumed between senders and receivers of message data, said Brian Berger, a vice president of marketing at Wave Systems Inc. and marketing chair at the TCG (Trusted Computing Group).

TCG is developing specifications for hardware building blocks, including the TPM (Trusted Platform Module) chip, that can secure transactions from mobile devices. Companies like Nokia, Motorola, ARM, Vodafone, Wave Systems, as well as Intel and IBM are participating in the process, and specifications are expected this summer, Berger said. As mobile devices become more powerful and are used to log into secure networks and conduct high-value transactions, users will need to have a way to authenticate themselves, manage passwords and prove their identity using mobile phones, he said.

While Verizon works on the problem, Bubrouski said he's grown accustomed to his plight as a shepherd for lost text messages. "I've received thousands of text messages over the past five years," he wrote. "Probably only about 200 or so were actually meant for or even sent to me directly."
Getting rid of his vText account would stop the stream of unwanted SMS messages, but Bubrouski said he enjoys reading the messages he receives, and blocks companies and individuals when the volume of SMS they're sending him gets too high. "I've kind of gotten used to it," he wrote.