Embedding High Capacity Covert Channels in Short Message Service (SMS)

  • M. Zubair Rafique
  • Muhammad Khurram Khan
  • Khaled Alghatbar
  • Muddassar Farooq
Part of the Communications in Computer and Information Science book series (CCIS, volume 186)


Covert Channels constitute an important security threat because they are used to ex-filtrate sensitive information, to disseminate malicious code, and, more alarmingly, to transfer instructions to a criminal (or terrorist). This work presents zero day vulnerabilities and weak-nesses, that we discovered, in the Short Message Service (SMS) protocol, that allow the embedding of high capacity covert channels. We show that an intruder, by exploiting these SMS vulnerabilities, can bypass the existing security infrastructure (including firewalls, intrusion detection systems, content filters) of a sensitive organization and the primitive content filtering software at an SMS Center (SMSC). We found that the SMS itself, along with its value added services (like picture SMS, ring tone SMS), appears to be much more susceptible to security vulnerabilities than other services in IP-based networks. To demonstrate the effectiveness of covert channels in SMS, we have used our tool GeheimSMS that practically embeds data bytes (not only secret, but also hidden) by composing the SMS in Protocol Description Unit (PDU) mode and transmitting it from a mobile device using a serial or Bluetooth link. The contents of the overt (benign) message are not corrupted; hence the secret communication remains unsuspicious during the transmission and reception of SMS. Our experiments on active cellular networks show that 1 KB of a secret message can be transmitted in less than 3 minutes by sending 26 SMS without raising an alarm over suspicious activity.


Short Message Service (SMS) SMS Covert Channels SMS PDU 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    National Computer Security Center, US DoD: Trusted computer system evaluation criteria. Technical Report, DOD 5200.28-STD (December 1985)Google Scholar
  2. 2.
    Ahsan, K., Kundur, D.: Practical data hiding in TCP/IP. In: Proc. of the 9th Workshop on Multimedia & Security, pp. 25–34. ACM, Texas (2002)Google Scholar
  3. 3.
    Rowland, C.: Covert channels in the TCP/IP protocol suite. First Monday 2(5-5) (1997)Google Scholar
  4. 4.
    Giffin, J., Greenstadt, R., Litwack, P., Tibbetts, R.: Covert messaging through TCP. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 194–208. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    Murdoch, S., Lewis, S.: Embedding covert channels into TCP/IP. In: Barni, M., Herrera-Joancomartí, J., Katzenbeisser, S., Pérez-González, F. (eds.) IH 2005. LNCS, vol. 3727, pp. 247–261. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Fisk, G., et al.: Eliminating steganography in internet traffic with active wardens. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 18–35. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Bauer, M.: New covert channels in http: adding unwitting web browsers to anonymity sets. In: Proc. of the 2003 ACM Workshop on Privacy in the Electronic Society, pp. 72–78. ACM, NY (2003)Google Scholar
  8. 8.
    Mazurczyk, W., Kotulski, Z.: New VoIP traffic security scheme with digital watermarking. Computer Safety, Reliability, and Security, 170–181 (2006)Google Scholar
  9. 9.
    Lucena, N., Pease, J., Yadollahpour, P., Chapin, S.: Syntax and semantics-preserving application-layer protocol steganography. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 164–179. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Zou, X., Li, Q., Sun, S., Niu, X.: The Research on Information Hiding Based on Command Sequence of FTP Protocol. In: Khosla, R., Howlett, R.J., Jain, L.C. (eds.) KES 2005. LNCS (LNAI), vol. 3683, pp. 1079–1085. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Lampson, B.: A note on the confinement problem. Communications of the ACM 16(10), 613–615 (1973)CrossRefGoogle Scholar
  12. 12.
    Portio-Research: Mobile Messaging Future (2010-2014),
  13. 13.
    GSM-ETSI: 03.40. Technical realization of the Short Message Service (SMS) (1998),
  14. 14.
    Simmons, G.J.: The prisoners problem and the subliminal channel. In: Proc. of Advances in Cryptology (CRYPTO), pp. 51–67 (1984)Google Scholar
  15. 15.
    Le Bodic, G.: Mobile Messaging technologies and services: SMS, EMS and MMS. John Wiley Sons Inc., Chichester (2005)CrossRefGoogle Scholar
  16. 16.
    The Trusted System Evaluation Criteria. Fred Cohen Associates,

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • M. Zubair Rafique
    • 1
  • Muhammad Khurram Khan
    • 1
  • Khaled Alghatbar
    • 1
  • Muddassar Farooq
    • 2
  1. 1.Center of Excellence in Information AssuranceKing Saud UniversityRiyadhSaudi Arabia
  2. 2.Next Generation Intelligent Networks Research CenternexGIN RC, NUCES, FASTIslamabadPakistan

Personalised recommendations