
SMS Encrypt

This document discusses improving the privacy and security of SMS communication. It begins by asking questions about SMS usage and privacy concerns. It then introduces the author and their background in security and encryption. The document explains that SMS is not end-to-end encrypted by default and can be intercepted. It proposes encrypting and tunneling SMS to provide true end-to-end encryption using session keys, SMS gateways, or third party SMS APIs. Contact key exchange protocols are also described to establish encryption between two parties.

Uploaded by

shankar r

SMS E2E Encryption and Tunneling for Smart Mobile Devices
By Michael Kangethe
Bsc IT (JKUAT), Msc CS (UoN), CEH (Practical), PhD CS (UoN) (Ongoing)
Questions
1. Have you ever communicated with someone you know via SMS (sent or received) over the past 30 days?
2. Have you ever had the feeling or suspicion that your SMS messages are not private?
3. Do you use WhatsApp or the Signal app for the privacy it provides?
4. Would you like the same level of privacy that WhatsApp or Signal provide for SMS communication?
If you answered YES to at least TWO of the four questions, this could be for you.
#whoami

• Researcher (Cryptography and AI) - Published
• Technical and Cyber Security Consultant
• Software Developer
• Lecturer
• PhD Candidate CS UoN - Randomized Cryptography
• Kenpo Practitioner - Shodan
SMS

SMS stands for Short Message Service and is commonly known as texting. It's a way to send text-only messages of up to 160 characters between phones.
The most ubiquitous form of messaging:
● Device independent
● Provider independent (doesn’t depend on the service provider Airtel/Safaricom/country)
● Doesn’t require an internet connection - global reach
SMS Security

SMS security depends on the GSM service provider's encryption implementation (A5/1, A5/2, A5/3, A5/4), which in turn depends on the country's agreements and export controls.
Encryption applies between the mobile and the base station controller (BSC, the network entity that manages the radio resources). The radio link transports a couple of higher-level protocols, among them MAP, which is used to transport SMS.
Encryption and security are not E-2-E, just over the air from device to BTS.
Refer here: https://payatu.com/dissecting-gsm-encryption-location-update-process#:~:text=GSM%20makes%20use%20of%20a,a%20ciphering%20key%20(KC).
Note

Cellular service providers retain records of the parties to a text message and the date and time it was sent.
They do not, however, retain the content of text messages for very long, if at all.
They can, however, retain and turn over your texts if requested through a court order.
Laws only change as technology advances.
Source: https://news.law.fordham.edu/jcfl/2016/06/02/cell-phone-forensics-powerful-tools-wielded-by-federal-investigators/#:~:text=Cellular%20service%20providers%20retain%20records,very%20long%2C%20if%20at%20all.
https://www.safaricom.co.ke/dataprivacystatement/
SMS Security
Side Note

Any communication service provider who generates the shared key, or a portion of it, FROM their CENTRAL SERVICE/SERVER can decrypt your encrypted communication. It is NOT encrypted with E-2-E.

[Figure: Current SMS Communication and Security. Labels: "Encrypt with Bob Session Kc Key"; "Decrypt with Alice Session Kc Key"; "Session Keys are generated by the BSC, can be used to decrypt SMS Data". Sample values shown: HELLO, RE2A, T4QX.]


SMS Privacy Issues

Since SMSes are not E-2-E encrypted, and are only encrypted from the device to the BTS depending on the service provider, the issues below arise:

GSM sniffing: "GSM Sniffing: Voice Decryption 101 - Software Defined Radio Series". Source: https://youtu.be/krJJKjYdwgc

Interception in plaintext format from the service provider (SS7).

Communication network pattern analysis: Michael M Kangethe, Robert Oboko. Associations Rankings Model for Cellular Surveillance Analysis. Journal of Computer Sciences and Applications. Vol. 8, No. 2, 2020, pp 40-45. http://pubs.sciepub.com/jcsa/8/2/1
Encryption & Tunneling

Tunneling is a way to move packets from one network to another. Tunneling works via encapsulation: wrapping a packet inside another packet. Networking Basics. Network Layer.
Encryption is the process of transforming information in such a way that an unauthorized third party cannot read it; a trusted person can still decrypt the data and access it in its original form.
SMS E-2-E leverages GSM technologies and encryption algorithms and solutions to enhance security and privacy in SMS communications.
[Figure: E-2-E SMS Communication and Security. Labels: "Encrypt with Bob Session Kc Key"; "Decrypt with Alice Session Kc Key"; "Session Keys are generated by the BSC, can be used to decrypt SMS Data". Sample values shown: HELLO, 2DTR, RE2A, T4QX.]
[Figure: E-2-E SMS and Tunneling Communication and Security using SMS Gateway. Labels: "Step 1: Encrypt with Bob Session Kc Key and containing Routing Info rt"; "Step 2"; "Step 3: Decrypt with SMS Gateway Session Kc Key"; "Step 4"; "Decrypt with Alice Session Kc Key"; "Session Keys are generated by the BSC, can be used to decrypt SMS Data". Sample values shown: HELLO, 2DTR, T4QXrt, WJ32rt, WIY6, PXQ1.]
[Figure: E-2-E SMS and Tunneling Communication and Security using 3rd Party SMS API. Labels: "3rd Party SMS API"; "Encrypt with Bob Session Ki Key and containing Routing Info to 3rd party SMS API over the internet"; "Decrypt with Alice Session Kc Key"; "Session Keys are generated by the BSC, can be used to decrypt SMS Data". Sample values shown: HELLO, 2DTR, T4QX.]
Alice sends Bob her contact QR, then Bob scans it using the app.

Bob sends Alice his contact QR, then Alice scans it using the app.

Here Bob and Alice can communicate using each other's public key.

1. Alice's app generates a shared private key and IV for Alice & Bob, appends the key to the Key Update text, then encrypts the Key Update using Bob’s public key.
2. Alice sends the encrypted Key Update as an SMS to Bob.
3. Bob decrypts the SMS using his own private key, then updates the Bob & Alice shared private key. He then generates a hash of the shared private key and IV.
4. Bob sends the hash of the shared key and IV to Alice.
5. Alice decrypts the SMS using her own private key, then compares the hash received with the hash of the shared private key and IV. If they match, the key exchange is successful.
6. If the exchange is successful Alice will send ACK, else she sends a new key and IV to Bob.
7. If the message from Alice is ACK, Bob updates the key exchange confirmation; else he does nothing and uses Alice's public key for communication.

Contact Key exchange Protocol
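
The exchange above with both sides' messages, as an added Node.js example; it is not code from SpiderSMS or the author. The cipher choices (RSA-2048 with OAEP, SHA-256), the 32-byte key and 16-byte IV, and the `KEYUPD:`/`ACK` message texts are assumptions, since the slides do not specify them.

```javascript
// Added illustration, not SpiderSMS code. Assumed: RSA-2048 OAEP, SHA-256, "KEYUPD:" and "ACK" texts.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const seal = (pub, buf) => crypto.publicEncrypt({ key: pub, ...OAEP }, buf).toString('base64');
const open = (priv, sms) => crypto.privateDecrypt({ key: priv, ...OAEP }, Buffer.from(sms, 'base64'));
const digest = ({ key, iv }) => crypto.createHash('sha256').update(key).update(iv).digest();

class Contact {
  constructor() {
    Object.assign(this, crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
    this.peerKey = null; // peer's public key, learned by scanning their contact QR
    this.pending = null; // proposed {key, iv}, not yet confirmed
    this.shared = null;  // confirmed {key, iv}
  }
  // Initiator: new shared key and IV appended to the key-update text, sealed to the peer.
  proposeKey() {
    this.pending = { key: crypto.randomBytes(32), iv: crypto.randomBytes(16) };
    return seal(this.peerKey, Buffer.concat([Buffer.from('KEYUPD:'), this.pending.key, this.pending.iv]));
  }
  // Responder: unwrap with own private key, store the key, answer with hash(key || IV).
  acceptKey(sms) {
    const body = open(this.privateKey, sms);
    if (body.length !== 55 || body.toString('latin1', 0, 7) !== 'KEYUPD:') throw new Error('not a key update');
    this.pending = { key: body.subarray(7, 39), iv: body.subarray(39) };
    return seal(this.peerKey, digest(this.pending));
  }
  // Initiator: compare the returned hash; ACK on match, otherwise send a fresh key and IV.
  confirm(sms) {
    const got = open(this.privateKey, sms), want = digest(this.pending);
    if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return this.proposeKey();
    this.shared = this.pending;
    return seal(this.peerKey, Buffer.from('ACK'));
  }
  // Responder: promote the key only on ACK; otherwise keep using public-key encryption.
  finish(sms) {
    const ack = open(this.privateKey, sms).toString('latin1') === 'ACK';
    if (ack) this.shared = this.pending;
    return ack;
  }
}

function runExchange(staleUpdate = false) {
  const alice = new Contact(), bob = new Contact();
  alice.peerKey = bob.publicKey; bob.peerKey = alice.publicKey; // stands in for the two QR scans
  const update = alice.proposeKey();
  if (staleUpdate) alice.proposeKey(); // constructed fault: Bob answers an update Alice already replaced
  return { alice, bob, confirmed: bob.finish(alice.confirm(bob.acceptKey(update))) };
}
```

`runExchange(true)` models a delayed SMS: the hash Bob returns no longer matches Alice's current key, so neither side promotes a shared key and Bob stays on public-key encryption.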


Privacy Options Security Matrix

Property | (Option 1) Encrypt and Send Directly | (Option 2) Encrypt and Send Using SMS Gateway | (Option 3) Encrypt and Send Online using SMS APIs
SMS cannot be read by any party other than the sender and receiver | ✅ | ✅ | ✅
Uses Public Key Encryption | ✅ | ✅ | ✅
Uses Shared Private Key Encryption | ✅ | ❌ | ❌
Sender and Receiver Partially Obscured | ❌ | ✅ | ❌
Sender and Receiver Fully Obscured | ❌ | ❌ | ✅
Privacy Options - Explained

● (Option 1) - Encrypt and Send Directly
○ SMS cannot be read by any party other than the sender and receiver
○ Sender and receiver are known
○ Uses both Public and Shared Private Key Encryption
● (Option 2) - Encrypt and Send Using SMS Gateway
○ SMS cannot be read by any party other than the sender and receiver
○ Sender and receiver can only be known by use of advanced querying and data mining techniques
○ Uses Public Key Encryption
● (Option 3) - Encrypt and Send Online using SMS APIs
○ SMS cannot be read by any party other than the sender and receiver
○ Sender and receiver cannot be known even by use of advanced querying and data mining techniques
○ Uses Public Key Encryption
Target Users

Anyone who needs an extra layer of privacy in their SMS communications
● Companies (with sensitive communications)
● Basically, if you use WhatsApp or Signal you are a target user
DEMO
Observed Issues for Further Research

Message limitation and dependency on key size
● This only affects Public Key communication and is not a problem in Shared Private Key communication
● Public Key communication uses multiple messages due to the 256 bit key size

Latency due to tunneling and proxying SMS
● The time it takes for an SMS to arrive at the client's device is purely dependent on the SMS Gateway/API speed and uptime
● However, this is negligible for most services
Available Devices Going Forward

The current POC has been tested to work on ALL Android devices from Version 5 and above.

Development for iOS devices has started with a focus on the Kotlin version. Collaborations welcome.
Q&A
Thank you!

@MichK_01

github.com/mich01

linkedin.com/in/mkangethe
SpiderSMS
Demo APK Source Code: https://github.com/mich01/SpiderSMS
