Let's Build a Responsible Cyber Society

The Problem of SMS/Phone spoofing

Just as the Swedish security professional Dan Egerstad had exposed the security weaknesses in the e-mail communication system in Indian embassies, an Internet user in Ahmedabad by the name of Mr Pathanjali Vyas created a sensation by publicizing the existence of websites which allow telephone calls and SMS to be put through with any telephone number entered as the sender's telephone number. He demonstrated the possibility by sending a spoofed SMS in the name of Mr Shah Rukh Khan, a celebrity film actor, to somebody, inviting them to a party. The news was picked up by the TV channel Headlines Today, which carried an extensive discussion on its English and Hindi (Aaj Tak) channels today (October 4, 2007). Naavi also participated in the discussions.

During the discussions, it was also demonstrated on air how a call could be put through in the name of the Home Minister of the Government of India to another Minister who was on air, bringing into focus the dangers inherent in such spoofed calls.

The expert discussions centered on two aspects, namely:

1. Are there laws in India under which spoofed SMS/VOIP calls are considered an offence?

2. Are there any technology safeguards?

Differing opinions were expressed on these subjects. While one set of legal and technology experts held the pessimistic view that neither the IPC nor ITA 2000 recognizes spoofing as an offence and that there is no technical remedy, Naavi held the contrarian view that the offence is recognized under both IPC and ITA 2000.

Naavi expressed the view that under IPC this would be "Impersonation" at the sender's end and could be harassment, cheating, etc. at the receiver's end. Under ITA 2000 this would be an offence under Section 66. He urged the Cyber Crime Police Stations to take up some test cases for investigation and establish the enforceability of the law as a deterrent against the proliferation of such crimes in future.

Naavi also stated that while no technical remedies are easily available for implementation by the user, the Mobile Service Providers (MSP) can and must implement security measures commensurate with the "Due Diligence" requirements. Naavi also briefly mentioned the technical solutions that could be implemented and offered to assist the MSPs if they are interested.

With the huge awareness created by this exposé of the availability of free websites where people can send spoofed calls and SMS, India is now in for a spurt of such offences, and unless the Police and MSPs gear up with a counter plan, honest telephone users are in for a harrowing time. Police should also ensure that before taking penal action based on mobile call/SMS evidence, they eliminate the possibility that the evidence is a spoofed version. Where genuine evidence from mobile calls and SMS is to be presented, Police will also have to take appropriate precautions to get the evidence established through appropriate certifications.

Naavi

October 4, 2007
