VOIP, Virtual SIM, SMS & Online-Caller
Time for another round of OpSec fun. Oh, we’ve already gotten ahead of ourselves, and there’s no real VOIP stuff in here. Again. OMG.
SMS
Services (send & receive)
- https://www.viotp.com/en/
- https://octopush.com/ (mass SMS)
- AWS SNS
- Twilio
- Nexmo
- https://sms-man.com/
- https://sms-act.net/en/
VOIP, Virtual SIM & Online-Caller
Many services are mixed (call and SMS), some are VOIP, some are more like a virtual SIM. Often they don’t exist for long and change their appearance and offering during their lifetime. We wouldn’t recommend buying lots of credits on these. Regardless, we list each of them in only one of the two categories (call or SMS).
- https://www.blacktel.io/ (only email verification, *coin payment)
- https://onlinesim.io/ (seems mostly dead, registered service untested)
- https://www.mintmobile.com/ (requires USA phone activation)
- https://alosim.com/ (mostly eSIM intended for cheap roaming)
- https://anonsimcard.com/ (plenty of other services under similar naming scheme)
Having scratched only the surface at that point, we suddenly wondered:
Can we trust this stuff? - Like, at all? Or rather, at least a tiny bit?
Leasing a SIM on a garage sale
Note: The following article has not been made to discredit any particular service, it’s just something we came to realize.
What started as list-research turned into a little blog article - when you want to use these services, you may want to read the following, or at least the bottom line.
This ain’t your number
Some of these services make it more than clear that you lose your number when you stop paying. Emphasis on lose - not remove or delete. Meaning, you can more or less count on the fact that the phone number will be re-used, and so all accounts you verified using the number technically change owner automatically. It’s very likely that the provider itself may try to get access to accounts that were previously yours (depending on value), to use them for their own purposes: trash, spam, resale or even illegitimate purposes. And if they don’t, the next owner might try - or maybe we do*?
(*Entering a phone number on the recovery options of a few of the major services like Gmail, Outlook etc. sounds like a “Pentest level extremely easy”. While thinking about it, we’d be even more worried about what kind of accounts we accidentally inherited.)
This ain’t 10minutemail
This is not like 10minutemail, even though they try to make it appear like that. Sure, you don’t know what happens after 10 minutes at 10minutemail. But email and the intended use case of 10minutemail make misuse by the provider or a potential new owner of your trash email address less attractive compared to a SIM. 10minutemail addresses are usually truly random and not reused, while virtual SIMs are the opposite. Finally, you can easily verify that an email address has been deleted by sending an email and reading the server response. You cannot do that with a SIM / cellphone number.
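The server-response check mentioned above, as an added example (not code from the original post): it parses the reply a mail server gives to RCPT TO (RFC 5321 reply lines, RFC 3463 enhanced status codes) and classifies it. The sample replies and category names are constructed for illustration; an "accepted" result proves nothing on a catch-all domain.

```python
import re

# One SMTP reply line (RFC 5321): 3-digit code, "-" if more lines follow, " " on the last.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# Optional enhanced status code (RFC 3463) at the start of the text, e.g. "5.1.1".
ENHANCED = re.compile(r"^[245]\.\d{1,3}\.\d{1,3}\b")

def parse_reply(raw):
    """Return (code, enhanced_code_or_None, text) for a possibly multi-line reply."""
    code, enhanced, texts = None, None, []
    for line in raw.strip().splitlines():
        m = REPLY_LINE.match(line)
        if not m or (code is not None and m.group(1) != code):
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        code, text = m.group(1), m.group(3)
        e = ENHANCED.match(text)
        if e:
            enhanced = enhanced or e.group(0)
            text = text[e.end():].strip()
        texts.append(text)
        if m.group(2) == " ":      # final line of this reply
            break
    if code is None:
        raise ValueError("empty reply")
    return int(code), enhanced, " ".join(texts)

def classify_rcpt(raw):
    """Interpret the server's answer to RCPT TO for the address being checked."""
    code, enhanced, _ = parse_reply(raw)
    if 200 <= code < 300:
        return "accepted"          # mailbox exists OR the domain is a catch-all
    if 400 <= code < 500:
        return "retry-later"       # greylisting, quota, temporary failure
    if enhanced == "5.1.1":
        return "mailbox-gone"      # bad destination mailbox address
    if enhanced == "5.2.1":
        return "mailbox-disabled"  # exists but not accepting messages
    return "rejected-other"        # policy block etc., says nothing about deletion

# Constructed sample replies (not captured from any real server).
SAMPLES = {
    "deleted": "550-5.1.1 The account does not exist.\r\n550 5.1.1 Check for typos.",
    "live": "250 2.1.5 OK",
    "greylisted": "451 4.7.1 Please try again later",
    "blocked": "554 5.7.1 Relay access denied",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:10} -> {classify_rcpt(reply)}")
```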
This ain’t for RedTeaming
We would be very careful when and where we’d use such services. A pentester may not consider this, but when you used such a number, you hand out company access (you forgot those Mimikatz creds and Domain Admin?) to a third party once your red team op is over.
That’s probably the entire reason, why we wrote all these words. A tweet would’ve sufficed, we’re aware. But more than giving technical tips, we write to communicate. Yes, this is love. Our love, for you. No, nobody else wants to have it, so… go ahead, take it. Come back whenever you need more.
This ain’t no trap, maybe
None of that is even the worst case: that such a service may be operated entirely by an adversary, foreign intelligence service, LE or APT. Sure, that could always be the case, but past activity shows the high probability of this particular scenario, as this product is easy to supply yet is a high value target. You could essentially operate a few SIMs manually and sell / lend them online to someone else; you could just as easily scale with only a handful of call-center agents and practically no complex parts or infrastructure.
Off-the-shelf mass-SIM-to-webservice devices existed for a long time, often they’re leftover pieces from other “business models”. One man’s trash…
You might be completely alone - or rather not
When we discover services like these, we automatically assume that we would disappear in the white noise of 10 million other customers, that the service is entirely automated and has high security, confidentiality, integrity. However, the web presence, business model and other factors scream the opposite:
You’re leasing a SIM on a garage sale, overpriced.
We’ve been operating websites and services for a very long time. That leaves you with more than an impression of how much traffic a website has. We can’t look under the hood of any particular service (ok, we could of course Alexa WebMaster Console the crap out of… nevermind, Alexa is as dead as the horses we’re beating), and we haven’t done any research on who runs them or what their intentions are. But this also isn’t the point. Understanding that services like “Amazon Prime Video” are on the edge of existence 3 times a quarter, due to lack of paying customers, adds to the feeling of insecurity about these smaller, yet integral and sensitive services.
This ain’t encrypted
Just for a moment, as a mental exercise, consider yourself the only customer of such a service, with all prying eyes on your activity. SMS and calls have practically zero encryption you could enforce or trust.
All this fully patched & pentested, unbreakable wire-guarded, transport-layer secured and zero-trusted stuff has made us lazy: Not too long ago, secure meant it must work when observed, when attacked, when someone tries to actively break it.
That is - maybe for us as much as for you and the providers - very sad. We’d give an arm and a leg for secure, reliable and anonymous access to the Grid, if we had left arms and… legs.
This ain’t recommended
TL;DR:
Useful, needed, but not secure at all. High Risk - Compromises your own security!