Hacker News
by apienx 774 days ago
SMS specifications include "Type 0" messages, also known as Silent SMS. These messages don't trigger any event on the phone when received, but they do send back an ACK that includes IMSI metadata. Silent SMS are literally defined in the RFC and primarily used to covertly track user locations without judicial oversight.

GSM, SS7, etc. are massive privacy holes _by design_.


Silent SMS is an incredibly convoluted and impractical way of trying to figure out someone's location.

The whole purpose of mobile networks is to track a device's location (so you can route data to/from it!). Of course it's easy to do it if you're the operator or someone who has compromised it.

I remember using one of those dongles with a SIM card that you could talk to with an API and use that to send flash SMS. Full screen warnings to friends. Only option was 'OK' and the text was gone afterwards.
My old Nokia C2-01 allows sending them from the menu ;-)
They are primarily used for configuring your visual voicemail lol. Stop the hyperbolic statements.
https://www.heise.de/news/Zoll-BKA-und-Verfassungsschutz-ver...

Not sure where you get your information, but these are routinely used by police to covertly track targets.

Just because they are routinely used for such does not mean it is their primary purpose.
When we know that govts want this capability, when we know that govt regulators are in the same room with telcos when plans are being drawn up, when we know govt uses these capabilities routinely, why would you doubt it was there for that purpose? Isn't this a good time to round up the usual suspects? If the govt intervenes to get this capability and also declares that this should not be the primary purpose, I guess that would make it a secondary purpose? OK, I feel better now, phew!
You’re kind of splitting hairs there, aren’t ya?
No. The Internet is routinely used for porn but it is not its primary purpose.
There’s even a song about how the internet is for porn
Can they be disabled/blocked on the device, when not needed because the user has disabled "visual voicemail" with their carrier?
Could you elaborate on this? What is a 'visual voicemail'? What would a 'silent SMS' have to do with that?
Visual voicemail is when the dialer app on your phone can show the list of voicemails similar to how you would see your email inbox. You can directly play the voicemail messages and depending on the device/carrier, there might also be a text transcription of the audio.

Many carriers implement this via "silent SMS" + IMAP (the same IMAP as for emails). The device will send an activation or status message to the carrier's visual voicemail number and the carrier will respond with an SMS containing the IMAP credentials.

The version of this I'm familiar with is T-Mobile's old CVVM protocol. During initial setup, the device will send a text message containing "Activate:dt=6" to the number 122 and T-Mobile will reply with (in decoded form):

    pw_len=4-9
    vs_len=10
    u=<IMAP username>
    pw=<IMAP password>
    rc=0
    st=R
    ipt=148
    srv=e7.vvm.mstore.msg.t-mobile.com
    lang=1|2|3|4
    g_len=180
If visual voicemail is already enabled, then sending the "Status:dt=6" SMS to 122 will also result in the same reply. Putting the credentials in an IMAP client will work and it doesn't have to go over the phone's cellular connection. You can even use curl:

    curl -v imaps://<USERNAME>:<PASSWORD>@e7.vvm.mstore.msg.t-mobile.com/
T-Mobile has deprecated this protocol though. New activation messages will fail with a blocked status:

    rc=0
    st=B
    srv=vvm.mstore.msg.t-mobile.com
T-Mobile replaced this CVVM protocol with two HTTP based protocols: "mstore" (used by OEMs like in the dialer app on Google Pixels and OnePlus devices) and "cpaas" (used by T-Mobile's first party visual voicemail app). I've been working on an open source client for mstore for use with open source Android OS's, like GrapheneOS.

In case anyone is interested, the vvmd wiki (visual voicemail implementation for Linux phones) has information on how several carriers implement VVM: https://gitlab.com/kop316/vvmplayer/-/wikis/Visual-Voicemail.... AT&T's is especially nasty.
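A small client-side handler for the CVVM exchange described in the comment above, as an added example (not code from the commenter, from T-Mobile, or from any VVM project). The request bodies ("Activate:dt=6" / "Status:dt=6" to short code 122), the key=value reply layout and the st=R / st=B statuses are taken from the comment; reading pw_len as the allowed password length range, treating u/pw/srv as the only mandatory keys, and the placeholder credentials in the sample replies are assumptions made here.

```python
"""Turn a T-Mobile CVVM activation/status reply into an IMAP endpoint.

Added example, not code from the thread, from T-Mobile, or from any VVM
project. Reply format and statuses come from the comment above; the
meaning of pw_len and the set of mandatory keys are assumptions.
"""
from urllib.parse import quote

VVM_SHORT_CODE = "122"                      # from the comment
_REQUESTS = {"activate": "Activate:dt=6",   # from the comment
             "status": "Status:dt=6"}


class CvvmError(Exception):
    pass


class CvvmBlocked(CvvmError):
    """The carrier answered st=B: activation refused (protocol deprecated)."""


def request_body(action: str) -> str:
    """SMS text the device sends to VVM_SHORT_CODE for 'activate' or 'status'."""
    return _REQUESTS[action]


def parse_cvvm_reply(text: str) -> dict[str, str]:
    """Split the decoded reply SMS into a key/value dict, skipping blank lines."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise CvvmError(f"malformed line: {line!r}")
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def _length_range(spec: str) -> tuple[int, int]:
    """'4-9' -> (4, 9); a bare number is both bounds. (Assumed meaning of pw_len.)"""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def imap_endpoint(fields: dict[str, str]) -> dict:
    """Return host/credentials for an IMAP client, or raise if the reply is unusable."""
    status = fields.get("st")
    if status == "B":
        raise CvvmBlocked(f"blocked by carrier (srv={fields.get('srv', '?')})")
    if status != "R":
        raise CvvmError(f"unexpected status {status!r}")
    missing = [k for k in ("u", "pw", "srv") if not fields.get(k)]
    if missing:
        raise CvvmError(f"reply lacks {missing}")
    if "pw_len" in fields:                      # assumption: advertised password length range
        lo, hi = _length_range(fields["pw_len"])
        if not lo <= len(fields["pw"]) <= hi:
            raise CvvmError("password length outside the advertised pw_len range")
    user, password, host = fields["u"], fields["pw"], fields["srv"]
    return {
        "host": host,
        "port": 993,                            # implicit TLS, as in the imaps:// curl line above
        "user": user,
        "password": password,
        "url": f"imaps://{quote(user, safe='')}:{quote(password, safe='')}@{host}/",
    }


# Sample replies, transcribed from the comment with placeholder credentials.
READY_REPLY = """\
pw_len=4-9
vs_len=10
u=15551234567
pw=s3cret9
rc=0
st=R
ipt=148
srv=e7.vvm.mstore.msg.t-mobile.com
lang=1|2|3|4
g_len=180
"""

BLOCKED_REPLY = """\
rc=0
st=B
srv=vvm.mstore.msg.t-mobile.com
"""

if __name__ == "__main__":
    print(f"send {request_body('activate')!r} to {VVM_SHORT_CODE}")
    ep = imap_endpoint(parse_cvvm_reply(READY_REPLY))
    print("IMAP endpoint:", ep["url"])       # hand ep['host'], ep['port'] to imaplib.IMAP4_SSL
    try:
        imap_endpoint(parse_cvvm_reply(BLOCKED_REPLY))
    except CvvmBlocked as exc:
        print("activation refused:", exc)
```

The resulting `url` is the same shape as the curl line in the comment, so the two can be checked against each other; the blocked branch is what a fresh activation gets today, per the comment.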

I'm not sure if Visual Voicemail really uses silent SMS, but even older phones had a series of indicators such as "voicemail waiting", "message waiting" etc. which the network could control via binary SMS payloads.

By sending one that clears all of them in a network that doesn't use them (or sending one equivalent to the current state for one that does), you can achieve the outcome of initiating SMS-MT (mobile-terminated) delivery to a given ME (phone) without any user notification.

SMS delivery by necessity involves paging the device, revealing its location at a finer level (base station instead of paging area).

So I wouldn't say silent SMS were designed as a spying tool, but they're one out of several ways to silently "ping" a phone and force it to communicate with the network without having to wait for it to cross location area boundaries, get or make a call etc.
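To make concrete what separates a Type 0 message (the original post), a flash SMS (the dongle comment), and the message-waiting indicators described in the comment just above, here is an added example that is not code from the thread or from any carrier: it parses an SMS-DELIVER PDU as a GSM modem hands it back and reads the two header octets that decide whether the user ever sees anything. The encodings are the standard ones from 3GPP TS 23.040 (TP-PID 0x40 = Short Message Type 0) and TS 23.038 (TP-DCS message class and message-waiting groups); the SMSC number, the originating short code 122 and the timestamp in the sample PDUs are constructed for this example.

```python
"""Decode the SMS-DELIVER header octets that decide whether a delivery is shown.

Added example, not from the thread or any carrier. TP-PID per 3GPP TS 23.040,
TP-DCS per TS 23.038. Sample PDUs are constructed; numbers are placeholders.
"""
from dataclasses import dataclass


@dataclass
class SmsDeliver:
    smsc: str
    originator: str
    pid: int
    dcs: int
    scts: bytes        # raw TP-SCTS, left undecoded here
    user_data: bytes   # raw TP-UD, left undecoded here


@dataclass
class Verdict:
    kind: str          # "type0", "mwi", "flash" or "normal"
    shows_text: bool   # does the user get a message body?
    detail: str


def _semi_octets(raw: bytes) -> str:
    """Decode nibble-swapped BCD digits; a 0xF high nibble is padding."""
    out = []
    for b in raw:
        out.append(str(b & 0x0F))
        if b >> 4 != 0x0F:
            out.append(str(b >> 4))
    return "".join(out)


def _address(toa: int, digits: bytes) -> str:
    prefix = "+" if (toa & 0x70) == 0x10 else ""   # type-of-number 001 = international
    return prefix + _semi_octets(digits)


def parse_sms_deliver(pdu_hex: str) -> SmsDeliver:
    """Parse an SMS-DELIVER PDU (the form returned over AT+CMT / AT+CMGR)."""
    buf = bytes.fromhex(pdu_hex)
    pos = 0
    smsc_len = buf[pos]; pos += 1
    smsc = ""
    if smsc_len:
        smsc = _address(buf[pos], buf[pos + 1:pos + smsc_len]); pos += smsc_len
    first_octet = buf[pos]; pos += 1
    if first_octet & 0x03 != 0x00:                   # TP-MTI 00 = SMS-DELIVER
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = buf[pos]; pos += 1
    oa_toa = buf[pos]; pos += 1
    oa_len = (oa_digits + 1) // 2
    originator = _address(oa_toa, buf[pos:pos + oa_len]); pos += oa_len
    pid, dcs = buf[pos], buf[pos + 1]; pos += 2
    scts = buf[pos:pos + 7]; pos += 7
    pos += 1                                          # TP-UDL; user data follows
    return SmsDeliver(smsc, originator, pid, dcs, scts, buf[pos:])


MWI_TYPES = {0: "voicemail", 1: "fax", 2: "email", 3: "other"}


def classify(pid: int, dcs: int) -> Verdict:
    # TP-PID 0x40: Short Message Type 0. The phone acknowledges it to the
    # network and discards it with no indication to the user.
    if pid == 0x40:
        return Verdict("type0", False, "Type 0: acked by the phone, then discarded")
    group = dcs >> 4
    if group in (0xC, 0xD, 0xE):
        # Message-waiting-indication groups: bit 3 sets (1) or clears (0) the
        # indicator, bits 1..0 pick which one. 0xC discards the message itself;
        # 0xD/0xE store it (GSM 7-bit / UCS-2 text).
        active = bool(dcs & 0x08)
        stored = group != 0xC
        return Verdict("mwi", stored,
                       f"{MWI_TYPES[dcs & 0x03]} indicator {'set' if active else 'cleared'}, "
                       f"message {'stored' if stored else 'discarded'}")
    # Class 0 ("flash"): general group with the class bit meaningful, or the
    # 0xF group; class 00 means display immediately and do not store.
    if (group <= 3 and dcs & 0x10 and (dcs & 0x03) == 0) or (group == 0xF and (dcs & 0x03) == 0):
        return Verdict("flash", True, "class 0: shown immediately, not stored")
    return Verdict("normal", True, "ordinary stored message")


def triage(pdu_hex: str) -> tuple:
    msg = parse_sms_deliver(pdu_hex)
    return msg, classify(msg.pid, msg.dcs)


# Constructed samples: SMSC +15551234567, originator short code 122, fixed timestamp.
_HDR = "07915155214365F7" "04" "03" "81" "21F2"
_SCTS = "42103291500000"
TYPE0_PDU = _HDR + "40" + "00" + _SCTS + "00"                 # PID 0x40, no user data
MWI_CLEAR_PDU = _HDR + "00" + "C0" + _SCTS + "00"             # DCS 0xC0: voicemail off, discard
FLASH_PDU = _HDR + "00" + "10" + _SCTS + "02" + "C834"        # DCS 0x10 class 0, "Hi" in packed GSM 7-bit

if __name__ == "__main__":
    for name, pdu in (("type0", TYPE0_PDU), ("mwi-clear", MWI_CLEAR_PDU), ("flash", FLASH_PDU)):
        msg, verdict = triage(pdu)
        print(f"{name:10} from {msg.originator:>13}  pid=0x{msg.pid:02x} dcs=0x{msg.dcs:02x}"
              f"  -> {verdict.kind}: {verdict.detail}")
```

The point the classifier makes visible: all three deliveries are paged and acknowledged by the phone in exactly the same way, so from the network's side they "ping" the device identically; only the header octets decide whether the user learns about it.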

Visual voicemail is where an app on your phone can show you a list of voicemails and you can click a button to play them, as opposed to you having to dial a number to access voicemail (the old "press 2 to hear the next message" stuff).
They're not privacy holes by design, but they're not privacy friendly by design either.

When these things were designed, privacy wasn't really a concern and wasn't really thought about in the way it is now. The assumptions were very different, it was assumed that only large and trusted companies could get on SS7 and those would play by the rules, or else face the wrath of the government. Now, a small carrier in a third-world country that routinely violates human rights can get that access.