German expert's statement on SMS sender identification in Amphon's case

Poonsuk Poonsukcharoen, lawyer for Amphon Tangnoppakul, has published a letter from an expert on telecommunication technology in Germany on her Facebook page.  The letter was intended to be used in the Appeals Court before the appeal was withdrawn.


SR Security Research Labs GmbH   Veteranenstr 25   10119 Berlin

Cross Cultural Foundation (CrCF)
111 Soi Sitthichon Samsennork Huaykhwang
Bangkok 10310

Dr. Karsten Nohl
Chief Scientist

Berlin, January 30th 2012

Expert statement on SMS sender identification

To whom it may concern:

Security Research Labs is a risk management think tank in Berlin, Germany that advises European telecommunication network operators and governments in mitigating risks arising from cell phone technology.

We were asked to provide a subject matter expert opinion on the reliability of mobile phones identifiers used in determining the sender of an SMS message.

The attached statement was prepared based on extensive knowledge of GSM standard, the operation of GSM networks in general, and measurements of the GSM networks in Bangkok, Thailand in particular. The statement reflects the current state of GSM security research and was prepared to the best of our knowledge.

Best Regards,

Dr. Karsten Nohl


Expert statement on SMS sender identification

This statement discusses the question of whether a mobile phone sending a text message can be identified reliably based on data records in the phone network. This question is to be investigated for the dtac GSM network in Bangkok, Thailand.

Question 1: Does an SMS identify a phone (IMEI)?

An SMS transaction contains multiple small data packets exchanged between a phone and the radio network. These packets negotiate encryption, establish the transaction type, and exchange data. One example SMS transition on the dtac network included 107 packets.

Phones are identified by their IMEI numbers, which act as serial numbers.

One packet, called the “Cipher Mode Command”, can ask the phone to send its IMEI number in the next packet. However, the dtac network does not use this option in SMS transactions as shown in Figure 1. This was verified at multiple locations in Thailand.

No other message in an SMS transaction can include the IMEI number.

Answer 1: An SMS transaction on the dtac network does not identify a phone (IMEI).

[See images below]

Figure 1. Partial trace of an SMS transaction on the dtac network in Bangkok, Thailand. The “Ciphering Mode Command” message does not ask the phone to send its IMEI number.


Question 2: How does the dtac network assign an IMEI to an SMS transaction?

The mobile network and phones execute different types of transactions including SMS messages and voice calls. The only type of transaction on the dtac network that include the IMEI number are “Location Update” transactions. These transactions are done when the phone is switched on, when it changes location significantly (ie, to a different part of a city), and also periodically.

The phone identity included in a dtac SMS record most likely is copied from the most recent “Location Update” the network observed for a given subscriber account.

Answer 2: The IMEI is most likely copied from an older transaction into the dtac SMS record.

Question 3: How does the dtac network assign a location to an SMS transaction?

Answer 3: The possibility exists that the location is copied from an older transaction into the dtac SMS record. Further information from dtac is needed for a conclusive answer.


Question 4:  Can an SMS message be sent without a phone?

Answer 4: SMS messages can be sent from the Internet with arbitrary spoofed sender numbers. If the dtac network creates delivery records for such transactions, it would likely include the IMEI number of the most recent “Location Update” message from the spoofed phone number. Further information from dtac is needed for a conclusive answer.


Question 5: Can individuals observe IMEI numbers on the GSM network?

“Location Update” transactions that include a phone’s IMEI number are sent encrypted over the air. The GSM standard uses outdated security that can be broken within seconds.

Software that has been available on the Internet since 2008 can be used to break the encryption of a “Location Update” message in less than one minute on a standard computer.

Since the release of the software, it has been installed in hundreds of locations around the world. Engineering students take less than one week to create a functioning intercept and decryption setup.

Answer 5: Technologically-savy individuals can extract IMEI numbers from GSM messages.


Question 6: Can SMS be sent from a phone using somebody else’s identify?

The IMEI number on almost all phones can be changed using widely available software.

Answer 6: An individual can easily change the IMEI of his/her phone to the IMEI of somebody else’s phone.



The dtac SMS transaction records are not reliable in identifying a phone as the emitter of an SMS message. At least two possibilities exits where the data diverts from reality:

  • SMS injected into the phone network from the Internet or SS7 network may be falsely linked to a “Location Update” message of somebody else’s phone
  • Phone identities can be changed to the phone of somebody else in the same part of a city after observing a transaction of the other phone with the GSM network which requires only readily available hardware and software