What is AT&T doing at 1111340002?
Welcome to the magical world of proactive SIMs.
From time to time, an attorney will request cellphone activity records from a mobile operator, and those records will show some text messages to and from strange numbers. There is a good chance that the person who uses the phone never sent or saw these messages. And if this happens in the middle of a legal case where cellphone activity is an issue, the resulting confusion can be a source of doubt and error.
In the Spring of 2021, an attorney contacted me about a mysterious SMS to 1111340002, at the center of a wrongful death lawsuit, with allegations of distracted driving. Here is what I found…
TL; DR: The driver’s AT&T SIM sent an SMS to 1111340002 to report that the phone had installed an automatic software update. The SMS event had nothing to do with any specific actions by the driver. It took some lab work and a subpoena to AT&T to sort this out.
The SIM used for this investigation is the one in the photo. It was issued by AT&T, probably in 2015.
The tools used for this investigation are well known in the mobile network security research community, and all based on open source designs that can be verified by other parties:
- YateBTS, based on OpenBTS, used to simulate a cellular network.
- SimTrace2, a tool for monitoring communication between the SIM and the phone.
- Wireshark, a protocol analyzer that can decode the outputs of YateBTS and SimTrace2.
I also used a variety of phones, from Nokia, Samsung, and others.
With this test bench, I could simulate a cellular network and then record examples of the phones sending the SMS to 1111340002.
And, for the record, the actual test bench was located in Romania. This was convenient because it meant that I never had the risk of the SIM contacting the real AT&T network and getting disabled by AT&T, or the risk of handsets in the room accidentally trying to attach to my fake AT&T cell site.