
SANS Internet Storm Center Stormcast: SMS Gateway Attacks and Apple AirPlay Vulnerabilities
In the April 30, 2025 edition of the SANS Internet Storm Center Stormcast, Johannes Ullrich, recording from Jacksonville, Florida, covers attacks against SMS gateways and related tools. He begins by recalling his previous discussions of attacks against Teltonika Networks gateways, standalone devices used to send SMS programmatically. However, most users prefer APIs like Twilio for sending SMS. Ullrich examines logs to identify other attack methods against these SMS gateways. He notes several techniques, including attempts to detect WordPress plugins dedicated to sending SMS. These plugins are often targeted by attacks aiming to exploit their vulnerabilities. He also mentions scans for SMS API configuration files, such as .env files containing credentials. Twilio is mentioned in particular because of its popularity. Ullrich also talks about unique tools like SMS pycript and SMS_bomber.exe, the latter designed to quickly send SMS via multiple APIs and proxies. He emphasizes the importance of protecting credentials to avoid high bills and a reputation for spam or fraud.

The video also addresses the 23 vulnerabilities discovered in Apple's AirPlay, a protocol for streaming audio and video over the local network. Although these vulnerabilities have been patched, they highlight the risks associated with pre-authentication and the attack surface of the protocol. Attack types include remote code execution without user interaction, vulnerabilities in AirPlay speakers and receivers, and flaws in CarPlay devices exploitable via Bluetooth and USB. Ullrich advises checking AirPlay settings on Apple devices, particularly in AirDrop and Handoff settings, to limit access to current users or to disable AirPlay completely. He concludes by reminding viewers of the importance of updating systems to protect against these vulnerabilities.

For more details, watch the full video: https://www.youtube.com/watch?v=KkwGyv7MDNg
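
The scans for SMS plugins, .env credential files and SMS tools described above can be found in a web server's own access logs. The following is an added example, not code from the Stormcast or the Internet Storm Center: the log lines, the plugin name `example-sms-plugin`, the request paths and the matching rules are all constructed assumptions, and only the name `SMS_bomber.exe` comes from the summary.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Apr/2025:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.10 - - [30/Apr/2025:10:00:02 +0000] "GET /twilio/.env HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.10 - - [30/Apr/2025:10:00:03 +0000] "GET /wp-content/plugins/example-sms-plugin/readme.txt HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.7 - - [30/Apr/2025:10:01:00 +0000] "GET /SMS_bomber.exe HTTP/1.1" 404 153 "-" "-"
198.51.100.7 - - [30/Apr/2025:10:01:05 +0000] "GET /api/.env.production HTTP/1.1" 200 812 "-" "-"
203.0.113.5 - - [30/Apr/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Apr/2025:10:02:01 +0000] "GET /blog/environment-news HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

# Assumed detection rules, one per probe type named in the summary.
# Tune them to the plugins and SMS providers actually deployed.
RULES = {
    "env_file": re.compile(r"(?:^|/)\.env(?:\.[\w.-]+)?$", re.I),
    "wp_sms_plugin": re.compile(r"/wp-content/plugins/[^/]*sms[^/]*/", re.I),
    "sms_tool": re.compile(r"/sms[_-]?bomber[^/]*$", re.I),
}

def scan(log_text):
    """Return {source_ip: [(rule, path, served), ...]} for matching requests."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # Drop the query string and decode %xx so "/%2eenv" is still matched.
        path = unquote(urlsplit(target).path)
        for name, rule in RULES.items():
            if rule.search(path):
                findings[ip].append((name, path, status == 200))
    return dict(findings)

def exposed_env_files(findings):
    """Probes for .env files answered with 200: review and rotate credentials."""
    return sorted((ip, path) for ip, hits in findings.items()
                  for name, path, served in hits if name == "env_file" and served)

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    print(results)
    print("Possibly exposed:", exposed_env_files(results))
```

A 200 response to an .env request is the case that matters most for the billing and reputation risk mentioned above: treat any credentials in that file as exposed until the response body has been checked.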