Phreaking with Class0 and MWI in 2021

Couldn’t think of a nice title. There used to be this thing I used to do back in 2007-2010, which was sending Class0 and Message Waiting Indicator (MWI) messages to friends using a pretty funny setup. For reasons, I won’t reveal how I send these non-standard messages. More than 10 years later, I decided to experiment and see how far mobile operating systems have come in handling these potentially dangerous messages.

Introduction

Class0 messages are also known as Flash Messages. They’re meant to popup on the screen of your phone, usually occupying full screen or at least a large part of it. Generally, Class0 messages are used to relay emergency or carrier messages, but have also been known to used for phishing or spam messages.

MWI messages, specifically, Voicemail MWI, are what carriers use to tell your phone you have a voicemail. The carrier is supposed to send an activation message when a voicemail is received, prompting the phone to receive a notification to check their voicemail. If the voicemail is deleted or heard, a deactivation message is sent to remove the notification. In this day, who really has a voicemail though? What if one is sent an activation message when there is no voicemail to check?

Class0 Messages on iOS

Class0 Message on iPhone 4S running iOS 8.4.1

This has come a long way, actually. In the past, Class0 messages took up the entire screen and left nothing but a dismiss button. There’s no way to tell who sent the message, so this was actually a pretty good spam/prank target. You can read my anecdote on this in a section below.

Class0 Message on iPhone 4S running iOS 9.3.6, with description from “Why did I receive this message?”
Class0 Message on iPhone 12 Pro Max running iOS 14.7.1, with description from “Why did I receive this message?”

Apple has corrected the UI starting from iOS 9 and now includes a button that displays more information on what a Class0 message is, and that’s pretty much enough to warn users being targeted by phishing or scam messages. However, sending a Class0 message to iOS still does not leave a trace of the message under the Messages app, and does not display the sender’s phone number.

Class0 Message intercepted by locked iOS 14 and converted into a normal message notification

That being said, starting from iOS 14, it seems that if the device is locked and it receives a Class0 message, it will be sent to Messages and displayed as a normal text message. This also means that when the iOS device is attached to an Apple Watch and locked, the Class0 message will be shown as a normal text message on the watch notifications, complete with the sender’s phone number. Thus, this is no longer a reliable way to deliver anonymous Class0 messages unless you can predict if the person has the phone unlocked!

Class0 Messages on Android

Class0 Message on Samsung Galaxy S20+ running Android 11 (left), and HTC Sensation XL running Android 4.0.3 (right)

This hasn’t changed much. There has never been much success in creating the same anonymous level of messaging someone when they’re using an Android device. While Android displays the message as a pop-up, the phone number is outright shown in later versions of Android, and the option is given to save the message as a normal text message thereby revealing the number in all versions.

Class0 Messages on Other Devices

Class0 Messages on HTC HD7 running Windows Phone 7 (left), Nokia Lumia 1020 running Windows Phone 8 (middle), and Microsoft Lumia 950XL running Windows 10 Mobile (right)

Actually, the only “other” devices I have are my old Windows Phone devices. Surprisingly still work. I vaguely remember Windows Phone 7 displaying Class0 messages as coming from “Network Administrator”, but I couldn’t replicate it. Across Windows Mobile 6, Windows Phone 7 and 8, and Windows 10 Mobile, Class0 Message consistently displayed as a pop-up but with an option to save the message and fully displaying the sender’s number.

Class0 Message on a HTC HD2 running Windows Mobile 6.5

Message Waiting Indicator – Voicemail Activate

This is a fun one. Sending a MWI Voicemail Activate to someone who doesn’t have a voicemail results in a voicemail notification and a badge notification over Phone / Voicemail. Users can’t get rid of this notification because the carrier never sends a signal to clear it! The only way to fix this is to send a MWI Voicemail Deactivate from the attacker (or well, reset the phone).

MWI Voicemail Activated on iPhone 12 Pro Max running iOS 14.7.1 with stuck badge notifications in Home Screen and Phone app (left), Samsung Galaxy S20+ running Android 11 with stuck notification (middle), and Microsoft Lumia 950XL running Windows 10 Mobile with stuck live tile and nag in Phone app (right)

The best part is this pretty much affects every phone out there. That’s every phone from Windows Mobile 6, Windows Phone 7 and 8, Windows 10 Mobile, iOS, Android, and probably BlackBerry etc. The manifestation of the voicemail nag is different across operating systems, ranging from just an additional icon (on Windows), to a very annoying badge notification (on iOS), to an extremely annoying stuck toast notification (on Android).

Another Interesting Attack – Type0

This absolutely still works today. A Type0 message can be used to ping a number to see if it is currently connected to the network. A receipt is sent to the attacker when the target device receives the message, and nothing is displayed to the user. This is reportedly used by law enforcement to this day, as detailed in this 2021 article here.

Anecdotes from the Past – Error E74

Back in school there was this kid who always had the latest iPhone. This as all the way back in 2010, so this would probably have been the iPhone 4. That was a pretty big deal at the time. Anyway, he was going around bragging about it. I had a HTC Touch Pro2 at the time, minding my own business along the corridor when he walked past me, points at my phone and goes “whatever that can do, the iPhone can do”. I didn’t even know who he was.

So I did some quick digging, found his class, got his number, and started sending him Class0 messages daily. They read, “iPhone Error E74 – Kernel Error – Please contact Apple Support”. I sent this daily, without fail, over the course of 1.5 years till the day we graduated. From a distance, I’d watch him get the message and shake his head in frustration. He was also part of the photography club, so during school sports events when I was in the stands and he was running around taking photos, I’d send the message and my friends and I would have a good laugh at him fuming when he checked his phone.

One year in, I approached him before school started and asked if he’s using an iPhone, because I “just got one and I keep getting an error E74”. He told me that I must have jailbroken the phone wrong and to do it again. Finally, on graduation day, I sent him separate Class0 messages in succession: “You”, “Have”, “Been”, “PUNKED”. An excellent end to one of my most dedicated (and very childish, in hindsight) pranks. Last I heard, he moved to Android.

By the way, the error message was complete nonsense. I took the “E74” code from the famous Xbox 360 Red Ring of Death.

Anecdotes from the Past – Annoying Voicemail

Another classmate suffered for about 2 hours trying to figure out how to get rid of a voicemail that wouldn’t go away. I sat next to him during a lecture watching him Google and try a lot of different things before I started to feel a little bad and broke it to him. To this day this remains one of my bigger regrets, because I should have let him squirm a little bit more. We’re best friends.

Today’s Issues

Of course, no one sends these messages for scam/phishing/ad purposes these days, especially in Singapore. Actually, I’ve never seen it used in Singapore for illegal reasons. Today, the biggest problems are always with scam calls masquerading as local phone numbers with +65 added at the front, even the local police with +65 999.

Spoofed bank message

To a lesser extent, it is also really easy (not that I’d say how) to send messages that impersonate an official service, such as a local bank notification to someone saying a fund transfer has completed. I suppose this is used less because there are less viable use cases and unless a link is set up, there’s no way for the user to reply that text message. A call on the other hand can keep the person on the line if they get hooked.

Hope this was an interesting read. Please don’t use any of this information for evil and of course, don’t do anything I wouldn’t.