From Newsgroup: comp.misc
This SMS gateway box has a lot of legitimate users, facilitating
communication with all kinds of remote industrial equipment over the
cellular network <
https://arstechnica.com/security/2025/10/that-annoying-sms-phish-you-just-got-may-have-come-from-a-box-like-this/>.
However, it also has a few security flaws. And various of the treacherous-miscreant persuasion have been exploiting those flaws to
turn some of these boxes into sources of unwanted SMS fraudulent spam
phishing attacks -- rCLsmishingrCY, in short.
This part is slightly puzzling, though:
While the password was encrypted, the file also included the
secret encryption key used and an IV (initialization vector),
allowing an attacker to obtain the plaintext password and then
gain full administrative access.
An IV cannot be kept confidential. It is a random quantity used to
initialize the encryption/decryption algorithm, so it obviously cannot
be encrypted to begin with. Nevertheless, its use does improve the
security of the encryption, because it avoids the situation where the
same plaintext repeated twice gives rise to the same encrypted
bitstream, making it easier for an attacker to spot patterns in the
message.
--- Synchronet 3.21a-Linux NewsLink 1.2