The Problem with SMS

SMS has been around since 1992. It is a very familiar and convenient technology to use, so it is easy not to understand the dangers it may present from a cybersecurity perspective. Vodafone created the first text message in 1992, and sadly, it has not progressed much in terms of how it works since then. 

Mobile technology has improved exponentially since its inception; bandwidth, the number of connections made, and the fidelity of phone calls are all much better. But the underlying infrastructure used for SMS and the associated protocols have not moved on. 

One of the major problems with SMS is with the signalling protocol: SS7 

SS7 is the old standard on which 2G and 3G are based. Even though there has been massive progression with 4G, there are still vulnerabilities to consider, as is the case with most protocols. 4G, however, is not fixing or addressing the original issue with SMS. Which is that SMS always has to go back to the SS7 network. 

Even when an SMS originates from a 3G network and the receiver is on a 4G network, the message has to transverse through the 3G network before it ends up on the 4G network. Effectively using old technology. 

SS7 signalling protocol has been around since 1975, and it is archaic to say the least. Remarkably, we are still dependant on SS7 as a protocol. 

Why should we be concerned that we are still using it? 

The intention was never to open SS7 up to everyone. The consensus was that major telecoms companies would be the only ones with access to it. But in the meantime, access has been sold off, and SS7 has become more accessible. Since there is no locking mechanism to authenticate who the sender of an SMS is, abuse takes place. Messages are altered, and floodgates are open to allow anyone to join the SS7 network and abuse privileges. 

How could a malicious party take advantage of the low-security levels with SS7? 

As mentioned earlier, the intention was for SS7 to be a closed-off network. The technology was supposed to be very guarded and locked down. Only specific companies were supposed to have access to it. 

Spoofing is the most targeted malicious activity taking place. Spoofing is when you send a text message purporting to be someone else. SS7 does not provide the tools for authentication, and there is no verification that you are who you say you are. The ‘plain text’ aspect of SMS impacts confidentiality and opens the technology up for vulnerabilities. Networks do not check who the sender of the message is, which means that anyone can claim to send a message from any phone number and with any name.  

Imagine a scenario where your kids are traveling abroad, and you get a message with only their names. As attackers have access to what you post on your Facebook or social media pages, you are left vulnerable by what you say on public platforms. You could easily be exploited in this scenario when you are requested to send money, for example. 

Take the Royal Mail scam as another example – it was a very well-planned scam. They timed it with the delivery of actual parcels to people. You would receive an SMS where urgent action was required; you needed to pay a shipping fee and would suffer consequences if no payment was made. 

Spoofing is made worse by the fact that perpetrators can use the companies real phone number. Seeing the number on a text message is no guarantee of authenticity. The same goes for your bank. You can receive a message to click on a link and confirm a transaction, and there is no reason not to trust it.  

Are we trusting SMS more because so many institutions are using it? 

People incorrectly assume that SMS is authenticated when the message is sent via the trusted app. There are developments made concerning SMS over 5G and hopefully, that will make a difference. The signalling protocol, Diameter, has improved SMS a little over 4G. The problem is that 2G and 3G technology are still used, and SMS is backwardly compatible. If you send a message over 2G or 3G to a 4G network, you will still run into the same authentication problems. 

The issue always comes back to backward compatibility and ease of use. It is easy to develop a replacement service for SMS, but when the recipient of your message does not have a smartphone, SMS is the only way to go. To move forward, some of the technologies, like 3G, may have to be turned off. It will have to happen at some point, but the decision will be difficult. Like email, SMS is starting to die out. That is when phishing is going to become a lot harder. 

With television, analogue could be switched off, and the impact wasn’t that dire. But with SMS it is different. When television switched over to analogue, you were not putting your security at risk when you turned off the signal. But personal data is at risk by using SMS. 

How are the bad guys taking advantage of the vulnerabilities SIM Swopping holds? 

A lot of social engineering is involved in SIM Swopping. It requires an attacker to know the details of a specific target. The attacker would have to call up the network provider of the target, suggest they have lost their phone, and require a new SIM card to be sent out to a new address. Once the attacker receives the new SIM card, the old SIM card can be deactivated. The attacker can log in to a service, change passwords, and go through the 2-factor authentication process to gain full access to the service. 

You can even change your network provider by making use of text messaging. It is no longer required to call your provider to get a PUK number – you can merely make use of texting. If you, as an attacker, are quick enough and fast enough, you would be able to spoof a number and intercept a PUK code. The PUK code can be forwarded to another provider, and you can request to change network providers. 

Jack Dorsey’s Twitter account was hacked because of SIM Swop fraud. His service went down, and he assumed it was due to poor signal. Only once he rang up his network provider it was confirmed that another SIM card was added to his account. And the social engineers managed to hack his Twitter account. All thanks to the power of persuasion. All you need to do is put a bit of emotion and urgency into your plea, and it is astounding how people will react! 

Something similar happened with cryptocurrency, where high profile members of the public, with large stores of cryptocurrency, had their SMS manipulated for 2-factor authentication to allow hackers to get access to their digital wallets. These were the wallets on the actual exchanges themselves. When you transfer everything you have into a bitcoin wallet, generate a private key, and ensure that the key is stored in a safe place, security cannot be breached. Make sure that the private key is written down on a piece of paper, or stored in a cold storage wallet on a USB stick. Just make sure you don’t lose the USB stick!  

What is Denial of Service? 

In its basic form, denial of service is when you send a lot of data to congest a service. By using a free app and especially during the age of unlimited SMS bundles, you can send a multitude of texts to one person. The receiver’s phone will continue to process the messages coming through while the network starts queuing them because they cannot get delivered all at once. This creates an inordinate amount of congestion. 

It can be done in combination with spoofing and SIM swopping to ensure that the 2-factor authentication is intercepted so that the real recipient is left unaware. Your phone is not expecting thousands of text messages, and every time it is getting pinged, it is using huge amounts of processing power. When receiving thousands of pings at once, your phone becomes very inefficient, trying to keep up. If you were embarking on nefarious activities then the denial of service scenario could throw the victim off the scent completely. 

The reason why SMS remains popular is that it is ubiquitous. Every phone can send and receive SMS, it is easy to use, and it is cheap and familiar. It is understandable why convenience is prioritised over security.  

What is surprising is that no one is getting up to say that it is a terrible idea to use SMS for a secure messaging application. COVID test results are communicated via SMS! The SMS can easily be hacked to say that there was a mistake with your COVID test and that the results are different from what was previously communicated. Since the message comes from your hospital, there is no reason to question the data. 

What can be done to prevent being a victim of SMS crimes? 

Don’t use SMS! Rather use multi-factor authentication apps. They are really easy to set up, and it keeps all your authentication codes in one place. Signal and WhatsApp are also options as it offers end-to-end encryption security. 

Don’t trust the phone number that you receive an SMS from. Before you respond to any SMS, phone the organisation to ask if they sent the message. Especially if they require you to perform an action, which you may be uncomfortable with. The crux of the matter is – avoid SMS at all costs. 

Please note: The following article has been transcribed and summarised from our podcast of the same title.