SMS Replacement is Exposing Users To Text, Call Interception Thanks To Sloppy Telecos (vice.com)
A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. From a report: The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS. "I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call.
SRLabs researchers Luca Melette and Sina Yazdanmehr will present their RCS findings at the upcoming Black Hat Europe conference in December, and discussed some of their work at security conference DeepSec on Friday. RCS is a relatively new standard for carrier messaging and includes more features than SMS, such as photos, group chats, and file transfers. Back in 2015, Google announced it would be adopting RCS to move users away from SMS, and that it had acquired a company called Jibe Mobile to help with the transition. RCS essentially runs as an app on your phone that logs into a service with a username and password, Nohl explained.
This would have never happened... (Score:2, Funny)
...if they had just used iMessage.
Re: (Score:3)
...if they had just used iMessage.
Or SMS -- I hear it's pretty good for texting.
SMS is too regulated to be monetized well (Score:5, Informative)
See:
https://citygro.com/text-and-e... [citygro.com]
Prior Express Written Consent ... Auto Opt-Out Mechanism ... Text Message Content ... Appropriate Texting Times ... Privacy Policy
They don't get to re-write their privacy policies to state "we can sell this to Google, Facebook, DHS, ICE, and China".
Re: (Score:3)
It almost happened. In the early days Apple approached carriers to give them iMessage. Forstall explained that "carriers refused to adopt a standardized iMessage version which had the potential to work across platforms and carriers."
Scott: "We approached the carriers to pursue adding features to the existing texting systems and removing the additional customer costs. For various reasons, from the difficulty of extending the existing standards to challenges with interoperability between texting systems and c
Re: (Score:2)
This is a feature, not a bug.
Is that you, Lennart [wikipedia.org]? :-)
Re: (Score:2)
If Karsten Nohl talks about your protocol (Score:3, Informative)
Lol true! (Score:2)
Any email from Karsten Nohl is going to have me scared.
Sloppy Telecos (Score:2)
I am also concerned about sloppy eddittors.
Re: (Score:3)
Maybe egg on my own face? The original article uses telecos as well instead of telcos.
Probably Insecure By Design (Score:3)
Re: (Score:2)
everything you can buy with money "leaks" your data to certain "power centres"
Cash. The only recognizable face in the transaction is Ben Franklin.
Surprised? (Score:1)
"I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call.
I'm not. Chip-and-PIN was proved weak and broken for nearly ten years in Europe before banks rolled it out to USA and the rest of the world. Companies are there to make profit for their shareholders. Security (or lack thereof) is just a cost of doing business.
Re:Surprised? (Score:4, Informative)
To truly break chip and pin you'd have to be able to clone a card (the chip, not just the credit card number or the magnetic stripe) or get the pin from a stolen card. Which no one has done.
That MITM attacks at the terminal can read the PIN, credit card number or change the transaction ... well DUH. No proof needed, that's a priori knowledge. That you could fake a PIN bypass transaction without compromising the terminal was a bit sloppy, but PIN bypass transactions are highly suspect to begin with and banks should have been checking them far more carefully. This was partly on the design of the terminals, but had much more to do with bank decisions on how much security to demand from transactions.
Re: (Score:2)
Here in the US it's so broken that you don't have to clone the chip. Chips wear out so reliably fast that the card readers will let you default to the magnetic strip after a few failed readings. This lets people clone the magnetic strip alone, which they've been doing for years.
Also you can bypass the PIN simply by using credit instead of debit, negating any security the PIN offered if someone gets your physical card. On paper chip cards are great, but here they've bent over backwards to make them idiot-fri
Re: (Score:2)
Really? I've yet to see a broken chip. There were some (a lot) of problems because of a software bug in 2010 (the software was thinking it was 2016 or something) but other than that the only way to break one is to cut it in half or microwave it as far as I know. And now with the contactless options I highly doubt this can be a concern.
On the other hand I hate that not many banks are even offering the option to disable the mag-stripe (never mind to make it even disabled by default
Re: (Score:2)
Contactless would fix that problem, but only if they ditch the mag strip. I run a register, and people that use their card a lot will literally wear the contact point down. You can see the wear. This is the age of never having cash, so I'm sure some of those cards are used 10 times a day easy.
Re: (Score:2)
Chip and PIN would at least set the barrier higher than what we have now in the US. Right now, all it takes is snarfing someone's card, and a fraudster can make transactions. Capture the CVV code, card-present transactions. No, it isn't 100%, but we are talking about better than nothing.
At least more and more places are accepting Apple Pay. I'm no Apple fan, but the fact that Apple Pay has not had any significant (or even suspected) breaches gives good faith in that technology. At a gas pump, it takes
"Rich" (Score:5, Insightful)
So when the internet (data) dies (Score:3)
Re: (Score:1)
"You won't get any messages. Neat. One of the biggest advantages of SMS is that it didn't rely on the 'data' part of your cell phone service."
Teens nowadays use data only sim cards. They don't call anybody ever.
Re: (Score:1)
AFAICT T-Mobile doesn't use the "phone" part of your cell phone service either - their phones now run VoLTE unless you still use a Windows Phone that only works on the original 4G bands. So even making calls is using data. On the plus side, without me asking, they've upgraded my Metro service from 2GB of data to 10GB of data, for the same price, over the last 2-3 years.
Re: (Score:3)
AFAICT T-Mobile doesn't use the "phone" part of your cell phone service either - their phones now run VoLTE unless you still use a Windows Phone that only works on the original 4G bands.
[citation needed]
funny (Score:2)
Re: (Score:2)
In 4G there's ONLY data. Everything including SMS and voice goes over IP. There are already 4G-only providers and some big ones (worldwide).
Epic failure by design (Score:3, Informative)
One random bit I stumbled upon from RCS version 11 manual dated October 2019 that summed it up for me: "IMS AKA with IPsec is the preferred long-term approach in IMS for access signaling security from a cellular PS network."
Translation: No security is the preferred long-term approach.
In Internet land people freak out if you run a TLS server with marginally secure cipher suites no browser released this decade would ever use.
In mobile land you get an Atta boy when you go the extra mile and do the equivalent of running a server loaded with nothing but export quality ciphers.
Oh, good (Score:2)
I was just thinking that Slashdot needed more astroturfing. And here it is!
Re: (Score:2)
"I was just thinking that Slashdot needed more astroturfing. And here it is!"
Are you by any chance THE Bruce Dickinson?
won't work on my phone (Score:2)
I have a "smart" phone because texting on a flip-phone is too much work. However, I have no data plan (blocked on both the phone and the carrier). I rarely use WiFi (home is wired).
If the carriers ever shut off SMS messaging or refuse to have an RCS to/from SMS gateway, then I stop texting.