Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Communications AT&T Verizon IT Technology

SMS Replacement is Exposing Users To Text, Call Interception Thanks To Sloppy Telecos (vice.com) 32

Posted by msmash from the security-woes dept.
A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. From a report: The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS. "I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call.

SRLabs researchers Luca Melette and Sina Yazdanmehr will present their RCS findings at the upcoming Black Hat Europe conference in December, and discussed some of their work at security conference DeepSec on Friday. RCS is a relatively new standard for carrier messaging and includes more features than SMS, such as photos, group chats, and file transfers. Back in 2015, Google announced it would be adopting RCS to move users away from SMS, and that it had acquired a company called Jibe Mobile to help with the transition. RCS essentially runs as an app on your phone that logs into a service with a username and password, Nohl explained.
This discussion has been archived. No new comments can be posted.

SMS Replacement is Exposing Users To Text, Call Interception Thanks To Sloppy Telecos More

SMS Replacement is Exposing Users To Text, Call Interception Thanks To Sloppy Telecos

Comments Filter:

  • This would have never happened... (Score:2, Funny)

    by Anonymous Coward

    ...if they had just used iMessage.

    • ...if they had just used iMessage.

      Or SMS -- I hear it's pretty good for texting.

    • Re: (Score:3)

      by jimbo ( 1370 )

      It almost happened. In the early days Apple approached carriers to give them iMessage. Forstall explained that "carriers refused to adopt a standardized iMessage version which had the potential to work across platforms and carriers."

      Scott: "We approached the carriers to pursue adding features to the existing texting systems and removing the additional customer costs. For various reasons, from the difficulty of extending the existing standards to challenges with interoperability between texting systems and c

  • If Karsten Nohl talks about your protocol (Score:3, Informative)

    by Just Quidding ( 6420970 ) on Friday November 29, 2019 @05:27PM (#59469584)
    then you know you fucked up big time.

  • I am also concerned about sloppy eddittors.

  • Probably Insecure By Design (Score:3)

    by dryriver ( 1010635 ) on Friday November 29, 2019 @05:43PM (#59469618)
    In the 21st Century, everything you can buy with money "leaks" your data to certain "power centres". Not a big surprise that the Telcos fuck up SMS 2.0 in the same way.

    • Re: (Score:2)

      by PPH ( 736903 )

      everything you can buy with money "leaks" your data to certain "power centres"

      Cash. The only recognizable face in the transaction is Ben Franklin.

  • Surprised? (Score:1)

    by Anonymous Coward

    "I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call.

    I'm not. Chip-and-PIN was proved weak and broken for nearly ten years in Europe before banks rolled it out to USA and the rest of the world. Companies are there to make profit for their shareholders. Security (or lack thereof) is just a cost of doing business.

    • Re:Surprised? (Score:4, Informative)

      by Pinky's Brain ( 1158667 ) on Friday November 29, 2019 @07:06PM (#59469726)

      To truly break chip and pin you'd have to be able to clone a card (the chip, not just the credit card number or the magnetic stripe) or get the pin from a stolen card. Which no one has done.

      That MITM attacks at the terminal can read the pin, credit card number or change the transaction ... well DUH. No proof needed, that's a priori knowledge. That you could fake a pin bypass transaction without compromising the terminal was a bit sloppy, but pin bypass transactions are highly suspect to begin with and that banks should have been checking them far more carefully. This was partly on the design of the terminals, but had much more to do with bank decisions on how much security to demand from transactions.

      • Re: (Score:2)

        by Rakhar ( 2731433 )

        Here in the US it's so broken that you don't have to clone the chip. Chips wear out so reliably fast that the card readers will let you default to the magnetic strip after a few failed readings. This lets people clone the magnetic strip alone, which they've been doing for years.

        Also you can bypass the PIN simply by using credit instead of debit, negating any security the PIN offered if someone gets your physical card. On paper chip cards are great, but here they've bent over backwards to make them idiot-fri

        • Chips wear out so reliably fast

          Really? I've yet to see a broken chip. There were some (a lot) of problems because of a software bug in 2010 (the software was thinking is 2016 or something) but other than that the only way to break one is to cut it in half or microwave it as far as I know. And now with the contactless options I highly doubt this can be a concern.

          On the other hand I hate that not many banks are even offering the option to disable the mag-stripe (never mind to make it even disabled by default

          • Re: (Score:2)

            by Rakhar ( 2731433 )

            Contactless would fix that problem, but only if they ditch the mag strip. I run a register, and people that use their card a lot will literally wear the contact point down. You can see the wear. This is the age of never having cash, so I'm sure some of those cards are used 10 times a day easy.

    • Chip and PIN would at least set the barrier higher than what we have now in the US. Right now, all it takes is snarfing someone's card, and a fraudster can make transactions. Capture the CVV code, card-present transactions. No, it isn't 100%, but we are talking about better than nothing.

      At least more and more places are accepting Apple Pay. I'm no Apple fan, but the fact that Apple Pay has not had any significant (or even suspected) breaches gives good faith in that technology. At a gas pump, it takes

  • "Rich" (Score:5, Insightful)

    by Malays Boweman ( 5369355 ) on Friday November 29, 2019 @07:12PM (#59469732)
    Often a code word for bloated, buggy and vulnerable.

  • So when the internet (data) dies (Score:3)

    by Malays Boweman ( 5369355 ) on Friday November 29, 2019 @07:16PM (#59469742)
    You won't get any messages. Neat. One of the biggest advantages of SMS is that it didn't rely on the 'data' part of your cell phone service.

    • Re: (Score:1)

      by Anonymous Coward

      "You won't get any messages. Neat. One of the biggest advantages of SMS is that it didn't rely on the 'data' part of your cell phone service."

      Teens nowadays use data only sim cards. They don't call anybody ever.

    • AFAICT T-Mobile doesn't use the "phone" part of your cell phone service either - their phones now run VOLTE unless you still use a Windows Phone that only works on the original 4G bands. So even making calls is using data. On the plus side, without me asking, they've upgraded my Metro service from 2GB of data to 10GB of data, for the same price, over the last 2-3 years.

      • Re: (Score:3)

        by SeaFox ( 739806 )

        AFAICT T-Mobile doesn't use the "phone" part of your cell phone service either - their phones now run VOLTE unless you still use a Windows Phone that only works on the original 4G bands.

        [citation needed]

      • My "2G" flip-phone still works fine on T-Mobile and I do not have data as part of my plan at all. $3 a month prepaid ftw.

    • In 4G there's ONLY data. Everything including SMS and voice goes over IP. There are already 4G-only providers and some big ones (worldwide).

  • Epic failure by design (Score:3, Informative)

    by Anonymous Coward on Friday November 29, 2019 @07:42PM (#59469822)

    One random bit I stumbled upon from RCS version 11 manual dated October 2019 that summed it up for me: "IMS AKA with IPsec is the preferred long-term approach in IMS for access signaling security from a cellular PS network."

    Translation: No security is the preferred long-term approach.

    In Internet land people freak out if you run a TLS server with marginally secure cipher suites no browser released this decade would ever use.

    In mobile land you get an Atta boy when you go the extra mile and do the equivalent of running a server loaded with nothing but export quality ciphers.

  • I was just thinking that Slashdot needed more astroturfing. And here it is!

    • "I was just thinking that Slashdot needed more astroturfing. And here it is!"

      Are you by any chance THE Bruce Dickinson?

  • I have a "smart" phone because texting on a flip-phone is too much work. However, I have no data plan (blocked on both the phone and the carrier). I rarely use WiFi (home is wired).

    If the carriers ever shut off SMS messaging or refuse to have an RCS to/from SMS gateway, then I stop texting.

Slashdot Top Deals

If you want to put yourself on the map, publish your own map.

Close