Massive SMS Flaw Gives An Attacker Full Access To Your Accounts For $16
from the whoops-a-daisy dept
So last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet's security and privacy issues. In part because TikTok wasn't doing anything that wasn't being done by thousands of other companies in a country that can't be bothered to pass even a basic privacy law for the internet. Also, any real security and privacy solutions need to take a much broader view.
For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation's telecom networks, whether we're talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.
Point being, hysteria over the potential threat of a Chinese app packed with dancing tweens trumped any real concerns about widespread, long-standing security vulnerabilities and privacy issues, particularly in telecom. This week this apathy was once again on display after reporters found that a gaping flaw in the SMS standard lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages. All for around $16:
"I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.
Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16."
Carriers told the reporter they couldn't replicate the problem and that they'd done their best to lock it down (not that there's any level of transparency or regulatory accountability that would let somebody verify that claim). The hackers involved disagree. This wasn't a SIM hijack, another problem we really haven't done enough about. In this case, the hacker used a service from a company dubbed Sakari, which sells SMS marketing and mass messaging services, to reroute the reporter's messages to them. With little in the way of serious screening of more nefarious users, apparently.
That in turn opens the door to having all your online accounts compromised, all without the target being any the wiser. It's a relatively trivial attack to accomplish, and exposes a general lack of any meaningful authentication process to ensure it isn't exploited by bad actors. As an aside, there's a tool you can now use to confirm whether your text messages have been compromised. Meanwhile, security researchers warn that there are so many SMS vulnerabilities now, it's time to stop using SMS for sensitive security purposes.
Meanwhile, the failure by regulators and industry to police and prevent the flaw also (once again) showcases how Ajit Pai's decision to turn the FCC into a mindless rubber stamp for industry had a much broader impact than just killing net neutrality, says Senator Ron Wyden:
"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack."
While everybody professes to be concerned about internet security and privacy, we're routinely only paying lip service to the concept. The internet of things is seen more as something funny than a massive security and privacy headache. The Trump TikTok hysteria saw more press and national attention than any of a laundry list of more problematic telecom flaws. Having a basic privacy law for an era in which there are a dozen major hacks, breaches, or data leaks every week is treated as something that's optional. As is functional, basic regulatory oversight at agencies like the FCC.
Most modern security and privacy problems require holistic, collaborative efforts between government, the media, industry, and activists. Instead, more often than not, knee jerk clickbait hysteria has us routinely distracted from much broader problems we seem intent on doing little too little to address.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
"As an aside, there's a tool you can now use to confirm whether your text messages have been compromised."
Has anyone vetted the tool?
[ link to this | view in thread ]
Re:
You must be referencing this: https://okeymonitor.com/
Haven't vetted it, but seriously looking into trying it out. How it works sounds interesting since it supposedly just snapshots your config in the SMS system and throws a notification to alternate means if that config changes.
[ link to this | view in thread ]
Re:
Read the article linked after the Okey link.
[ link to this | view in thread ]
Best securtiy
That I have ever seen, was NONE.
It makes it easy to monitor or worry about. Find another way to have privacy if you need it.
Like a 2nd program that Does its OWN encoding, rather then depending on 1 created LONG ago.
[ link to this | view in thread ]
Anyone have Ajit Pai's number?
Obviously a joke...
Would be funny though...
[ link to this | view in thread ]
Oh look, my shocked face.
We never see my shocked face.
[ link to this | view in thread ]
You know what's really dumb about this? Banks are one of the groups guilty of misusing SMS for second-factor authentication, when they've already given most of their customers a (reasonably) secure computer that's perfect for it: a debit/credit smartcard. They just need to get phones talking to the cards over NFC, and provide USB card readers for those with computers and no smartphones ($12 retail, surely less than $5 in bulk); or use cards with embedded LCD displays that can show temporary numeric codes (such cards do exist).
When they started putting chips in their cards, I fully expected this. If they were smart, they might even stick like 16 TOTP keys on there, and let people use their online banking interfaces to connect third-party services to this 2FA—collecting a small one-time fee from the operator.
[ link to this | view in thread ]
Re:
Hmmm... with the amount of known cloning and other compromises with cards and the fact that your system means that anyone needing their card blocked or replaced would lose access to all online banking functions and well as many in person ones, I don't think that's a great idea.
The better solution is one my main bank uses here in Spain - they have a secure phone app where 2FA messages are routed to and that's required to confirm transfers, online purchases, etc., and it automatically alerts for any transaction on the account as well as online account logins. So, unless someone gets full access to your phone you're usually covered. It's not perfect, but it seems like a better system to me.
[ link to this | view in thread ]
Re: Re:
Citation? I know there are various exploits, but to my knowledge, it's not the chips being attacked or cloned.
How do you know it's "secure"? What does it do that a desktop web browser can't? Phones get compromised, and the app will have the password; if it also has the 2FA secret, that's not really a second factor.
And what about people without smartphones?
[ link to this | view in thread ]