Massive SMS Flaw Gives An Attacker Full Access To Your Accounts For $16

from the whoops-a-daisy dept

So last year, when everybody was freaking out over TikTok, we noted that TikTok was likely the least of the internet's security and privacy issues. In part because TikTok wasn't doing anything that wasn't being done by thousands of other companies in a country that can't be bothered to pass even a basic privacy law for the internet. Also, any real security and privacy solutions need to take a much broader view.

For example, while countless people freaked out about TikTok, none of those same folks seem bothered by the parade of nasty vulnerabilities in the nation's telecom networks, whether we're talking about the SS7 flaw that lets governments and bad actors spy on wireless users around the planet or the constant drumbeat of location data scandals that keep revealing how your granular location data is being sold to any nitwit with a nickel. Or the largely nonexistent privacy and security standards in the internet of broken things. Or the dodgy security in our satellite communications networks.

Point being, hysteria over the potential threat of a Chinese app packed with dancing tweens trumped any real concerns about widespread, long-standing security vulnerabilities and privacy issues, particularly in telecom. This week this apathy was once again on display after reporters found that a gaping flaw in the SMS standard lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages. All for around $16:

"I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.

Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16."

Carriers told the reporter they couldn't replicate the problem and that they'd done their best to lock it down (not that there's any level of transparency or regulatory accountability that would let somebody verify that claim). The hackers involved disagree. This wasn't a SIM hijack, another problem we really haven't done enough about. In this case, the hacker used a service from a company dubbed Sakari, which sells SMS marketing and mass messaging services, to reroute the reporter's messages to them. With little in the way of serious screening of more nefarious users, apparently.

That in turn opens the door to having all your online accounts compromised, all without the target being any the wiser. It's a relatively trivial attack to accomplish, and exposes a general lack of any meaningful authentication process to ensure it isn't exploited by bad actors. As an aside, there's a tool you can now use to confirm whether your text messages have been compromised. Meanwhile, security researchers warn that there are so many SMS vulnerabilities now, it's time to stop using SMS for sensitive security purposes.

Meanwhile, the failure by regulators and industry to police and prevent the flaw also (once again) showcases how Ajit Pai's decision to turn the FCC into a mindless rubber stamp for industry had a much broader impact than just killing net neutrality, says Senator Ron Wyden:

"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack."

While everybody professes to be concerned about internet security and privacy, we're routinely only paying lip service to the concept. The internet of things is seen more as something funny than a massive security and privacy headache. The Trump TikTok hysteria saw more press and national attention than any of a laundry list of more problematic telecom flaws. Having a basic privacy law for an era in which there are a dozen major hacks, breaches, or data leaks every week is treated as something that's optional. As is functional, basic regulatory oversight at agencies like the FCC.

Most modern security and privacy problems require holistic, collaborative efforts between government, the media, industry, and activists. Instead, more often than not, knee jerk clickbait hysteria has us routinely distracted from much broader problems we seem intent on doing little too little to address.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2fa, security, sms