Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16
from the don't-try-too-hard dept
It's not sure why journalists keep having to do the wireless industry's job, yet here we are.
Sometime around mid-march, Motherboard reporter Joseph Cox wrote a story explaining how he managed to pay a hacker $16 to gain access to most of his online accounts. How? The hacker exploited a flaw in the way text messages are routed around the internet, paying a third party (with pretty clearly flimsy standards for determining trust) to reroute all of his text messages, including SMS two factor authentication. From there, it was relatively trivial to break into several of the journalist's accounts, including Bumble, Whatsapp, and Postmates.
It's a flaw the industry has apparently known about for some time, but they only decided to take action after the story made the rounds. This week, all major wireless carriers indicated they'd be taking significant steps to the way text messages are routed to take aim at the flaw:
"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink, reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem."
"Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number."
It's a welcome move, but it's also part of a trend where journalists making a pittance somehow routinely have to prompt an industry that makes billions of dollars a year to properly secure their networks. It's not much different from the steady parade of SIM swapping attacks that plagued the industry for years, only resulting in substantive action by the sector after reporters began documenting how common it was (and big name cryptocurrency investors had millions of dollars stolen). It was another example of how two factor authentication over text messages isn't genuinely secure.
Or the SS7 flaw, which the industry has known about for years but didn't take seriously until journalists began documenting how the flaw lets all manner of malicious private and government actors spy on wireless users without them knowing. US consumers pay some of the highest prices in the developed world for mobile data. At that price point, it doesn't matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, hack, privacy, sms, two factor authentication
Reader Comments
Subscribe: RSS
View by: Time | Thread
What I don't get is why Aerialink ever had the ability to redirect SMS/MMS traffic through their gateway in the first place? There's no way for consumers to request that sort of redirect, so it couldn't have been at the number owner's request. The carriers are already the SMS/MMS gateway for their own networks, so they wouldn't need to request such a redirect. The only time I can see them needing that is if they were subcontracting operation of their own gateway out, and it doesn't sound like that was the case here. So why would there even need to be the ability for a third party to request control of SMS/MMS routing? It sounds to me like this is something that should never have even been implemented.
[ link to this | view in chronology ]
incompetence
it doesn't matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.
time to start handing out fines when a security flaw is discovered and nothing is done about it! it shouldn't take journalist to do there job!
[ link to this | view in chronology ]
"Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence. "
The cost of ignoring it - $0
The fines for ignoring it - $0
The penalties of consumers leaving - $0 (something something captive market)
The cost of fixing it - $1.35
Shareholder value must be increased by $0.75 (the rest was a CEO bonus for getting them an extra $0.75)
If the system is still working, why spend anything more than we have to on it?
Bailing wire & bubblegum fixes are enough to keep it going until they aren't.... then we can just get our political appointees to funnel us money to underwrite fixing the shit we've ignored for decades and don't want to pay for.
[ link to this | view in chronology ]
Re:
It appears that the only thing valuable to the corporations is their own brand image. Thank goodness for a little investigative journalism embarrassment.
[ link to this | view in chronology ]
Re: Re:
Nah even the most brain addled understood the idea that for $16 your bank account could be drained.
Now its all "fixed" so we can stop wondering if there is anything else waiting to screw us.
[ link to this | view in chronology ]
FTFY. Waiting - for anything - is a losing strategy.
[ link to this | view in chronology ]
All of your base are belong to us
[ link to this | view in chronology ]