By: Travis Russell
But don’t celebrate too loudly. For all it has brought to our personal and professional lives, and despite its ubiquitous role in managing dialog between Internet of Things devices, SMS isn’t entirely safe.
Security researchers have known this for years, and the telecommunications industry is now waking up to this undeniable fact. Hackers have demonstrated they can use known vulnerabilities in the SS7 and Diameter signaling systems that connect mobile phone networks to re-route two-factor authentication codes wherever they like. They can also divert calls, track callers and eavesdrop on any conversation. They can read and respond to SMS (text) messages sent between phones, passing themselves off as legitimate parties to steal confidential information and money.
Until recently, these vulnerabilities were considered more of a theoretical threat. But last year, O2 Telefonica execs felt the potential for destruction when hackers intercepted SMS messages to steal access codes and drain an untold number of bank accounts across Germany.
The O2 Telefonica incident should serve as yet another wake-up call to the industry that it’s time to take action to head off similar disasters related to text messaging. The well-known SS7 vulnerabilities these hackers prey on still exist in many networks, waiting to be exploited again. It’s only a matter of time before that happens, which is why the National Institute of Standards and Technology (NIST) last year stopped recommending the use of SMS messages in two-factor authentication.
The top wireless providers in the world have been taking aggressive measures to protect their consumers against these attacks. Here are three places other operators should start in order to get ahead of the problem:
Text messaging badly needs a security overhaul. Currently, we have clients on our phones that communicate with network servers using SS7, Diameter, or SIP, and those servers then deliver text messages on our behalf. But this system has too many holes built into it, making it too easy for hackers to spoof and too easy to compromise.
Operators, working through the 3GPP, defined Home Routing as the means for preventing SMS spoofing as well as hijacking. However, many international networks have yet to support Home Routing (all North American operators use it).
Encryption offers another protection that the industry should be educating customers about. There are a number of encryption applications, such as Signal, Wickr, and Surespot, that provide consumers with secure voice and text messaging.