Joseph Cox, a security and privacy reporter with Motherboard, released a story that has the cybersecurity Twittersphere stressing how insecure text messages inherently are. Cox paid a hacker $16 to re-route his text messages. "I didn't expect it to be that quick," the story opens.
"...the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me. Looking down at my phone, there was no sign it had been hacked."
The attacker leveraged a feature in a platform known as Sakari, "a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns," their site reads. Apparently it is also a tool hackers can use to impersonate anyone whose phone number they have. The hacker, going by the name of Lucky225, said he filled out Sakari's required letter of authorization with "fake info" after paying the required $16 and was intercepting Cox's private messages within minutes.
Sakari told Motherboard that all users are now required to verify the phone number which they are impersonating by providing a code that will only be delivered by an automated voice call to that same number. But the slip-up forces the question: why weren't such security measures there in the first place? Lucky225 is Director of Information at Okey Systems, a Denver-based company whose CEO, Teli Tuketu, told Motherboard that after one provider implemented a similar security measure "it took us two minutes to find another" that didn't take such precautions.
Okey Systems provides a free tool that will monitor for this type of attack against any phone number. If you're reading this, you should absolutely go and sign up right now. As Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, pointed out in a tweet yesterday, the attack is "trivially simple" and everyone should protect themselves against it.
Galperin also told Motherboard that the attack "underscores the importance of moving people off of SMS 2FA." 2FA is shorthand for "2 factor authentication" which you may have some experience with. That's when an online platform requires a code after successfully entering a username and password to complete the login process. Most services provide the option to receive the codes via text message, but as we saw, that gave Lucky225 the ability to impersonate Cox on Bumble and Postmates.
Galperin gives other, better options in the aforementioned tweet:
Both Authy and Google Authenticator are mobile applications which generate the codes inside the app, a much more secure alternative to receiving them over text messages. *Full disclosure: I used to work for Twilio, which owns Authy, and still hold shares in the company.
In a statement to Motherboard, Senator Ron Wyden highlighted the need for regulation to protect consumers from this sort of thing. "The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," he said.
If you're at all interested in the finer, much more technical details of this attack, Lucky225 wrote up a great explanation on Medium.
Text messaging's lack of security reaches beyond this specific attack. In July 2020, the Intercept released a piece detailing how deadly simple it is to impersonate a cellular tower, downgrade a phone's connection to 2G, thus forcing it to use either weak encryption or none at all, and intercept text messages and voice calls without the user or their recipients ever knowing.
This is a common tactic of law enforcement, likely a strong reason why encrypted messaging apps such as WhatsApp and Signal are on the rise among activists. An article from the Wall Street Journal this week reports that Signal appears to have been blocked in mainland China. Clubhouse was also recently blocked in the country. Users reported that the verification text messages to sign up simply never made it to their phones. Authoritarian governments, such as China's, are obviously exploiting the insecurities inherent in text messaging and cellular protocols.
Even the country's most popular messaging service, WeChat, is subject to it. While WeChat employs encryption, it does so in such a way that messages are decrypted on their servers, thus giving them the ability to censor certain content. Wired reported this past August on the findings of Canada-based security research center Citizen Lab which show that WeChat suppressed more than 2,000 terms related to the COVID-19 pandemic.
And thus, we learn to use encrypted messaging such as Signal and to just say no to text messages.