posted by Fnord666 on Thursday December 05 2019, @09:34PM
from the what's-old-is-new-again dept.

The Future of Texting Is Far Too Easy to Hack

Ask practically any phone carrier, and they'll tell you that the future of smartphone features from texting to video calls is a protocol called Rich Communication Services. Think of RCS as the successor to SMS, an answer to iMessage that can also handle phone and video calls. Last month, Google announced that it would begin rolling RCS out to its Messages app in all US Android phones. It's easy to imagine a near-future where RCS is the default for a billion people or more. But when security researchers looked under the hood, they found the way carriers and Google have implemented the protocol creates a slew of worrying vulnerabilities.

At the Black Hat security conference in London today, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones. Those implementation flaws, the researchers say, could allow texts and calls to be intercepted, spoofed, or altered at will, in some cases by a hacker merely sitting on the same Wi-Fi network and using relatively simple tricks. SRLabs previously described those flaws at the DeepSec security conference in Vienna last week, but at Black Hat also showed how those RCS hijacking attacks would work in videos like the one below:[*]

SRLabs founder Karsten Nohl, a researcher with a long track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.

"You're going to be more vulnerable to hackers because your network decided to activate RCS," says Nohl. "RCS gives us the capability to read your text messages and listen to your calls. That's a capability that we had with SS7, but SS7 is a protocol from the '80s. Now some of these issues are being reintroduced in a modern protocol, and with support from Google."

[*] YouTube Link.


  • (Score: 4, Informative) by NickM on Thursday December 05 2019, @10:27PM (6 children)

    by NickM (2867) on Thursday December 05 2019, @10:27PM (#928628) Journal
    The best article on the subject is "A Pointless Multimedia Subsystem?" It is from 2006 and I am not able to find the PDF... but the main point of the article is that IMS is obsolete before it was even deployed. This mishmash of protocols called IP Multimedia Subsystem is so baroque, it is evidently the result of design by committee of committees with the emphasis on how to bill. RCS mostly adds a mandatory set of services on top of a terribly complex system. To see how complex, have a look at that https://en.wikipedia.org/wiki/IP_Multimedia_Subsystem#Interfaces_description [wikipedia.org]
    --
    I a master of typographic, grammatical and miscellaneous errors !
    • (Score: 1) by fustakrakich on Thursday December 05 2019, @10:35PM (5 children)

      by fustakrakich (6150) on Thursday December 05 2019, @10:35PM (#928630) Journal

      Run away? Is there anywhere to go? Is there any messaging service that has only plain ASCII?

      --
      Politics and criminals are the same thing..
      • (Score: 3, Touché) by NickM on Thursday December 05 2019, @11:01PM (2 children)

        by NickM (2867) on Thursday December 05 2019, @11:01PM (#928641) Journal
        I am sorry, I cannot recommend a non-Luddite solution, I don't have a cellphone (PTSD from studying IMS) so I don't text!
        --
        I a master of typographic, grammatical and miscellaneous errors !
        • (Score: 1) by fustakrakich on Thursday December 05 2019, @11:58PM (1 child)

          by fustakrakich (6150) on Thursday December 05 2019, @11:58PM (#928665) Journal

          The new Luddite® phones will be great marketing. And the price is right..

          --
          Politics and criminals are the same thing..
          • (Score: 2) by arslan on Friday December 06 2019, @03:15AM

            by arslan (3462) on Friday December 06 2019, @03:15AM (#928728)

            There's already a Luddite information carrier spec [ietf.org].

            The "phone" charges using seeds instead of electricity, and it is truly secure. Trojan-ing it will be messy and will likely destroy the "phone". The downside though is you can easily man-in-the-middle it with better quality seeds. Oh yeah, there's likely a network distance limit too.

      • (Score: 0) by Anonymous Coward on Thursday December 05 2019, @11:48PM (1 child)

        by Anonymous Coward on Thursday December 05 2019, @11:48PM (#928661)

        IRC works over data. I'd rather get a cellular modem dongle for a laptop (or my Pi) than a modern phone.

        I have a luddite phone with physical buttons for daily use, and I'm very happy with it. Android just blows.

        • (Score: 2) by NickM on Friday December 06 2019, @12:27AM

          by NickM (2867) on Friday December 06 2019, @12:27AM (#928675) Journal
          That is exactly the reason why IMS was supposed to be obsolete but for some hermetic scheme Google decided to resurrect RCS from the abyss of complexity.
          --
          I a master of typographic, grammatical and miscellaneous errors !
  • (Score: 3, Informative) by SomeGuy on Thursday December 05 2019, @11:48PM

    by SomeGuy (5632) on Thursday December 05 2019, @11:48PM (#928660)

    Today I overheard some common idiots talking about what they like best about some of the new Apple iPherns. The number one thing they liked best was how they could now send some kind of customized smiley faces when "texting".

    This world is doomed.

  • (Score: 0) by Anonymous Coward on Friday December 06 2019, @08:17AM (2 children)

    by Anonymous Coward on Friday December 06 2019, @08:17AM (#928770)

    For that matter, I think we could probably go ahead and add voice.

    These things can all be taken care of through the internet in efficient, simple, and secure ways.

    I genuinely don't understand why things like SMS, in the modern age, even exist. All it seems to be "good" for is to enable companies to have a convenient unique identifier for users for tracking/profiling. In particular the trackier the company, the more likely they are to require an SMS for signup or as the primary method for a strongly encouraged two-factor authentication method.

    • (Score: 0) by Anonymous Coward on Friday December 06 2019, @09:47AM

      by Anonymous Coward on Friday December 06 2019, @09:47AM (#928781)

      SMS exists because it's basically zero-cost. It's a trick, which uses communication between tower and phone (that already needs to be performed to direct calls) as a data channel. That is why SMS is text only with a limited, relatively small size.
      RCS exists because people use SMS too much, for everything. And it will be a disaster.

    • (Score: 2) by PiMuNu on Friday December 06 2019, @02:59PM

      by PiMuNu (3823) on Friday December 06 2019, @02:59PM (#928848)

      > These things can all be taken care of through the internet in efficient, simple, and secure ways.

      I understand that your question was a technical one, but the answer is social.

      Quite often, I want or need to communicate with someone but I don't want to engage in a long conversation. Maybe I don't like them, maybe I am busy with something else. You may experience this in physical interaction by a smile, someone holding a door open, saying "hi" as they pass in the corridor. So a short communication medium which suppresses conversation is absolutely useful. For this to work, the communication technique needs to be short; needs to have an easy UI; and needs to be ubiquitous. While technical solutions exist, they do not fulfil these criteria.

      * WhatsApp is closest, but is insufficiently ubiquitous, and requires you to share all contacts with some guys in California and install new software.
      * FriendFace/Tweetville also exist, but they are not ubiquitous and require you to sell your soul to s8n.
      * IRC? Not ubiquitous.
