U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts

[MacRumors]

Major carriers in the U.S. like Verizon, T-Mobile, and AT&T have made a change to how SMS messages are routed to put a stop to a security vulnerability that allowed hackers to reroute texts, reports Motherboard.

Carriers introduced the change after a Motherboard investigation last week revealed how easy it is for hackers to reroute text messages and use the stolen information to break into social media accounts. The site paid a hacker $16 to reroute texts using the tools of a company called Sakari, which helps businesses with mass marketing.

Sakari offered a text rerouting tool from a company called Bandwidth, which was supplied by another company called NetNumber, resulting in a confusing network of companies contributing to a vulnerability that left SMS texts open to hackers (Motherboard has more information on the process in its original article). The hacker hired by Motherboard was able to access Sakari's tools without any authentication or consent from the rerouting target, successfully getting texts from Motherboard's test phone.

Sakari is meant to allow businesses to import their own phone number for sending mass texts, which means a business is able to add a phone number to send and receive texts through the Sakari platform. Hackers could abuse this tool by importing a phone number of a victim to get access to the person's text messages.

Aerialink, a communications company that helps route text messages, said today said that wireless carriers are no longer supporting SMS or MMS text enabling on wireless numbers, something that "affects all SMS providers in the mobile ecosystem." This will prevent the hack demonstrated by Motherboard last week from working.

It is not clear if this text rerouting method was widely used by hackers, but it was easier to pull off than other smartphone hacking methods like SIM swapping. A Security Research Labs researcher said that he had not seen it before, while another researcher said it was "absolutely" in use.

Article Link: U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts

 

[nutmac]

I wish I can disable SMS 2FA across the board. Many financial institutions require it.

 

[JosephAW]

Now they need to stop robo calls from false local numbers.

 

[DocklandNightShift]

I try not to use SMS. It’s either iMessage or Signal for me. more people need to realize how utterly open and non private normal texting is

 

[TheYayAreaLiving 🎗️]

Stop the ROBO/TELE-Markeing calls please.

 

[Rigby]

I wish I can disable SMS 2FA across the board. Many financial institutions require it.

Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.

 

[Apple_Robert]

Glad to see this fixed.

 

[jav6454]

Fix the darn robo-calls. I still keep getting like 2-3 a day.

 

[HyperX13]

Green friend!

 

[ArtOfWarfare]

Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.

Are you sure that that didn't have the same vulnerabilities as the ones this article is about?

 

[zorinlynx]

This is the kind of thing where you're reading the article and asking yourself:

- Why was this possible in the first place??
- If the carriers were able to prevent this from happening, why weren't they already doing so????!!?!11

I swear, our security infrastructure is so fragile. It's only a matter of time before something really, really bad happens.

 

[LeadingHeat]

Stop the ROBO/TELE-Markeing calls please.

Get on T-Mobile

 

[Rigby]

Are you sure that that didn't have the same vulnerabilities as the ones this article is about?

No, not entirely. There may also be more weaknesses lurking in the telephony networks (which often rely on trust rather than strong authentication). I don't give out the Google Voice number to anyone else as a precaution. But I would much prefer if the banks allowed TOTP-based 2FA.

 

[[AUT] Thomas]

SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...

 

[vicviper789]

I really wish SM 2FA would go away. Google, Apple, my bank, and my school plus others require it now. If I were to lose my phone number somehow, I would be in a terrible situation

 

[macsareveryinteresting]

😱 I thought Apple had their devices secure. I’ve been told a complete lie.

 

[gnasher729]

SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...

CallerID needs to be replaced with something much less sophisticated.

It needs to report either "number withheld" or the phone number. And when it reports a phone number, it must be a genuine phone number that can be traced back to a person or company, or not. For example, I pay O2 every month to use my phone on their network, so unless I withhold my number, it should be reported because it can be traced back to me.

 

[gnasher729]

😱 I thought Apple had their devices secure. I’ve been told a complete lie.

I suppose if you send $10,000 to a bitcoin scammer who sent a text message to your iPhone, you will also complain about Apple?

 

[xpxp2002]

I really wish SM 2FA would go away. Google, Apple, my bank, and my school plus others require it now. If I were to lose my phone number somehow, I would be in a terrible situation

Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.

 

[hot-gril]

It's weird to characterize Sakari and the other companies as part of the vulnerability. The carriers shouldn't allow anyone to reroute texts to begin with. This is just like how carriers sell live location data to third parties, but somehow the news is about those third parties.

 

[hot-gril]

Fix the darn robo-calls. I still keep getting like 2-3 a day.

They try to be useful with "scam likely" ID but still ringing anyway in case I'm feeling lucky. And how am I getting SMS messages from email addresses?? Why would I ever want that?

Btw, I just got a slew of 5 spam Facetime calls for the first time. Two were group calls.

 

[hot-gril]

Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.

Theirs is the best system by far. No matter how it's done, 2FA requires you to have a cred on you. If it's SMS, that cred is your SIM card. With Apple 2FA, it's all your devices, and it's easy to set up. New phone, just accept the 2FA on your old one or your Mac.

Google Authenticator (the OTP app) is awful. Perfect example of nerds designing things with only themselves in mind. It's unclear how you transfer the codes to a new device, and it's super easy to just perma lock yourself out of everything. I actually had to experiment with migrating phones because it's undocumented, or at least was.

 

[DakotaGuy]

SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...

They already have something much better called RCS and the newer revisions also use encryption. Google has been trying to push it with their Messages app, but the carriers are so slow to adopt it at their level.

 

[DocklandNightShift]

😱 I thought Apple had their devices secure. I’ve been told a complete lie.

TIL that AT&T, Verizon networks are iPhones.

 

[zorinlynx]

Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.

You can still use SMS if you want to, though, which renders it vulnerable to attacks like these.