Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
67,547
37,903


Major carriers in the U.S. like Verizon, T-Mobile, and AT&T have made a change to how SMS messages are routed to put a stop to a security vulnerability that allowed hackers to reroute texts, reports Motherboard.

sms-message-iphone.jpg

Carriers introduced the change after a Motherboard investigation last week revealed how easy it is for hackers to reroute text messages and use the stolen information to break into social media accounts. The site paid a hacker $16 to reroute texts using the tools of a company called Sakari, which helps businesses with mass marketing.

Sakari offered a text rerouting tool from a company called Bandwidth, which was supplied by another company called NetNumber, resulting in a confusing network of companies contributing to a vulnerability that left SMS texts open to hackers (Motherboard has more information on the process in its original article). The hacker hired by Motherboard was able to access Sakari's tools without any authentication or consent from the rerouting target, successfully getting texts from Motherboard's test phone.

Sakari is meant to allow businesses to import their own phone number for sending mass texts, which means a business is able to add a phone number to send and receive texts through the Sakari platform. Hackers could abuse this tool by importing a phone number of a victim to get access to the person's text messages.

Aerialink, a communications company that helps route text messages, said today said that wireless carriers are no longer supporting SMS or MMS text enabling on wireless numbers, something that "affects all SMS providers in the mobile ecosystem." This will prevent the hack demonstrated by Motherboard last week from working.

It is not clear if this text rerouting method was widely used by hackers, but it was easier to pull off than other smartphone hacking methods like SIM swapping. A Security Research Labs researcher said that he had not seen it before, while another researcher said it was "absolutely" in use.

Article Link: U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts
 
I wish I can disable SMS 2FA across the board. Many financial institutions require it.
Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.
 
Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.
Are you sure that that didn't have the same vulnerabilities as the ones this article is about?
 
  • Like
Reactions: Lazy
This is the kind of thing where you're reading the article and asking yourself:

- Why was this possible in the first place??
- If the carriers were able to prevent this from happening, why weren't they already doing so????!!?!11

I swear, our security infrastructure is so fragile. It's only a matter of time before something really, really bad happens.
 
Are you sure that that didn't have the same vulnerabilities as the ones this article is about?
No, not entirely. There may also be more weaknesses lurking in the telephony networks (which often rely on trust rather than strong authentication). I don't give out the Google Voice number to anyone else as a precaution. But I would much prefer if the banks allowed TOTP-based 2FA.
 
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...
 
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...

CallerID needs to be replaced with something much less sophisticated.

It needs to report either "number withheld" or the phone number. And when it reports a phone number, it must be a genuine phone number that can be traced back to a person or company, or not. For example, I pay O2 every month to use my phone on their network, so unless I withhold my number, it should be reported because it can be traced back to me.
 
I really wish SM 2FA would go away. Google, Apple, my bank, and my school plus others require it now. If I were to lose my phone number somehow, I would be in a terrible situation
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
 
It's weird to characterize Sakari and the other companies as part of the vulnerability. The carriers shouldn't allow anyone to reroute texts to begin with. This is just like how carriers sell live location data to third parties, but somehow the news is about those third parties.
 
Last edited:
  • Like
Reactions: peanuts_of_pathos
Fix the darn robo-calls. I still keep getting like 2-3 a day.
They try to be useful with "scam likely" ID but still ringing anyway in case I'm feeling lucky. And how am I getting SMS messages from email addresses?? Why would I ever want that?

Btw, I just got a slew of 5 spam Facetime calls for the first time. Two were group calls.
 
Last edited:
  • Like
Reactions: peanuts_of_pathos
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
Theirs is the best system by far. No matter how it's done, 2FA requires you to have a cred on you. If it's SMS, that cred is your SIM card. With Apple 2FA, it's all your devices, and it's easy to set up. New phone, just accept the 2FA on your old one or your Mac.

Google Authenticator (the OTP app) is awful. Perfect example of nerds designing things with only themselves in mind. It's unclear how you transfer the codes to a new device, and it's super easy to just perma lock yourself out of everything. I actually had to experiment with migrating phones because it's undocumented, or at least was.
 
Last edited:
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS wil become the fax of the next decade... Something that no one wants but since some instituations (that can't even spell innovation [I'm talking about banks] require it) it lives on...
They already have something much better called RCS and the newer revisions also use encryption. Google has been trying to push it with their Messages app, but the carriers are so slow to adopt it at their level.
 
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
You can still use SMS if you want to, though, which renders it vulnerable to attacks like these.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.