MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,421
14,129


Major carriers in the U.S. like Verizon, T-Mobile, and AT&T have made a change to how SMS messages are routed to put a stop to a security vulnerability that allowed hackers to reroute texts, reports Motherboard.

Carriers introduced the change after a Motherboard investigation last week revealed how easy it is for hackers to reroute text messages and use the stolen information to break into social media accounts. The site paid a hacker $16 to reroute texts using the tools of a company called Sakari, which helps businesses with mass marketing.

Sakari offered a text rerouting tool from a company called Bandwidth, which was supplied by another company called NetNumber, resulting in a confusing network of companies contributing to a vulnerability that left SMS texts open to hackers (Motherboard has more information on the process in its original article). The hacker hired by Motherboard was able to access Sakari's tools without any authentication or consent from the rerouting target, successfully getting texts from Motherboard's test phone.

Sakari is meant to allow businesses to import their own phone number for sending mass texts, which means a business is able to add a phone number to send and receive texts through the Sakari platform. Hackers could abuse this tool by importing a phone number of a victim to get access to the person's text messages.

Aerialink, a communications company that helps route text messages, said today that wireless carriers are no longer supporting SMS or MMS text enabling on wireless numbers, something that "affects all SMS providers in the mobile ecosystem." This will prevent the hack demonstrated by Motherboard last week from working.

It is not clear if this text rerouting method was widely used by hackers, but it was easier to pull off than other smartphone hacking methods like SIM swapping. A Security Research Labs researcher said that he had not seen it before, while another researcher said it was "absolutely" in use.

Article Link: U.S. Carriers Fix SMS Routing Vulnerability That Let Hackers Hijack Texts
 

Rigby

macrumors 603
Aug 5, 2008
5,570
9,259
San Jose, CA
I wish I could disable SMS 2FA across the board. Many financial institutions require it.
Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,127
5,094
Yep. It's a complete joke that you can't secure the most important accounts properly. I'm now using a Google Voice number for 2FA in those cases (no SIM swapping or number porting possible). But they should really offer more secure methods.
Are you sure that that didn't have the same vulnerabilities as the ones this article is about?
 

zorinlynx

macrumors 604
May 31, 2007
6,512
10,708
Florida, USA
This is the kind of thing where you're reading the article and asking yourself:

- Why was this possible in the first place??
- If the carriers were able to prevent this from happening, why weren't they already doing so????!!?!11

I swear, our security infrastructure is so fragile. It's only a matter of time before something really, really bad happens.
 

Rigby

macrumors 603
Aug 5, 2008
5,570
9,259
San Jose, CA
Are you sure that that didn't have the same vulnerabilities as the ones this article is about?
No, not entirely. There may also be more weaknesses lurking in the telephony networks (which often rely on trust rather than strong authentication). I don't give out the Google Voice number to anyone else as a precaution. But I would much prefer if the banks allowed TOTP-based 2FA.
 

[AUT] Thomas

macrumors 6502a
Mar 13, 2016
676
821
Graz [Austria]
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS will become the fax of the next decade... Something that no one wants, but since some institutions (that can't even spell innovation [I'm talking about banks]) require it, it lives on...
 

gnasher729

macrumors P6
Nov 25, 2005
17,962
5,505
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS will become the fax of the next decade... Something that no one wants, but since some institutions (that can't even spell innovation [I'm talking about banks]) require it, it lives on...

CallerID needs to be replaced with something much less sophisticated.

It needs to report either "number withheld" or the phone number. And when it reports a phone number, it must be a genuine phone number that can be traced back to a person or company, or not. For example, I pay O2 every month to use my phone on their network, so unless I withhold my number, it should be reported because it can be traced back to me.
 

xpxp2002

macrumors 6502
May 3, 2016
451
753
I really wish SMS 2FA would go away. Google, Apple, my bank, and my school plus others require it now. If I were to lose my phone number somehow, I would be in a terrible situation.
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
 

hot-gril

macrumors 65816
Jul 11, 2020
1,483
1,372
Northern California, USA
It's weird to characterize Sakari and the other companies as part of the vulnerability. The carriers shouldn't allow anyone to reroute texts to begin with. This is just like how carriers sell live location data to third parties, but somehow the news is about those third parties.
 

hot-gril

macrumors 65816
Jul 11, 2020
1,483
1,372
Northern California, USA
Fix the darn robo-calls. I still keep getting like 2-3 a day.
They try to be useful with "scam likely" ID but still ringing anyway in case I'm feeling lucky. And how am I getting SMS messages from email addresses?? Why would I ever want that?

Btw, I just got a slew of 5 spam FaceTime calls for the first time. Two were group calls.
 

hot-gril

macrumors 65816
Jul 11, 2020
1,483
1,372
Northern California, USA
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
Theirs is the best system by far. No matter how it's done, 2FA requires you to have a cred on you. If it's SMS, that cred is your SIM card. With Apple 2FA, it's all your devices, and it's easy to set up. New phone, just accept the 2FA on your old one or your Mac.

Google Authenticator (the OTP app) is awful. Perfect example of nerds designing things with only themselves in mind. It's unclear how you transfer the codes to a new device, and it's super easy to just perma lock yourself out of everything. I actually had to experiment with migrating phones because it's undocumented, or at least was.
 

DakotaGuy

macrumors 601
Jan 14, 2002
4,103
3,475
South Dakota, USA
SMS needs to be replaced with something more sophisticated.
So does CallerID.

Carriers need to tackle these issues rather sooner than later or SMS will become the fax of the next decade... Something that no one wants, but since some institutions (that can't even spell innovation [I'm talking about banks]) require it, it lives on...
They already have something much better called RCS and the newer revisions also use encryption. Google has been trying to push it with their Messages app, but the carriers are so slow to adopt it at their level.
 

zorinlynx

macrumors 604
May 31, 2007
6,512
10,708
Florida, USA
Apple no longer requires SMS for 2FA as long as you upgraded from “2-step authentication,” which was deprecated many years ago.

Apple pushes a notification to your devices using APNS, which allows you to receive a six-digit verification code securely.
You can still use SMS if you want to, though, which renders it vulnerable to attacks like these.
 