Did you know that, on average, 6 billion SMS messages are sent every day in the U.S. alone? That’s 180 billion each month and 2.27 trillion each year. Globally, 4.2 billion people are texting worldwide. No doubt you’re one of ‘em—which means you fire off approximately 67 texts a day. That’s a lot of “LOL”s.
When you send all those texts, you probably assume that you and your recipients are the only ones privy to the information contained within. That’s where you’d be wrong.
The truth is that text messages aren’t secure, and that insecurity opens you, your friends, family, and business up to risk. And it isn’t even your fault; the default text messaging services many of us use are old and vulnerable to a number of different attack scenarios. While carriers are on a path to update it, it might be too little, too late.
But before you can understand why you should spend more energy on practicing safe texting, it may be helpful to understand how the whole system works in the first place. Here’s the breakdown.
If you’re sending a text message, you’re generally sending an “SMS,” which stands for Short Message Service. It’s the oldest and one of the most widely used text messaging services today. It includes MMS (Multimedia Messaging Service) which enables SMS users to send multimedia content like images, audio, and visual files. Both SMS and MMS are sent using cellular networks and thus require a wireless plan and a wireless carrier.
If you send a traditional “text” message on your phone, it’s considered an SMS. When you send that gif, you’ve just sent a MMS.
When you send a text message, it first goes to a nearby cellular tower over a pathway called the control channel, and then into an SMS center (SMSC). The SMSC resends that message to the tower closest to the recipient, and then it goes to their phone. SMS also sends data associated with the message, including the length of the message, format, time stamp, and destination.
Of the 109 text messages I sent yesterday, for example, 15 of them were SMS messages sent to people who have phones on other carriers, 70 were sent through iMessage, and the rest were sent via OTT applications.
WhatsApp, iMessage, Facebook Messenger, WeChat, and other messaging apps are grouped together as OTT applications and are also considered texting services. OTT stands for “Over the Top”; as a group, these apps are different than SMS services because they use internet protocols (IP) rather than cellular networks to transmit messages. This means these messages are sent through an internet connection (aka WiFi) or via mobile internet connection.
OTT apps work in a way that’s different than SMS because they send encrypted messages that only you and the person receiving your message can access. That means the messaging service doesn’t know what you’re sending, and neither does anyone else who might intercept that web traffic.
For example, WeChat uses extensible Messaging and Presence Protocol (XMPP) to exchange data between the users. This protocol is decentralized, and as a result, considered secure and flexible. The company also uses SSL/TSL encryption. All of this is intended to ensure that other people aren’t seeing your messages.
When considering messaging services, people often have to choose between sending via SMS or sending via an OTT service. If you’ve traveled extensively outside the U.S., you’ve probably noticed that people in many other countries prefer WhatsApp to text messaging.
SMS is the most ubiquitous, but least secure messaging medium. OTT apps require you to be using the same platform as the person you’re messaging, which can be annoying. Maybe your friends don’t want to download another app just for texting, but continuing to use SMS could put you at risk because it doesn’t have end-to-end encryption.
As OTT apps cannibalize the SMS market, carriers have become incentivized to improve SMS services in the form of Rich Communication Services (RCS). RCS theoretically combines the best features of OTT apps into one protocol that’s universal across carriers and devices. This new protocol will replace SMS and has been a work in progress for more than a decade.
Approved by the GSMA in 2008, RCS was fully adopted in 2016. Since then, the RCS Universal Profile has been pushed out with strong support and back-end services from Google (which acquired Jibe) with the goal of providing consistent interoperable messaging services across all devices and networks. This not only helps create a global standard, but also improves Android capacity, which is notoriously more vulnerable to attacks. As Dan Wood of Bishop Fox noted in an interview, “A lot of SMS phishing is done against Android platforms.”
RCS has the ability to:
However, while RCS doesn’t have end-to-end encryption, it does have the standard security protocols of Transport Layer Security and IPsec.
RCS doesn’t use cellular connection, but instead relies on a data connection and is both hardware- and platform-agnostic. Sprint, US Cellular, and Google Fi have implemented RCS fully across their networks and all devices. Other networks are implementing it against specific devices with broader plans to roll out further through 2020. And, moving forward, all devices should support this feature out of the box.
In short, RCS is an attempt by carriers to ensure the continued use of out-of- the-box messaging services and the connected data plans that accompany such usage. However, it doesn’t enhance the overall security of information shared.
With the recent ghost texting controversy, people have started to question just how secure text messages are. The simple answer: not very.
Remember: Text messages are sent in a multi-step process. While your message might be encrypted from your phone to the first cell tower, it’s not encrypted after that. And your SMSC may keep the message even if both the sender and recipient delete it. Whenever a message is encrypted, it can be read by the mobile service, hackers, or governments.
“Because of the lack of encryption, hackers can search for weak points anywhere along the virtual path between the sender and receiver, which includes a ton of different network devices and computing systems at many different providers—only one of which needs to be exploited via technical vulnerability, misconfiguration, social engineering or insider attack,” says Christopher Howell, CTO of Wickr.
“Because the messages are stored on these systems longer than necessary,” Howell continues, “it increases the window of vulnerability through which the hacker can attack. Rather than having to defend a system for a few seconds to prevent a hacker from stealing a message, it needs to be protected for days, weeks, months. These odds favor the hacker.”
It’s unlikely that you’re using your cell phone to text about military launch codes, top secret government business, or anything else that’s of much use to the average hacker. But what about a text exchange about a friend’s decision to leave their spouse, your boss’s cancer scare, or your little sister’s decision to switch jobs? Would you want that information to get disseminated somewhere else? What about information about your children, your pets, or a naked selfie that could help someone track where you are, guess your passwords, or find the tattoo on your left thigh that’s also your bank account password?
It’s not always about protecting big secrets—it’s about ensuring personal privacy for everyone involved.
There are a number of ways that malicious actors (governments, terrorists, etc.) can hack into SMS systems and use them for their own benefit.
Governments are hacking using SMS. Chinese hackers recently did this when they developed malware to steal SMS messages. The malware used a keyword list of terms that were of geopolitical interest for Chinese intelligence collection and then connected those terms with phone numbers that they then tracked. The group responsible for this (APT41) also interacted with call detail records and tracked high-ranking individuals who were of interest to Chinese intelligence.
“There are ‘0day’ bugs on the market that can remote access your phone without you having to click on any sort of link or do anything at all,” says Ben Lamm, the CEO of Hypergiant. “In fact, this market is growing as are all threats to vulnerable systems. The secret here is that we need to all be more focused on security, on protecting ourselves from vulnerability and on understanding that one insecure individual can compromise the whole group.”
Take, for instance, two-factor authentication, which we generally think of as safe. If that second factor authentication is through an SMS service, it could be intercepted, meaning the system you thought was secure might now be compromised. This is important if, say, you use two-factor authentication to protect your bank account, corporate email, or dating profile.
Regular people are hacking and being hacked using SMS, too. “Text message hacks are happening everywhere, from middle schoolers hacking their enemies to steal their pictures to nation state level attacks,” says Georgia Weidman, the founder of Shevirah Inc. and a New America Cybersecurity Policy Fellow.
Given the propensity for and variety of attacks, it makes sense to consider alternative services that offer end-to-end encryption. Popular secure apps include:
“An attacker might send a text message enticing a user to log into their bank or download a malicious application. Many users are getting security awareness training to be wary of phishing via email, but that education is often lacking around mobile based attack vectors such as text message or WhatsApp,” Weidman says. “Additionally, the text messaging programs on our phones are just software like any other and thus prone to security vulnerabilities. There have been instances in the past where an attacker could send a malformed text message to a device and gain control of the device.”
The truth is we all need to use an extra dose of common sense.
“Use the same caution when responding to SMS text messages as you would a suspicious email,” says Kristin Kozinski of Don’t Click on That. “When evaluating a message consider the source of the message. If you don’t recognize the number, confirm the context of the message elsewhere. For example, if your bank texts you, call the customer support number to verify the message you received. Be cautious of any link in the text message. This is a prime outlet for distributing malicious URLs. Finally, if the text sounds too good to be true, it probably is.”