RCS, or Rich Communication Services, is the biggest shake-up to SMS messaging since iMessage and WhatsApp. It has been coming for some time and now it’s live—at least for Android users in the U.S. Android’s messaging director Sanaz Ahari confirmed the news on Friday, and so users can now update their devices with the new functionality. But it’s not all good news. RCS arrives without one critical feature, and that could be a real issue for users.
RCS is being driven by Google as an answer to Apple’s iMessage and by mobile carriers who have lost SMS traffic to the “over-the-top” messaging platforms, chiefly WhatsApp. It promises the best of both worlds—the ubiquity of SMS with the richness of an internet-based messaging platform. RCS will deliver longer messages, read receipts, videos, e-ticketing, commerce and payments, and all with the cross-device flexibility of SMS. But that SMS flexibility, its embedding in the networks, has left RCS with a critical missing feature.
RCS might be snazzy, but is it secure?
One of the major benefits of iMessage and WhatsApp is security. Both platforms are end-to-end encrypted, meaning the messages are locked between the sender and the receiver. The network, known as “the man in the middle,” does not hold the keys and so cannot read or monitor message content. And that’s a major issue for RCS. End-to-end encryption has become such a compelling feature of other messaging platforms that its absence will be seen as an opportunity missed, a disadvantage. It will also prevent many people from shifting away from WhatsApp (or Signal, Wickr or Telegram).
This issue is serious enough that it prompted cybersecurity researchers at Germany’s SRLabs to warn that RCS leaves users exposed, that RCS deployments are “badly protected in many networks, allowing hackers to fully take over user accounts.” This lack of end-to-end security has become such a downside of SMS that it has to be seen as a critical omission. Unfortunately, because RCS is rooted in the networks and doesn’t run “over the top,” such compromises are not surprising.
SMS risks not yet resolved
Back in November, I warned that the gaping security risks with SMS should now compel all users to shift to an encrypted platform. That followed a report from cybersecurity researchers at FireEye into state-sponsored Chinese hackers targeting the SMS servers within cellular networks to monitor for specific user communications and keywords. But the issues with SMS are much more blatant—faking sender numbers, intercepting messages, lack of endpoint verification. SRLabs has highlighted similar issues with RCS—caller ID spoofing, user location tracking and message interception, and even using malware to lift RCS configuration files from devices.
It’s a tricky problem to solve without reverting to point-to-point, which is not the architecture the networks want—any option that disintermediates networks from their users and the services they want to buy will be resisted. But there are still options for better technology housekeeping to ensure RCS is deployed as securely as possible. SRLabs claims this isn’t being done, that “mobile networks are variably affected by these vulnerabilities depending on gaps in their individual implementations.”
Proceed with caution
Google is making some security enhancements to better protect the network messaging architecture, including a “Verified SMS” update to at least securely identify the sender of a message, a major vulnerability until now. But that’s designed more to assure users of the legitimacy of messages sent by businesses, which can originate from strange and certainly unrecognisable numbers. It doesn’t address the security holes with SMS—and likely now RCS—that could leave so many millions at risk.
And so as exciting as an Android alternative to iMessage might be, my advice remains the same. Stick to an end-to-end encrypted platform such as WhatsApp, Signal, Wickr, Telegram or iMessage. And in doing so put the onus onto Google and the networks to ensure that the deployment of RCS puts security front and centre, that the lessons of recent years around messaging security are learned. RCS is being deployed in around 70 countries—it has the potential to see the fastest take-up of any new messaging technology ever. And so any problems need fixing quickly.