Mobile messaging has been in and out of the headlines all year. Whether it’s the pressure applied on encrypted platforms to open up to law enforcement or targeted hacking attacks on users, messaging security has never been more front of mind. There is a connection between all of the various news stories: the emergence of so-called “over-the-top” platforms as an alternative to the SMS technology built into mobile networks. Newer platforms, like WhatsApp and iMessage, are end-to-end encrypted, making them more secure. They also carry a rich feature set not available with SMS. But SMS messaging is about to see its biggest ever shake-up, with the launch of an updated, richer platform. But a new report has now warned that SMS security vulnerabilities are not being addressed, putting billions of users at risk.
Meet RCS—the biggest messaging shake-up since WhatsApp
If you haven’t yet heard of RCS messaging, then you soon will. Rich Communication Services is the mobile networks answer to OTT platforms stealing traffic away from SMS text messaging. And for Android specifically, it’s the answer to the stickiness of Apple’s hybrid iMessage platform. RCS could see the fastest adoption by a messaging technology ever, with billions of devices enabled. The only challenge is that it does not have the core end-to-end encryption available with the better point-to-point OTT platforms, it remains rooted in the indirect “man-in-the-middle” architecture of GSM. And there’s worse—a new cybersecurity report warns that gaping security holes will leave “RCS technology exposing most mobile users to hacking.”
Get started on your cybersecurity degree at American Military University.
Sitting behind the plans for RCS is the mobile industry’s trade association, the GSMA. And from a technical standpoint, the driving force is Google. It promises to shift SMS away from its clunky format to a new world of video, e-ticketing and mobile services. Because it’s a replacement for SMS, it is being deployed by the networks rather than as an app that sits across those networks with no direct interface. And because Apple users tend to opt for iMessage, it will impact Android more than iOS.
So, what’s the risk?
According to the new report from the cybersecurity researchers at Germany’s SRLabs, “the provisioning process for activating RCS functionality on a phone is badly protected in many networks, allowing hackers to fully take over user accounts.” And for Android specifically, the most popular RCS client Android Messages “does not implement sufficient domain and certificate validation, enabling hackers to intercept and manipulate communication through a DNS spoofing attack.”
One of the risks raised by SRLabs is caller impersonation, essentially “caller ID spoofing,” a longtime challenge for SMS which has been resolved in the better OTT platforms. Another risk is location tracking and data interception, including lifting security codes “in attempt to authorize fraudulent bank transactions or take over email accounts.” Where codes are to validate the RCS user themselves, they can be brute forced. There is even the risk that malicious apps on a device can lift a RCS configuration file, introducing a new attack vector that can be exploited.
Put simply, there is no point in deploying a new text messaging standard if it inherits core vulnerabilities from the system it’s replacing. Earlier this month, I warned of the pitiful security built into SMS, and how the ease of attack should push us all into adopting an end-to-end encrypted messaging platform as standard. According to SRLabs, “current RCS deployments [are] as vulnerable to hacking as legacy mobile technologies—surprising for a technology build on internet technology and under active design.” You can see the point. The lessons are there to be learned.
SMS technology has always been open to man-in-the-middle attacks, there’s no direct link between the sender and the receiver. That risk needs fixing if an SMS alternative is to deliver a secure user experience. But, as SRLabs warns, “the RCS client, including the official Android messaging app, does not properly validate that the server identity matches the one provided by the network during the provisioning phase.”
It’s a tricky problem to solve without reverting to point-to-point, which is not the architecture the networks want. “This fact can be abused through DNS spoofing, enabling a hacker to be in the middle of the encrypted connection between mobile and RCS network core.” The alternative disintermediates the networks from their users and the services they want to buy. And as messaging converges with commerce and payments, platforms become goldmines and networks don’t want to miss out.
Is there a solution?
In short, yes. SRLabs acknowledges that the issues can be mitigated by setting up RCS deployments with risk mitigation in mind, avoiding “common mistakes” that would otherwise be made. “Mobile networks are variably affected by these vulnerabilities depending on gaps in their individual implementations and configuration.”
A timely warning
There are many factors at play here. At heart, is a continuing shift to centrally managed platforms that can (theoretically) secure communications but which then concentrate advertising and commerce opportunities in a small number of hands. RCS is an answer to that, but it needs to be deployed with security in mind. RCS instantly becomes a target for attack. If there are inherent weaknesses, they will be exploited.
And this is the crux—the fundamental security disadvantages with RCS over WhatsApp, Signal, Wickr, Telegram and iMessage. The point-to-centre architecture is a risk. But that goes with the territory where network messaging is concerned. The issues raised by SRLabs are more straightforward. And with RCS already being deployed in around 70 countries, it needs fixing quickly. The good news is that the major networks seem to be open to reviewing the research and adapting deployments.
SRLabs will present more of its findings at Black Hat Europe in December.