- Verizon, T-Mobile, and AT&T have fixed the security gap that allowed $16 SMS hijacking.
- The telcos haven’t made any announcements about it, and neither has the FCC, their ruling body.
- SMS messages are overly unsafe when it comes to 2FA, so you are advised to avoid using them.
Ten days ago, Vice published an investigation showing that all it took to hijack any subscriber's SMS was paying a hacker $16. The pseudonymous hacker acted swiftly, stealthily, and effortlessly, handing over the Vice journalist's SMS messages without performing a SIM swap or anything as sophisticated as exploiting SS7 network flaws.
The hacker simply signed up on an otherwise legitimate mass-messaging marketing service and, by exploiting a security gap, rerouted the journalist's SMS messages.
Now, the same publication reports that the telcos have finally plugged that hole. The announcement confirming the fix came from Aerialink and reads as follows:
The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers. The change is industry-wide and affects all SMS providers in the mobile ecosystem. Be aware that Verizon, T-Mobile, and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile, or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway.
Neither the telcos themselves nor the FCC, their governing body, have provided any comments to Motherboard, so this was a somewhat “silent” fix, with nobody feeling the need to say anything about it. It is extremely unlikely, though, that the FCC will just let this pass, and we expect the authority to launch an investigation and impose fines on the telcos.
From the side of the software that was abused, the co-founder of the vendor has stated the following:
We welcome this news and hope the rest of the industry follows suit. It has always been our policy at Sakari to only support the text-enablement of VoIP and landline phone numbers, and as soon as the industry issue was raised we placed a complete block on any mobile numbers. As part of our internal audit, other than Lucky225’s account (the hacker’s), we found no other mobile numbers enabled.
Having SMS messages rerouted to anyone who can subscribe to a third party's platform obviously has dire consequences for the security of any accounts that use 2FA linked to these numbers, and it potentially opens Pandora's box in terms of people's privacy. The hacker who performed the demonstration for Vice proved that taking over several of the target's accounts this way would be fairly easy.
If you need a takeaway from all this, that would be that SMS is not a secure method of 2FA, and you should prefer an authenticator app or a physical key instead. If you have no other option, use a private number that is not linked to your identity, is not known by others, and is not used for any other purpose than 2FA.