Easy SMS Hijacking

Vice is reporting on a cell phone vulnerability caused by commercial SMS services. One of the things these services permit is text message forwarding. It turns out that with a little bit of anonymous money—in this case, $16 off an anonymous prepaid credit card—and a few lies, you can forward the text messages from any phone to any other phone.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exist, each advertising their own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.

Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.

While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.

This is much easier than SMS hijacking, and causes the same security vulnerabilities. Too many networks use SMS as an authentication mechanism.

Once the hacker is able to reroute a target’s text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case, the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.

Don’t focus too much on the particular company in this article.

But Sakari is only one company. And there are plenty of others available in this overlooked industry.

Tuketu said that after one provider cut-off their access, “it took us two minutes to find another.”

Slashdot thread. And Cory Doctorow’s comments.

Tags: , , , ,

Posted on March 19, 2021 at 6:21 AM24 Comments

Comments

Eric March 19, 2021 8:44 AM

It is good to have confirmation on something that you believed, but didn’t have time to research. SMS is still way too easy to hack. I don’t think security people are really surprised by this.

I have been not signing up for MFA on new services when the service only provided SMS based MFA, because the impact of losing that one service was smaller than the impact of losing my SMS in the case of my password to that service also being compromised.

Clive Robinson March 19, 2021 8:53 AM

@ Bruce, ALL,

a cell phone vulnerability caused by commercial SMS services

Four things of note,

1, Little or no authentication.
2, Misaligned business objectives.
3, Externalisation of risk.
4, Advances in usability by technological means.

In effect make SMS less secure day by day, and is now at the point especially with Smart Devices that,

A, It can not be in any way regarded as secure.
B, It can not be in any way regarded as an independent side channel.

Which makes it in effect usless for any process including basic communication without the use of other properely issolated technologies and methods.

Pushing SMS as a side channel system giving security getting on for a third of a century ago, was probably one of my bigger if not biggest mistakes.

We realy should stop using SMS for anything we can not reliably and securely authenticate and prevent replay and similar attacks. Thus a real “No No” for 2FA and the like, or as a ticket passing system for access/authentication etc in banking etc.

I suspect the only reason Google and others push the use of mobile phones or SMS is as a way to skim PII or increase the value of PII they have already stolen.

Iggy March 19, 2021 9:02 AM

This is my shocked face. Saw this coming a long time ago and have always refused to just fork over a cell #. They should go back to asking 2 security questions, the answers to which are supplied by the service provider and the user has to save the answers to their hard drive if they can’t memorize them. That’s just my 2 cents.

uh, Mike March 19, 2021 11:32 AM

Secure products are inherently less convenient than insecure products.
People inherently choose convenience.
Sort your assets by value and apply security that fits the risk on a case-by-case basis.

Me March 19, 2021 12:33 PM

My question is: how do Sakari and others like it get access to the number routing system?

I presume the answer is the phone companies give it to them when they ask (pay) for it. It should be legally easy (that is easy to craft a law), to prevent such a transfer without first sending a text to the number and requiring an affirmative reply. A similar provision should be in place for out-going call number spoofing. That is, in both cases, you should require that someone telling you this is their phone number, should independently verify the claim before presenting that number as belonging to those making the claim.

quincy March 19, 2021 2:38 PM

Thus a real “No No” for 2FA and the like, or as a ticket passing system for access/authentication etc in banking etc.

How is it that the banks give everyone smartcards, and then use SMS or dumb security questions for 2FA instead of just a $5 smartcard reader? (Sure, they’d have to deal with lost/stolen cards, but they’ve already got to deal with lost phones and forgetten answers.)

JonKnowsNothing March 19, 2021 2:51 PM

@Me @All

re: how do they get access to the number routing system? do the phone companies give it to them when they ask?

I don’t know the method these folks are using but a lot of information is provided by Governments as part of their standards and compliance system documentation and requirements specs.

All you have to do is find the documents or the listings. These are in the Public Domain. The reports often have names in the same style as Academic Reports – long, uselessly wordy and uninformative titles.

However once you find what you need, Bob’s Your Uncle.

re: Spoofing and Blagging

For every mole you wack, you also wack a legitimate case for access.

RL anecdote: tl;dr

During a massive hurricane and mandatory evacuation, I attempted to have the utility bill of an evacuee re-routed to their new temporary location. Given that the person no longer had access to their local phone, their paperwork, their bank information was in another state and of course, forgot passwords-codes setup because they never needed them prior.

The response was just what you would expect.

Even after pointing out that the bills were going to an address under evacuation, didn’t budge the response.

It didn’t really matter if the company shut off the utilities; the City had gone around to all the Poorer Neighborhoods and yanked the meters off the wall.

Only the wealthier could afford the $30,000 USD demanded for reconnect permits and to perform the required upgrades for all the electrical inside and outside the house to the current building code.

Anyone who didn’t have $30,000 USD in their pockets had their homes Red Tagged for Demolition.

The city noted Red Tagging was a good way to remove the older housing and their older owners along with older neighborhoods.

A Nonny Bunny March 19, 2021 3:57 PM

If you’re targeting the accounts of a specific person, then $16 dollar is probably worth it. But assuming there is a limit to how many phone-numbers you can add on an account, I very much doubt it would be worth it in bulk. So in general, SMS would still be better than not having a second factor at all. Because any barrier is better than none.

Arclight March 19, 2021 7:38 PM

Cheap, secure tokens with bidirectional authentication exist now. You can pick up a Yubikey or other U2F token for a few dollars and they can be used and enrolled securely on many different sites.

I think one of the reasons they aren’t more widely supported is that they break “partner integrations” like the ability to enter your Wella Fargo password to sign up for online payments.

TypicalAmericanServiceProviders March 19, 2021 9:16 PM

Just a note before anyone wants to test the plausibility of this, that the “Sakari” service may have updated their processes and beetexting.com is not a particularly good choice either (they are linked to in that “wide ecosystem of these companies exist” link).

Firstly in that they also call you to verify that you own the number. Secondly they have made it difficult to actually close your “start free” account (with automatic monthly payments enabled by default).

(Although, if you are using an anonymous prepaid card, it will get closed once the funds run out.)

Dave March 20, 2021 12:16 AM

Almost all services that support 2FA require the use of some sort of phone-based validation before they will allow hardware-based 2FA FOBs to be used. This has prevented me from using 2FA, as I don’t use telephones and don’t have/want any SMS capability. It would only be an alternative way to crack an account.

Sadly, Yubikeys aren’t just a few dollars – they certainly charge a premium and the other u2f models just don’t have visibility in the general market. There was an expectation that u2f keys would be $10 and available at every Quickie-Mart. That hasn’t happened, unfortunately.

Clive Robinson March 20, 2021 1:15 AM

@ Iggy,

bullseye

As I said it “was probably one of my bigger if not biggest mistakes”.

The key mistake I made was not to properly think through / believe the notion of my fourth point “Advances in usability by technological means”.

Whilst I sort of saw the possability of the Internet using mobile phones (I had worked on the problem with the old analogue cell phones of the 80’s). What I had not realy seen was,

1, The development of LCD and touch screens that have made smart devices possible even though I’d been involved with developing both cordless and mobile phones in the early and mid 90’s. The development of low power computing chips (even though I had worked with Acorn that then became ARM in the 80’s) and the battery technology[1] I designed security products around.

2, The real depth of stupidity in the 1990’s with “Online Banking”.

The second point is important, because whilst banks and financial institutions had strong security for customers for something like a century… Computers offered them the opportunity to not just reduce the cost of security, but with legal changes in the 80’s get rid of it altogether for customers by “externalising the risk” onto them. A level of venalness I had not realy realised that later became clear with the likes of “Fred the Shred”[2] and similar.

[1] Yes I had worked with very high energy density lithium batteries, but I knew them as “fragile fire bombs” quite capable of burning through solid wooden doors in hotels. It had never occured to me that people might “Slap them upside their heads”… And as you might remember atleast a couple of mobile phone manufactures have since had phones catching fire due to battery faults, which is not something you want in your trouser pockets…

[2] https://en.m.wikipedia.org/wiki/Fred_Goodwin

Kat R March 20, 2021 2:55 AM

I would like to know how that Okey Monitor site works they they mention and if it’s safe to sign up for. The site itself doesn’t say how it works.

Emily Bowman March 20, 2021 3:31 AM

I’ve been transitioning my accounts to a reasonably strong password (mostly 12-14 random alphanumeric) and 2FA TOTP for over a decade now. I’m still in the middle of transitioning. After all this time, there are still so many sites that want nothing to do with 2FA, and that includes pretty much every financial and government site, and most of them combine it with stupid password requirements as a hat trick. Every single time a site offers me the opportunity to go with TOTP authenticator or with a personal certificate, I jump on that, but I currently have 15 active accounts on Authy out of god knows how many I have across the internet.

It’s NOT THAT HARD. Supporting TOTP is EASY, especially if you already have any form of 2FA set up. There’s absolutely no reason I should need to rely on the world’s least secure network to get my 2FA, but far more sites would rather text you than just verify a linked code that doesn’t need to be transmitted.

TRX March 20, 2021 11:31 AM

So, hitting the web to make sure I understood what “TOTP” meant, the first eight links I tried were tiny, faint gray text on blazing white. The only way I could read anything was “select all” to get inverse video, which was slightly more readable.

Interesting the webmasters all chose the same or such similar templates…

Clive Robinson March 20, 2021 2:56 PM

@ TRX, ALL,

So, hitting the web to make sure I understood what “TOTP” meant…

In the UK for over half a century[1] it has ment,

“Top Of The Pops”

A British Broadcasting Corp (BBC) youth popular music and top ten/twenty by sales singles chart show on “BBC1” the first of it’s Television channels… It is still as far as I know the worlds longest running program of that type.

But in the case of @Emily Bowman it means[2] “Time-based One-Time Password” which is a variation of HOTP.

The strength of TOTP/HOTP rests on an HMAC (SHA-1) used to encipher a secret seed and an incrementing counter, and a shortish (2^31) truncation of the output[3], which gets converted to an upto a 10digit number. SHA-1 has been considered “insecure” for well over a decade thus at some point in the not to distant future TOTP/HOTP using it will be considered past it’s sell by date. In the case of TOTP using “unix time” as the default does not help it’s longevity either.

[1] https://en.wikipedia.org/wiki/Top_of_the_Pops

[2] https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm

[3] Why truncate as 2^31, well it solves the “sign bit problem” of 32bit ints, which caused all sorts of messyness with various ways of handeling time measurment. Which as TOTP uses “unix time” brings up another issue “for another day”…

SpaceLifeForm March 20, 2021 3:43 PM

@ Me, JonKnowsNothing

how do Sakari and others like it get access to the number routing system?

You just become a Telco.

G(create own telco)

james March 20, 2021 4:31 PM

This is a very small case and I don’t see it being as prominent as sim swaps because from my understanding the site fixed it by now making you verify that you are the owner of the cell phone. The rest of the sites in this industry always make you verify that you are the phone number owner.

SpaceLifeForm March 20, 2021 6:17 PM

@ james

The rest of the sites in this industry always make you verify that you are the phone number owner

Read closer. They can flat out lie.

Imagine I am the fake telco,

I route the ‘verifying call’ to my cohort attacker (sitting at next desk).

Are you John Smith witb number XYZ?

Cohort: Yes, that is me.

Ok, we have confirmation this is legit.

Covered their rear legally.

Lorem ipsum March 22, 2021 6:46 AM

One day we’ll have laws that force companies using only processes and technologies not yet identified as insecure….

ss7 March 24, 2021 4:15 PM

This is a root process issue that underscores the layered issues with modern security. Regardless if is TLS or SMS, a system that places blind trust in any organization that says it has authority to intercept a persons traffic or account without affirmative consent of the user/owner is inherently broken. True of TLS/SSL due to CAs and reliance on untrusted DNS, and true in the case of cell phones and SMS where any employee can arbitrarily port an number or re-route messages without even mounting an ss7 attack or breaking the technical protections on the network.

People can lock their credit or domain registration, but not their authorized CA or their telephone number.

Another issue with this is that plenty of organizations have started forcing SMS based 2FA, even if the user didn’t request it, these organizations also frequently do not offer an alternatives like TOPT or FIDO/U2FA, despite the simplicity of adding either as an authentication method.

I find this especially frustrating as we have been pointing these issues out over and over since the beginning. However, SMS was chosen as it forced users to register their cellphone numbers, which has way more value as data to be tracked, used, or sold.

K May 18, 2021 5:53 AM

Practical question: Some people suggest using a VOIP number to sign up for SMS 2FA messages. Their rationale is that (1) VOIP SMS can’t be intercepted from cell towers, and (2) it’s harder to port a VOIP number through social engineering in the way that it has been done with standard telco-provided numbers.

But, can’t VOIP SMS be redirected in the way we’re talking about here? And if so, are any providers (e.g. Google Voice) aware of this and set up to prevent it?

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.