Did you know that, on average, 6 billion SMS messages are sent every day in the U.S. alone? That's 180 billion each month and 2.27 trillion each year. Globally, 4.2 billion people are texting worldwide. No doubt you're one of 'em, which means you fire off approximately 67 texts a day. That's a lot of LOLs.
When you send all those texts, you probably assume that you and your recipients are the only ones privy to the information contained within. That's where you'd be wrong.
The truth is that text messages aren't secure, and that insecurity opens you, your friends, family, and business up to risk. And it isn't even your fault; the default text messaging services many of us use are old and vulnerable to a number of different attack scenarios. While carriers are on a path to update it, it might be too little, too late.
But before you can understand why you should spend more energy on practicing safe texting, it may be helpful to understand how the whole system works in the first place. Here's the breakdown.
If you're sending a text message, you're generally sending an SMS, which stands for Short Message Service. It's the oldest and one of the most widely used text messaging services today. It includes MMS (Multimedia Messaging Service), which enables SMS users to send multimedia content like images, audio, and visual files. Both SMS and MMS are sent using cellular networks and thus require a wireless plan and a wireless carrier.
If you send a traditional text message on your phone, it's considered an SMS. When you send that gif, you've just sent an MMS.
When you send a text message, it first goes to a nearby cellular tower over a pathway called the control channel, and then into an SMS center (SMSC). The SMSC resends that message to the tower closest to the recipient, and then it goes to their phone. SMS also sends data associated with the message, including the length of the message, format, time stamp, and destination.
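The metadata and message body described above travel as plain fields in the SMS transfer PDU (3GPP TS 23.040), so any system that handles the PDU can read them without a key. The following is an added example, not part of the original article: it decodes a sample SMS-DELIVER PDU (the form handed to the recipient, so the address field is the sender rather than the destination); the sample PDU and all function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# GSM 7-bit default alphabet (3GPP TS 23.038); index = septet value.
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)

# Constructed sample SMS-DELIVER PDU (not captured traffic), built field by field.
SAMPLE_PDU = (
    "07" "91" "7283010010F5"   # SMSC: length, type, number (swapped BCD)
    "04"                       # first octet: message type SMS-DELIVER
    "0B" "C8" "7238880900F1"   # sender: digit count, type, number
    "00" "00"                  # protocol id, data coding scheme (format)
    "99309251619580"           # service-centre time stamp
    "0A" "E8329BFD4697D9EC37"  # user data length (septets), packed text
)


def swap_nibbles(octets: bytes) -> str:
    """Semi-octet BCD: each byte carries two digits, low nibble first."""
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in octets)


def unpack_septets(data: bytes, count: int) -> str:
    """Unpack `count` 7-bit characters from the little-endian bit stream."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))


def parse_timestamp(scts: bytes) -> datetime:
    """Decode the 7-octet time stamp: YY MM DD hh mm ss plus time zone."""
    tz = scts[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)  # offset in 15-minute units
    sign = -1 if tz & 0x08 else 1
    offset = timezone(timedelta(minutes=15 * quarters * sign))
    naive = datetime.strptime(swap_nibbles(scts[:6]), "%y%m%d%H%M%S")
    return naive.replace(tzinfo=offset)


def parse_sms_deliver(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]
    smsc = swap_nibbles(raw[2:1 + smsc_len]).rstrip("f")
    pos = 1 + smsc_len
    first = raw[pos]
    if first & 0x03:
        raise ValueError("not an SMS-DELIVER PDU")
    digits = raw[pos + 1]
    end = pos + 3 + (digits + 1) // 2
    sender = swap_nibbles(raw[pos + 3:end])[:digits]
    dcs = raw[end + 1]
    when = parse_timestamp(raw[end + 2:end + 9])
    udl, body = raw[end + 9], raw[end + 10:]
    # Only plain GSM 7-bit text without a user data header is decoded here.
    plain = dcs == 0x00 and not first & 0x40
    return {
        "smsc": smsc, "sender": sender, "format": dcs,
        "timestamp": when.isoformat(), "length": udl,
        "text": unpack_septets(body, udl) if plain else None,
    }


if __name__ == "__main__":
    for field, value in parse_sms_deliver(SAMPLE_PDU).items():
        print(f"{field:10} {value}")
```

Nothing in the decoder needs a secret: the 7-bit packing is an encoding, not encryption.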
Of the 109 text messages I sent yesterday, for example, 15 of them were SMS messages sent to people who have phones on other carriers, 70 were sent through iMessage, and the rest were sent via OTT applications.
WhatsApp, iMessage, Facebook Messenger, WeChat, and other messaging apps are grouped together as OTT applications and are also considered texting services. OTT stands for Over the Top; as a group, these apps are different than SMS services because they use internet protocols (IP) rather than cellular networks to transmit messages. This means these messages are sent through an internet connection (aka WiFi) or via mobile internet connection.
OTT apps work in a way that's different than SMS because they send encrypted messages that only you and the person receiving your message can access. That means the messaging service doesn't know what you're sending, and neither does anyone else who might intercept that web traffic.
For example, WeChat uses Extensible Messaging and Presence Protocol (XMPP) to exchange data between the users. This protocol is decentralized, and as a result, considered secure and flexible. The company also uses SSL/TLS encryption. All of this is intended to ensure that other people aren't seeing your messages.
When considering messaging services, people often have to choose between sending via SMS or sending via an OTT service. If you've traveled extensively outside the U.S., you've probably noticed that people in many other countries prefer WhatsApp to text messaging.
SMS is the most ubiquitous, but least secure messaging medium. OTT apps require you to be using the same platform as the person you're messaging, which can be annoying. Maybe your friends don't want to download another app just for texting, but continuing to use SMS could put you at risk because it doesn't have end-to-end encryption.
As OTT apps cannibalize the SMS market, carriers have become incentivized to improve SMS services in the form of Rich Communication Services (RCS). RCS theoretically combines the best features of OTT apps into one protocol that's universal across carriers and devices. This new protocol will replace SMS and has been a work in progress for more than a decade.
Approved by the GSMA in 2008, RCS was fully adopted in 2016. Since then, the RCS Universal Profile has been pushed out with strong support and back-end services from Google (which acquired Jibe) with the goal of providing consistent interoperable messaging services across all devices and networks. This not only helps create a global standard, but also improves Android capacity, which is notoriously more vulnerable to attacks. As Dan Wood of Bishop Fox noted in an interview, "A lot of SMS phishing is done against Android platforms."
RCS has the ability to:
However, while RCS doesn't have end-to-end encryption, it does have the standard security protocols of Transport Layer Security and IPsec.
RCS doesn't use cellular connection, but instead relies on a data connection and is both hardware- and platform-agnostic. Sprint, US Cellular, and Google Fi have implemented RCS fully across their networks and all devices. Other networks are implementing it against specific devices with broader plans to roll out further through 2020. And, moving forward, all devices should support this feature out of the box.
In short, RCS is an attempt by carriers to ensure the continued use of out-of-the-box messaging services and the connected data plans that accompany such usage. However, it doesn't enhance the overall security of information shared.
With the recent ghost texting controversy, people have started to question just how secure text messages are. The simple answer: not very.
Remember: Text messages are sent in a multi-step process. While your message might be encrypted from your phone to the first cell tower, it's not encrypted after that. And your SMSC may keep the message even if both the sender and recipient delete it. Whenever a message is unencrypted, it can be read by the mobile service, hackers, or governments.
"Because of the lack of encryption, hackers can search for weak points anywhere along the virtual path between the sender and receiver, which includes a ton of different network devices and computing systems at many different providers, only one of which needs to be exploited via technical vulnerability, misconfiguration, social engineering or insider attack," says Christopher Howell, CTO of Wickr.
"Because the messages are stored on these systems longer than necessary," Howell continues, "it increases the window of vulnerability through which the hacker can attack. Rather than having to defend a system for a few seconds to prevent a hacker from stealing a message, it needs to be protected for days, weeks, months. These odds favor the hacker."
It's unlikely that you're using your cell phone to text about military launch codes, top secret government business, or anything else that's of much use to the average hacker. But what about a text exchange about a friend's decision to leave their spouse, your boss's cancer scare, or your little sister's decision to switch jobs? Would you want that information to get disseminated somewhere else? What about information about your children, your pets, or a naked selfie that could help someone track where you are, guess your passwords, or find the tattoo on your left thigh that's also your bank account password?
It's not always about protecting big secrets; it's about ensuring personal privacy for everyone involved.
There are a number of ways that malicious actors (governments, terrorists, etc.) can hack into SMS systems and use them for their own benefit.
Governments are hacking using SMS. Chinese hackers recently did this when they developed malware to steal SMS messages. The malware used a keyword list of terms that were of geopolitical interest for Chinese intelligence collection and then connected those terms with phone numbers that they then tracked. The group responsible for this (APT41) also interacted with call detail records and tracked high-ranking individuals who were of interest to Chinese intelligence.
"There are 0day bugs on the market that can remote access your phone without you having to click on any sort of link or do anything at all," says Ben Lamm, the CEO of Hypergiant. "In fact, this market is growing as are all threats to vulnerable systems. The secret here is that we need to all be more focused on security, on protecting ourselves from vulnerability and on understanding that one insecure individual can compromise the whole group."
Take, for instance, two-factor authentication, which we generally think of as safe. If that second factor authentication is through an SMS service, it could be intercepted, meaning the system you thought was secure might now be compromised. This is important if, say, you use two-factor authentication to protect your bank account, corporate email, or dating profile.
Regular people are hacking and being hacked using SMS, too. "Text message hacks are happening everywhere, from middle schoolers hacking their enemies to steal their pictures to nation state level attacks," says Georgia Weidman, the founder of Shevirah Inc. and a New America Cybersecurity Policy Fellow.
Given the propensity for and variety of attacks, it makes sense to consider alternative services that offer end-to-end encryption. Popular secure apps include:
"An attacker might send a text message enticing a user to log into their bank or download a malicious application. Many users are getting security awareness training to be wary of phishing via email, but that education is often lacking around mobile based attack vectors such as text message or WhatsApp," Weidman says. "Additionally, the text messaging programs on our phones are just software like any other and thus prone to security vulnerabilities. There have been instances in the past where an attacker could send a malformed text message to a device and gain control of the device."
The truth is we all need to use an extra dose of common sense.
"Use the same caution when responding to SMS text messages as you would a suspicious email," says Kristin Kozinski of Don't Click on That. "When evaluating a message consider the source of the message. If you don't recognize the number, confirm the context of the message elsewhere. For example, if your bank texts you, call the customer support number to verify the message you received. Be cautious of any link in the text message. This is a prime outlet for distributing malicious URLs. Finally, if the text sounds too good to be true, it probably is."
Read this article:
How SMS Works and Why You Shouldn't Use It Anymore - Popular Mechanics