Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16

from the don't-try-too-hard dept

It’s not clear why journalists keep having to do the wireless industry’s job, yet here we are.

Sometime around mid-March, Motherboard reporter Joseph Cox wrote a story explaining how he managed to pay a hacker $16 to gain access to most of his online accounts. How? The hacker exploited a flaw in the way text messages are routed around the internet, paying a third party (with pretty clearly flimsy standards for determining trust) to reroute all of his text messages, including SMS two-factor authentication codes. From there, it was relatively trivial to break into several of the journalist’s accounts, including Bumble, WhatsApp, and Postmates.

It’s a flaw the industry has apparently known about for some time, but it only decided to take action after the story made the rounds. This week, all major wireless carriers indicated they’d be making significant changes to the way text messages are routed in order to close the flaw:

“The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers,” reads the March 25 announcement from Aerialink. The announcement adds that the change is “industry-wide” and “affects all SMS providers in the mobile ecosystem.”

“Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway,” the announcement adds, referring to Bring Your Own Number.

It’s a welcome move, but it’s also part of a trend where journalists making a pittance somehow routinely have to prompt an industry that makes billions of dollars a year to properly secure its networks. It’s not much different from the steady parade of SIM swapping attacks that plagued the industry for years, which only resulted in substantive action by the sector after reporters began documenting how common they were (and big-name cryptocurrency investors had millions of dollars stolen). That was another example of how two-factor authentication over text messages isn’t genuinely secure.

The same goes for the SS7 flaw, which the industry has known about for years but didn’t take seriously until journalists began documenting how it lets all manner of malicious private and government actors spy on wireless users without their knowledge. US consumers pay some of the highest prices in the developed world for mobile data. At that price point, it doesn’t matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.


Comments on “Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16”

7 Comments
TKnarr (profile) says:

What I don’t get is why Aerialink ever had the ability to redirect SMS/MMS traffic through their gateway in the first place? There’s no way for consumers to request that sort of redirect, so it couldn’t have been at the number owner’s request. The carriers are already the SMS/MMS gateway for their own networks, so they wouldn’t need to request such a redirect. The only time I can see them needing that is if they were subcontracting operation of their own gateway out, and it doesn’t sound like that was the case here. So why would there even need to be the ability for a third party to request control of SMS/MMS routing? It sounds to me like this is something that should never have even been implemented.

Anonymous Coward says:

incompetence

it doesn’t matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.

Time to start handing out fines when a security flaw is discovered and nothing is done about it! It shouldn’t take journalists to do their job!

That Anonymous Coward (profile) says:

"Telecom giants should be getting out ahead of security flaws before they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence."

The cost of ignoring it – $0
The fines for ignoring it – $0
The penalties of consumers leaving – $0 (something something captive market)

The cost of fixing it – $1.35
Shareholder value must be increased by $0.75 (the rest was a CEO bonus for getting them an extra $0.75)

If the system is still working, why spend anything more than we have to on it?
Baling wire & bubblegum fixes are enough to keep it going until they aren’t… then we can just get our political appointees to funnel us money to underwrite fixing the shit we’ve ignored for decades and don’t want to pay for.
