$16 attack shows how easy carriers make it to intercept text messages
In a new article titled “A Hacker Got All My Texts for $16,” Vice reporter Joseph Cox detailed how the white-hat hacker—an employee at a security vendor—was able to redirect all of his text messages and then break into online accounts that rely on texts for authentication.
This wasn’t a SIM swap scam, in which “hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card,” Cox wrote. “Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him.”
This method tricked T-Mobile into redirecting Cox’s text messages in a way that might not have been readily apparent to an unsuspecting user. “Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal,” Cox wrote. “Except I never received the messages intended for me, but he did.”
The unnamed hacker is director of information at Okey Systems, a security vendor. “I used a prepaid card to buy [Sakari’s] $16-per-month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info,” the Okey employee told Cox. The “LOA” is “a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers,” Cox wrote.
“A few minutes after they entered my T-Mobile number into Sakari, [the hacker] started receiving text messages that were meant for me,” Cox wrote. “I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts.”
After gaining access to Cox’s messages, “the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts,” the article said.
“As for how Sakari has this capability to transfer phone numbers, [researcher Karsten] Nohl from Security Research Labs said, ‘there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs,'” Cox wrote.
While Cox is a T-Mobile user, the hacker told him that the “carrier doesn’t matter… It’s basically the wild west.”
CTIA: Carriers now take “precautionary measures”
Okey offers a tool for monitoring malicious changes to a user’s mobile service. “Sign up for our free beta and we’ll monitor out-of-band communications such as your routes and carrier settings. If a malicious event takes place, we’ll alert you through alternative forms of trusted communication,” the company says.
The carriers themselves may be able to stop this type of attack in the future. T-Mobile, Verizon, and AT&T referred Cox to CTIA, the trade association that represents the top mobile carriers. CTIA told Cox:
After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter.
That statement does not say exactly what precautionary measures the carriers have taken to prevent the attack. We contacted T-Mobile and CTIA today and will update this article if we get any more information.
Sakari has also apparently upgraded security. Sakari co-founder Adam Horsman told Cox that Sakari has, since being made aware of the attack, “updated our hosted messaging process to catch this in the future” and “added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number.”
We contacted Sakari today about its security and integration with T-Mobile and will update this article if we get a response. While Sakari was involved in this case, other third-party companies may also have integrations with carriers that open the carriers’ customers to attacks. The carriers themselves need to be more careful about giving third-party vendors the ability to redirect text messages.
Update at 2:48 pm EDT: Sakari responded to Ars with a statement saying, “We’ve now closed this industry loophole at Sakari and other SMS providers and carriers should do the same. When you port a mobile phone number in the US, like a customer switching carriers for voice calls, the carrier you are leaving authorizes your number’s departure. There is no such industry standard for transferring ownership of messaging on mobile numbers. Sakari already goes above and beyond industry standards on verification for new clients and followed our carrier’s guidelines to the letter, but in light of this development we’ve now added a phone verification call to all new text-enabled numbers so no one can use Sakari to exploit this industry loophole again. SMS is a hugely powerful communication medium, and as it continues to dominate the communication landscape, we would welcome improvements needed from the industry—both carriers and resellers.”
Cox’s story is not the first reminder about the insecurity of text messages. SIM-swapping attacks and flaws in the SS7 telephone protocols already made it risky to use text messages for authentication, but many websites and other online services still rely on texts to verify users’ identities. Customers can set up account PINs with T-Mobile and other carriers to prevent unauthorized access to their cellular accounts, but it isn’t clear whether doing so would have prevented the type of attack that redirected Cox’s text messages.