Short Message Service (SMS), also known simply as text messaging, has been with us since the birth of mobile phones (the first-ever text message was sent over the Vodafone network(new window) in 1992).
SMS is supported by almost every mobile network provider in the world, with over two trillion(new window) SMS messages being sent during 2020 in the United States alone. Indeed, the United States remains a bastion of SMS use(new window), bucking the growing trend in other countries to use internet-based alternatives such as WhatsApp and Telegram.
The big advantage of SMS is that it is universal — it’s on everyone’s phones, allowing you to text anyone, regardless of whether they use an iPhone or an Android phone, or whether they use one of many competing third-party messaging apps.
However, unlike encrypted email, SMS was developed before the necessity of ensuring communications are secure and private was even considered. The result is that SMS messages are an open book, easily read by your mobile service provider, your government, and criminal hackers.
This is made all the scarier by the fact that two-factor authentication (2FA) codes are routinely sent via SMS.
No privacy from your mobile service provider
SMS messages are not encrypted in any way, so your mobile service provider can read every message you send and receive. They can also hand this information over to third parties.
In the United States, for example, the Electronic Communications Privacy Act(new window) allows police to freely access SMS messages that are over 180 days old. To access SMS messages sent more recently than 180 days, a warrant is required.
The problem with SS7
“Hackers can exploit SS7 flaws to track Americans, intercept their calls and texts, and hack their phones to steal financial information, know when they are at home or away, and otherwise prey on unsuspecting consumers. Moreover, according to multiple news reports, SS7 spying products are widely available to both criminal and foreign governments”.
Senator Ron Wyden(new window) (D-Ore.) in 2018 after receiving a letter from the Department of Homeland Security(new window) warning that “nefarious actors may have exploited” global cellular networks “to target the communications of American citizens.”
Signaling System No. 7(new window) (SS7) is a set of telephony signaling protocols that underpin mobile phone networks around the world. It allows phone networks to communicate with each to connect users and pass messages between networks, ensure correct billing, and allows users to roam on other networks. It’s also used to facilitate SMS messaging.
A sprawling mass of outdated technologies that date back to the 1970s, long before it occurred to anyone to build-in security measures, SS7 has been known to be highly insecure(new window) since at least 2008. But despite a series of very high-profile examples of just how dangerous the situation is, nothing has yet been done to improve the security of SS7.
- In 2014, hackers used SS7 to record a confidential conversation(new window) between the US ambassador to Ukraine, Geoffrey Pyatt, and US Assistant Secretary of State, Victoria Nuland, in which Pyatt was highly critical of the EU.
- In 2016, a security researcher showed how hackers with access to the SS7 network can spoof users’ identities(new window) to access messages belonging to the users of many messaging apps that rely on phone numbers for authentication.
- In 2017, US congressman Ted Lieu called for an oversight committee investigation into SS7 on grounds that it was a national security risk. The FCC did hold an investigation(new window), but the working group tasked with the job comprised mainly of telecoms industry lobbyists and not a single academic expert.
- Also in 2017, it was reported that hackers were using SS7 to intercept 2FA codes(new window) sent by SMS to secure bank accounts, resulting in real-world bank accounts being drained.
- In 2020, Saudi Arabia was accused of exploiting the SS7 network to operate a systematic spying campaign(new window) in the United States.
And these cases(new window) are just(new window) the tip(new window) of the iceberg(new window). One of the more credible explanations(new window) for why this state of affairs is allowed to continue is that governments and law enforcement agencies around the world find the vast trove of personal information available through the SS7 network too valuable to want real change.
Obviously, the problems with SS7 go much deeper than just allowing governments, hackers, and who knows who else?, to have unrestricted access to everyone on the planet’s SMS messages. But it is a problem.
Beware SIM swapping attacks
Mobile network providers can seamlessly transfer phone numbers from one SIM card to another. This allows them to assist customers whose phones have been stolen and allows customers to switch network providers.
A SIM swapping attack allows hackers to exploit this process so that a victim’s phone number is fraudulently transferred to their own SIM card. This is usually achieved either by using social engineering to trick the mobile operator into believing the hacker is the genuine customer, or by corrupt mobile network employees.
The biggest danger from SIM swapping is that it allows criminal hackers to intercept 2FA codes texted to your phone number.
This has become an increasingly worrying problem, recently leading the United States FBI to issue a public service announcement(new window) warning that SIM swapping attacks have increased 15-fold in the last two years, resulting in adjusted losses in the US of more than $68 million in 2021.
It’s also worth noting that, because SMS messages are not encrypted in any way, any malware installed on your phone will have full access to them.
Are iMessage and RCS better solutions?
iMessage is Apple’s attempt to replace SMS with a secure, modern, internet-based alternative. It uses end-to-end encryption, but only when messages are sent to other Apple users. It should be noted that there is no technical reason iMessage cannot also be released on Android — the fact that it isn’t is a purely marketing decision by Apple.
Given that Android has a mobile operating systems market share of over 70%(new window) worldwide, this is a serious problem, resulting in iMessage being largely ignored throughout most of the world in favor of platform-agnostic alternatives.
In the United States, where iPhones account for over 50% of the market(new window), iMessage remains more relevant, but it still means that texts to almost half the population are no more secure than those sent via regular SMS.
Importantly for a service that hopes to replace SMS, 2FA codes are invariably sent over regular SMS and so are not protected by iMessage’s encryption. In addition to this, by default, iMessages are backed up to iCloud without end-to-end encryption(new window), meaning that by default, Apple can access your texts regardless of whether they are sent using E2EE.
All that said, if your contacts all have iPhones and if you disable iCloud backups, then iMessage is undoubtedly an improvement over SMS.
Rich Communication Services(new window) (RCS) is an open communication protocol that offers most of the advantages of iMessage — including multimedia support, persistent groups, large multimedia sharing, and more.
It’s not a Google protocol, but Google now implements RCS in the Android Messages app. Although not end-to-end encrypted by default, Google has developed an extension that provides E2EE when using RCS.
Google has called on Apple to incorporate the standard into iMessage(new window) so that everyone can benefit from a more secure messaging platform, but Apple has refused to consider such a move(new window).
This leaves RCS in a similar position to iMessage, where its potential to improve the SMS situation is hamstrung by its lack of cross-platform compatibility.
Secure SMS alternatives
Throughout most of the world, internet-based third-party messaging apps, such as WhatsApp, Signal, Telegram, and even Facebook Messenger, are increasingly replacing SMS.
These apps have the advantage of allowing you to text contacts on different platforms, they are all much more secure than SMS, and many use strong end-to-end encryption.
Although popular, WhatsApp is not a great choice when it comes to privacy because, although it uses E2EE, it allows Facebook to collect and abuse your metadata(new window) — who you are talking to, from where, at what time, how often, and from which device.
It’s not the fault of these apps, but they also do nothing to protect you when companies send your 2FA codes over regular SMS. Your best defense against this is to use a 2FA authenticator app such as Authy(new window), Google Authenticator(new window), or open-source andOTP(new window) or FreeOTP(new window) instead of SMS-based 2FA where possible. Unfortunately, this option is often not available.
SMS is fundamentally broken and should be avoided where possible. iMessage is good if all your contacts also use it, but for most people, a secure third-party messaging app that respects your privacy is almost certainly the best option.
Alternatively, you can signup for a free E2EE Proton Mail account, used by millions of people around the world to protect their private conversations.