From Unsecure to Less Unsecure
Text messages, as many people know are not very secure. If you are asking where we are meeting for lunch, you probably don’t care. But many banks use text messages (technically known as SMS or Short Message Service) as a second factor to enhance login security. While it does help some, it would be a lot better if SMS messages were secure.
Add to that the limited character length allowed in SMS (only a bit longer than the original Twitter at 162 characters, but that is sometimes masked by phone makers text messaging applications), the fact that photos sent by SMS have to be compressed down to be barely identifiable and the fact that it can be hijacked, we have been needing a replacement.
Enter RCS or Rich Communications Services. RCS eliminates a lot of these shortcomings. Supposedly the big four (soon to be three) US carriers say it is coming in 2020, even though the standard has been around for 10 years.
But the way the carriers are implementing it is not very secure as researchers are starting to point out.
While you can pick a different text messaging app like iMessage, Whatsapp or Signal, for example, for talking to your friends and have enhanced privacy with them, you don’t have any control over which text messaging service your bank uses, leaving you more vulnerable than alternative solutions such as Google Authenticator or Authy, generically known as Time based One Time Passwords or TOTP.
So what are the carriers doing wrong?
SRSLabs researchers are going to talk about the holes that they have found at Black Hat Europe in December. Hopefully the carriers get embarrassed and fix some of these bugs before the systems go live next year.
The issue SRSLabs seems to have a problem with is the way the standard for RCS is being implemented, rather than the standard itself. This is actually good news because it means that a software patch can improve security and it doesn’t require changes to the standard. Even with these fixes, RCS is **NOT** encrypted end to end like iMessage or Whatsapp.
One issue is security around how RCS configuration files, which contain the userid and password for your text messages are secured. In that case, there is no security, meaning any app can request the configuration and have access to your text messages.
Another one sends a six digit code to identify you are who you say you are but lets you have unlimited guesses. To try all the possible numbers takes about five minutes.
The carriers, of course, are completely defensive, but I suspect after Black Hat makes their sloppiness public, many of the carriers will clean up their acts.
Which is good for users.
Bottom line though, if you want more private text messages, use something like iMessage or Signal – RCS is not going to solve that problem. Even if the carriers fix their implementation bugs in RCS, it will just be less unsecure. Source: Vice