Texting has been around since the 1990s, and it has served us well. Users have sent countless messages, and these exchanges have facilitated such developments as SMS-based two-factor authentication (2FA) and Kenya’s SMS-based M-Pesa mobile payment system. But the world has since discovered countless other ways to message — methods that enable far more compelling media and exchanges.
Enter Rich Communication Services (RCS), a carrier-implemented mobile communication alternative not only to SMS text messaging but also to proprietary messaging services like Facebook Messenger, WhatsApp or Apple’s iMessage.
RCS is a SIP- and HTTP-based protocol for messaging, voice and video calls and file transfers that adds features such as read receipts and typing indicators. Like the proprietary messaging apps it offers rich features, but like SMS it depends on the carrier's network: the phone number is first registered through the mobile network, and only then does RCS traffic flow over the internet.
The road to RCS has been, and continues to be, long and difficult. It took years for carriers to adopt RCS. Some smartphone makers and many users prefer third-party messaging apps, and Apple’s iMessage doesn’t even support RCS. But after many years of preparation and work — and despite all remaining obstacles — Rich Communication Services is finally here, available on all four major U.S. carriers. It’s also on more than 100 networks in nearly 70 countries.
Unfortunately, as it is being implemented, RCS is bringing some pretty glaring security vulnerabilities as well.
Potential Security Vulnerabilities With Rich Communication Services
Text messaging is vital to security. Whether it should be or not is immaterial to the fact that people do send sensitive information over SMS, MMS and RCS, including passwords, 2FA codes and more. These communications must be secure, and that's why it's vital for security and IT professionals to understand the security risks RCS poses.
Late last year, German security consultancy SRLabs presented its findings on the security vulnerabilities of RCS at several major security conferences in Europe, including PacSec, DeepSec and Black Hat. The vulnerabilities, according to SRLabs' Karsten Nohl, enable attackers to track or impersonate users, block text delivery through denial-of-service (DoS) attacks and possibly intercept text messages. Nohl pointed out that the problem lies less in RCS itself than in how carriers have implemented it.
In most cases, according to SRLabs, an attack on RCS begins with buying SIM cards from one or more carriers, which lets the attacker discover the RCS-related internet addresses each carrier directs its phones to. Once the attackers possess this information, SRLabs found, they could:
- brute-force the carrier's identity-verification process to gain access to a user's account;
- capture the usernames and passwords issued to the user's phone;
- deploy a fake mobile cell tower to inject traffic;
- launch DoS attacks against arbitrary websites using hijacked RCS accounts;
- take over the accounts of other users;
- set call forwarding from a legitimate account to one they control;
- redirect traffic to malicious spoofed websites, and more.
Once a client has authenticated, some RCS servers identify it by nothing more than its phone number and source IP address. An attacker on the same Wi-Fi network (and therefore behind the same public IP address) who knows the victim's phone number can then send traffic as that user.
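The weakness above, as an added example that is not part of the original article or of any carrier's code: two toy message servers, one that trusts a (phone number, source IP) pair after login, the way the text describes, and one that binds the session to a random per-session token that only the authenticating device receives. The server API, the phone numbers and the shared NAT address are all constructed for the example.

```python
"""Why identifying an RCS client by phone number and source IP is unsafe.

IpKeyedServer reproduces the behaviour described in the text; TokenKeyedServer
is the hardened counterpart. Both are hypothetical; no real carrier protocol
is implemented here.
"""
import hmac
import secrets


class IpKeyedServer:
    """Vulnerable: after authentication, identity = (phone number, IP)."""

    def __init__(self):
        self.sessions = set()   # {(phone, ip)}
        self.delivered = []     # (sender as the server believes it, recipient, text)

    def authenticate(self, phone, ip, password, directory):
        if not hmac.compare_digest(directory.get(phone, "").encode(), password.encode()):
            return False
        self.sessions.add((phone, ip))
        return True

    def send(self, phone, ip, recipient, text):
        # No secret is checked here: anyone who can send from `ip` and knows
        # `phone` is treated as that subscriber.
        if (phone, ip) not in self.sessions:
            return False
        self.delivered.append((phone, recipient, text))
        return True


class TokenKeyedServer:
    """Hardened: identity = a per-session secret handed out at login."""

    def __init__(self):
        self.sessions = {}      # token -> phone
        self.delivered = []

    def authenticate(self, phone, password, directory):
        if not hmac.compare_digest(directory.get(phone, "").encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = phone
        return token

    def send(self, token, recipient, text):
        phone = self.sessions.get(token)
        if phone is None:
            return False
        # The sender identity comes from the session, never from the request.
        self.delivered.append((phone, recipient, text))
        return True


def run_scenario():
    """Victim and attacker share one public IP (same Wi-Fi, one NAT)."""
    directory = {"+15551230001": "victim-pw"}   # constructed credentials
    shared_ip = "203.0.113.7"                    # constructed NAT address

    # Vulnerable server: the victim logs in, then the attacker, who only knows
    # the victim's number and sits behind the same NAT, sends as the victim.
    weak = IpKeyedServer()
    weak.authenticate("+15551230001", shared_ip, "victim-pw", directory)
    spoof_accepted = weak.send("+15551230001", shared_ip, "+15551230002",
                               "send the code to me")

    # Hardened server: the attacker holds no token, so the same request fails.
    strong = TokenKeyedServer()
    victim_token = strong.authenticate("+15551230001", "victim-pw", directory)
    legit_accepted = strong.send(victim_token, "+15551230002", "hello")
    attacker_guess = secrets.token_urlsafe(32)   # the real token never left the victim's phone
    spoof_blocked = strong.send(attacker_guess, "+15551230002", "send the code to me")

    return {"ip_keyed_spoof_accepted": spoof_accepted,
            "token_keyed_legit_accepted": legit_accepted,
            "token_keyed_spoof_accepted": spoof_blocked}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the token variant is that the sender identity is derived from server-side session state rather than from anything the request carries, so sharing an IP address with the victim gains the attacker nothing.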
RCS can also enable a man-in-the-middle (MitM) attack, according to SRLabs. If a threat actor can tamper with the Domain Name System (DNS) answer the phone uses to find its RCS server, they can take advantage of how the Android RCS app works: the app checks that the server presents a valid TLS certificate, but it accepts any valid certificate, including one issued for a domain the attacker controls, rather than requiring one issued for the carrier's RCS server name. The attacker can therefore terminate TLS and sit between the phone and the carrier.
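The DNS-redirect MitM above, as an added example that is not part of the original article or of Google's or any carrier's code: a simulated client that resolves its server name, connects to the answer, and validates the presented certificate either by chain only (the behaviour the text describes) or by chain plus an RFC 6125 hostname match. Certificates are plain dicts and the DNS names and IP addresses are documentation examples constructed for this illustration; no real X.509 parsing is performed.

```python
"""Chain validation alone does not stop a DNS-redirect MitM.

chain_only_accepts models the weak check described in the text;
hostname_accepts adds the name match a correct client performs.
"""


def name_matches(pattern, hostname):
    """True if `hostname` matches a presented DNS name (exact or *.example).

    Wildcard rules follow RFC 6125: "*" must be the entire leftmost label,
    matches exactly one label, and at least two fixed labels must follow it.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def chain_only_accepts(cert, expected_host):
    """Vulnerable check: only asks whether the certificate chains to a trusted CA."""
    return cert["chains_to_trusted_ca"]


def hostname_accepts(cert, expected_host):
    """Correct check: valid chain AND the expected host appears in the SAN list."""
    return cert["chains_to_trusted_ca"] and any(
        name_matches(n, expected_host) for n in cert["san_dns_names"])


# Constructed certificates. The attacker's one chains to a public CA because
# it was issued, legitimately, for a domain the attacker owns.
CARRIER_CERT = {"san_dns_names": ["rcs.carrier.example", "*.ims.carrier.example"],
                "chains_to_trusted_ca": True}
ATTACKER_CERT = {"san_dns_names": ["mitm.attacker.example"],
                 "chains_to_trusted_ca": True}

# Constructed DNS views and the certificate each endpoint presents.
HONEST_DNS = {"rcs.carrier.example": "198.51.100.10"}
POISONED_DNS = {"rcs.carrier.example": "192.0.2.66"}   # attacker-controlled answer
CERT_AT_IP = {"198.51.100.10": CARRIER_CERT, "192.0.2.66": ATTACKER_CERT}


def connect(resolve, presented_certs, check, server_name="rcs.carrier.example"):
    """Resolve the server name, 'connect' to that IP, validate the cert.

    Returns (ip, accepted).
    """
    ip = resolve(server_name)
    return ip, check(presented_certs[ip], server_name)


def demo():
    """Run both checks against honest and poisoned DNS; keyed by (dns, check)."""
    out = {}
    for dns_label, dns in (("honest", HONEST_DNS), ("poisoned", POISONED_DNS)):
        for check in (chain_only_accepts, hostname_accepts):
            _ip, ok = connect(dns.get, CERT_AT_IP, check)
            out[(dns_label, check.__name__)] = ok
    return out


if __name__ == "__main__":
    for key, accepted in demo().items():
        print(key, "accepted" if accepted else "rejected")
```

Only the (poisoned, chain_only_accepts) case accepts the attacker's endpoint. In Python's own `ssl` module the equivalent of the weak check is a context with `verify_mode = CERT_REQUIRED` but `check_hostname = False`; `ssl.create_default_context()` enables both checks, which is the setting a client should keep.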
These attacks must be thwarted in the long term, mostly by the carriers themselves.
What Can Carriers Do to Improve Future Mobile Security?
The solution, according to Nohl, is for carriers to apply several standard security controls, such as:
- Authentication using the phone’s SIM card or its secure chip
- Rate-limiting
- Using one-time PIN codes
- Validating SIP sessions
- Removing sensitive information from SIP requests
- Validating linked internet addresses with certificates
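The rate-limiting and one-time PIN items in the list above, as an added example that is not part of the original article or of any carrier's implementation: a toy verifier for a six-digit code that expires the code, caps wrong guesses, compares in constant time and burns the code on first success, together with a simulated attacker that guesses sequentially. The class, the phone number and the limits are all hypothetical choices made for the illustration.

```python
"""One-time PIN verification with rate limiting and single use.

The identity check the text describes can be brute-forced when a server
accepts unlimited guesses at a short numeric code. OtpVerifier shows the
minimal controls that close that gap; brute_force plays the attacker.
"""
import hmac
import secrets
import time

CODE_DIGITS = 6       # hypothetical code length
MAX_ATTEMPTS = 5      # hypothetical cap on wrong guesses per code
TTL_SECONDS = 120     # hypothetical code lifetime


class OtpVerifier:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self._pending = {}   # phone -> {"code", "expires", "attempts"}

    def issue(self, phone):
        """Generate a fresh code (in practice, sent to the device over SMS)."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[phone] = {"code": code,
                                "expires": self.clock() + TTL_SECONDS,
                                "attempts": 0}
        return code

    def verify(self, phone, guess):
        """Return "ok", "wrong", "locked" or "expired"; a code is single-use."""
        entry = self._pending.get(phone)
        if entry is None or self.clock() > entry["expires"]:
            self._pending.pop(phone, None)
            return "expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return "locked"           # further guesses are refused, right or wrong
        entry["attempts"] += 1
        # Constant-time comparison so timing does not leak a matching prefix.
        if hmac.compare_digest(entry["code"].encode(), str(guess).encode()):
            del self._pending[phone]  # burn the code on success
            return "ok"
        return "wrong"


def brute_force(verifier, phone, start=0):
    """Guess codes in order until accepted or locked; returns (result, guesses)."""
    guesses = 0
    for n in range(start, 10 ** CODE_DIGITS):
        guesses += 1
        result = verifier.verify(phone, f"{n:0{CODE_DIGITS}d}")
        if result != "wrong":
            return result, guesses
    return "exhausted", guesses


def guess_probability(attempts=MAX_ATTEMPTS, digits=CODE_DIGITS):
    """Chance that a capped brute force hits a uniformly random code."""
    return attempts / 10 ** digits


def demo():
    now = [0.0]                                   # controllable clock
    v = OtpVerifier(clock=lambda: now[0])
    phone = "+15551230001"                        # constructed number
    code = v.issue(phone)
    # Start the attacker away from the real code so the run is deterministic:
    # the cap stops them after MAX_ATTEMPTS guesses, far short of 10**6.
    start = (int(code) + 10) % 10 ** CODE_DIGITS
    attack = brute_force(v, phone, start)
    after_lock = v.verify(phone, code)            # even the right code is refused
    code = v.issue(phone)                         # a new code resets the counter
    first = v.verify(phone, code)
    replay = v.verify(phone, code)                # single use
    code = v.issue(phone)
    now[0] += TTL_SECONDS + 1
    stale = v.verify(phone, code)
    return {"attack": attack, "after_lock": after_lock, "first": first,
            "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo(), guess_probability())
```

With the cap in place an attacker's chance per code is `MAX_ATTEMPTS / 10**CODE_DIGITS`, five in a million here; without it the expected cost of a sequential search is half a million requests, which is cheap to automate against a server that never says no.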
The most likely future for RCS is that, over time, carriers will fix and improve its implementation so it can be used by billions of people as the default texting system. Between now and then, however, it’s important that all security leaders, executives and decision-makers understand the scale of the problem and the speed at which the risk is growing.
What the Security Community Can Do Today
It’s important to recognize that Rich Communication Services is another way for cybercriminals to find their way inside your organization through mobile phones and mobile phone systems. As such, traditional best practices around mobile security apply here. Accordingly, security professionals should do the following:
Although we've been hearing chatter about RCS for years (and Google has been promoting it for a few years), the company only made RCS chat the main texting platform for Android in November. That means any Android user in your organization who uses Google's Android Messages app is now using RCS, whether they know it or not.
In other words, the number of employees in your organization using RCS has almost certainly increased over the past four months. This massive shift will undoubtedly be accompanied by newfound interest from cybercriminals looking to exploit flaws. It's time to take action to protect against the potential security vulnerabilities in RCS.