Texting has been around since the 1990s, and it has served us well. Users have sent countless messages, and these exchanges have facilitated such developments as SMS-based two-factor authentication (2FA) and Kenya’s SMS-based M-Pesa mobile payment system. But the world has since discovered countless other ways to message — methods that enable far more compelling media and exchanges.

Enter Rich Communication Services (RCS), a carrier-implemented mobile communication alternative not only to SMS text messaging but also to proprietary messaging services like Facebook Messenger, WhatsApp or Apple’s iMessage.

RCS is a SIP- and HTTP-based way for messages, phone calls, video calls and file transfers to support features such as read receipts and typing notifications. Like proprietary messaging apps, RCS naturally offers rich features, but, like SMS, it depends on the carrier's phone network. Once the phone number is registered through the phone network, RCS communication can happen over the internet.

The road to RCS has been, and continues to be, long and difficult. It took years for carriers to adopt RCS. Some smartphone makers and many users prefer third-party messaging apps, and Apple’s iMessage doesn’t even support RCS. But after many years of preparation and work — and despite all remaining obstacles — Rich Communication Services is finally here, available on all four major U.S. carriers. It’s also on more than 100 networks in nearly 70 countries.

Unfortunately, as it is being implemented, RCS is bringing some pretty glaring security vulnerabilities as well.

Potential Security Vulnerabilities With Rich Communication Services

Text messaging is vital to security. Whether it should be or not is immaterial to the fact that people do send sensitive information over SMS, MMS and RCS, including passwords, 2FA codes and more. These communications must be secure, and that’s why it’s vital for security and IT professionals to understand the security risks RCS poses.

Late last year, German security consultancy SRLabs presented their findings on the security vulnerabilities of RCS at several major security conferences in Europe, including PacSec, DeepSec and BlackHat. The vulnerabilities, according to SRLabs’ Karsten Nohl, enable hackers to track or impersonate users, block text-sending through denial-of-service (DoS) attacks and possibly intercept text messages. Nohl pointed out that there’s nothing wrong with RCS structurally — the problem is more in the implementation.

In most cases, according to SRLabs, hacking RCS begins with buying SIM cards from one or more carriers. This allows hackers to find out which RCS-related internet addresses the carriers connect to. Once the attackers possess this information, they can brute-force the carrier’s identity-verification process to gain access to a user’s account, capture usernames and passwords from the user’s phone, deploy a fake mobile cell tower for injecting traffic, launch DoS attacks against arbitrary websites using hacked RCS accounts, take over the accounts of other users, set call forwarding from a legitimate account to a fake one, redirect traffic to malicious spoofed websites and more.

After RCS servers are authenticated, they use phone numbers and IP addresses as identifiers, which means any attacker on the same Wi-Fi network who knows the victim’s phone number could impersonate that user.

RCS can also enable a man-in-the-middle (MitM) attack, according to SRLabs. If a threat actor can change the Domain Name System (DNS) request that the phone uses to find the RCS server, they can take advantage of how the Android RCS app works. The app checks for a valid TLS certificate and will accept any valid certificate, including one controlled by an attacker.

These attacks must be thwarted in the long term, mostly by the carriers themselves.

What Can Carriers Do to Improve Future Mobile Security?

The solution, according to Nohl, is for carriers to implement various security protocols, such as:

  • Authentication using the phone’s SIM card or its secure chip
  • Rate-limiting
  • Using one-time PIN codes
  • Validating SIP sessions
  • Removing sensitive information from SIP requests
  • Validating linked internet addresses with certificates
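The last item addresses the MitM scenario described earlier: after a tampered DNS answer, a client that accepts any certificate chaining to a trusted root will trust the attacker's server. The Go program below is an added example, not code from the article or from SRLabs; the host names, certificates and trust store are constructed in memory, and the weak check is modelled by passing an empty expected host so that only the chain, not the server's identity, is verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hosts: the carrier's RCS server, and the attacker's server that a
// tampered DNS answer points the phone at instead.
const ExpectedRCSHost, AttackerHost = "rcs.carrier.example", "rcs.attacker.example"

// selfSignedCert issues a constructed self-signed certificate for host; trusting
// both certs as roots models "any valid certificate from a public CA".
func selfSignedCert(host string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// verifyRCSServer decides whether the phone should trust c as its RCS server.
// expectedHost == "" reproduces the flaw described above: the chain to a trusted
// root is checked, but a certificate issued for any host passes. Supplying the
// host learned at provisioning rejects the DNS-redirected server's certificate.
func verifyRCSServer(c *x509.Certificate, roots *x509.CertPool, expectedHost string) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedHost})
	return err == nil
}

func main() {
	carrier, attacker := selfSignedCert(ExpectedRCSHost), selfSignedCert(AttackerHost)
	roots := x509.NewCertPool() // constructed trust store containing both issuers
	roots.AddCert(carrier)
	roots.AddCert(attacker)
	fmt.Println("any valid cert:", verifyRCSServer(attacker, roots, ""))              // true
	fmt.Println("expected host:", verifyRCSServer(attacker, roots, ExpectedRCSHost)) // false
}
```

Pinning the provisioned server's public key on top of the host check would additionally defeat a certificate mis-issued for the carrier's name, which a host check alone cannot catch.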

The most likely future for RCS is that, over time, carriers will fix and improve its implementation so it can be used by billions of people as the default texting system. Between now and then, however, it’s important that all security leaders, executives and decision-makers understand the scale of the problem and the speed at which the risk is growing.

What the Security Community Can Do Today

It’s important to recognize that Rich Communication Services is another way for cybercriminals to find their way inside your organization through mobile phones and mobile phone systems. As such, traditional best practices around mobile security apply here. Accordingly, security professionals should do the following:

Although we’ve been hearing chatter about RCS for years (and Google has been promoting it for a few years), the company only made RCS chat Android’s main texting platform in November. That means any Android user in your organization using Google’s Android Messages app is now using RCS, whether they know it or not.

In other words, the number of employees in your organization using RCS has almost certainly increased over the past four months. This massive shift will undoubtedly be accompanied by a newfound interest among cybercriminals looking to exploit flaws. It’s time to take action to protect against potential security vulnerabilities in RCS.
