Oh, I love acronyms and how much you can encode with just a few letters. Take the letter ‘S’; it is like magic: it transforms the ancient File Transfer Protocol (FTP) into the secure SFTP. HTTP is untrustworthy plain text, but when you see HTTPS you enter your credit card details with ease. Other examples include SSH, TLS, SRTP, and SSL. Even the NSA puts “Security” in the center of its acronym. So how secure must SMS be, with two capital S’s in its name? … Bummer! One stands for Short, one for Service 🙁
Still, SMS is used a lot nowadays for securing all kinds of online interactions, from banking transactions to first-time WhatsApp registrations. The underlying reason for this is called 2FA. Although there’s no S in the acronym, it is nevertheless a fundamental security principle: Two Factor Authentication. If you want to lock a door securely, you had better put an additional lock on it, but please don’t keep the two keys on the same key ring in your pocket. Instead, use two very different lock types, such as a physical key and a number code. A thief who stole your keychain will have only one “factor” and cannot open the door.
Now let’s apply this 2FA principle to today’s plethora of handy services that are all IP-based. You want to find an independent factor to make access more secure than just a login and password combination. SMS is not an IP service; instead it uses a specialized telecommunications signaling system called SS7 (note the two S’s: very secure, see below for more ;-). That independence qualifies SMS as a second factor to convey the other key. And SMS is simple, convenient, and ubiquitous, removing the need to provide users with a new device, such as an extra smart card reader.
But how secure is SMS in itself? One aspect to consider is the level of certainty with which the message gets delivered. This depends of course on the delivery route chosen, which I cover in “All SMS Messages are Equal…or Not?”. What I want to dig into here is the potential for malicious interventions with SMS.

For example, the thief calls your mobile network provider claiming to be you, says that you have lost your SIM card and that you already have a spare SIM card ready. The helpful support person enables the new SIM card to carry your phone number, and suddenly the malicious caller receives all of your SMS messages on his new SIM. Luckily, this bug in the process has been fixed, and today you need to prove your identity before the carrier makes such a configuration change.

Another potential area of attack is the radio interface. Your phone regularly exchanges information with the antenna of your mobile network provider. This wireless connection also carries the SMS to your cell phone; the communication is encrypted but vulnerable to man-in-the-middle attacks. So with very specialized equipment a thief can listen in and even inject fake radio signals. While technically possible, the effort, the required knowledge, and the specialized software and hardware are very significant, especially compared to the IP world, where a standard PC with an Internet connection and freely downloadable hacking tools are sufficient.

Finally, let’s look at the core network level with its closed SS7 network, which is only accessible to real fixed and mobile telecom operators registered with regulatory bodies like the ITU and national regulators. Could a thief listen in on and manipulate the SS7 signaling network? Yes, cases of so-called SS7 Global Title spoofing have happened, allowing a thief to pretend to be a network element in the SS7 network of a mobile operator.
Given the high level of effort involved, the prime intention was less to listen in on individual SMS messages than to send (many) messages for free and sell that capacity on the market. The economic damage to the operators has led the mobile networks, over the last five years, to introduce heavy monitoring as well as so-called SS7 Home Routers: a new SS7 network element that acts basically as a NAT (Network Address Translation) firewall for the SS7 network, shielding the internal network and giving policing options on the SS7 traffic.
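A toy version of the two jobs such a home router does, as an added example that is not from the original post or any vendor’s product: on ingress it refuses traffic whose calling Global Title claims to be one of the home network’s own nodes (the spoofing case above) or comes from an unknown sender, and on egress it hides internal node addresses behind one public address, NAT-style. The GT prefixes, message fields and operation names are constructed placeholders; real SS7/MAP encoding is not modelled.

```python
from dataclasses import dataclass
from collections import Counter

# Constructed placeholder address ranges (not real operator numbering):
# Global Title prefixes owned by the home network, and those of interconnect
# partners whose traffic the home router has agreed to accept.
HOME_GT_PREFIXES = ("4917700",)
PARTNER_GT_PREFIXES = ("4470000", "3360000")
# Single address the home router presents to the outside, NAT-style (placeholder).
PUBLIC_GT = "4917700999"

@dataclass(frozen=True)
class InboundMessage:
    """Simplified view of a signalling message seen on an interconnect link."""
    calling_gt: str   # address the sender claims to have
    called_gt: str    # address the message is addressed to
    operation: str    # operation name only; no real SS7/MAP encoding here

def classify(msg: InboundMessage) -> str:
    """Ingress policy: decide whether an externally received message is trusted."""
    # A genuine home-network node never arrives via the interconnect, so an
    # outside message carrying one of our own addresses is Global Title spoofing.
    if msg.calling_gt.startswith(HOME_GT_PREFIXES):
        return "DROP: calling GT spoofs home network"
    # Only agreed interconnect partners may send traffic in at all.
    if not msg.calling_gt.startswith(PARTNER_GT_PREFIXES):
        return "DROP: calling GT not an agreed interconnect partner"
    return "ALLOW"

def egress_calling_gt(internal_gt: str) -> str:
    """Egress side: hide internal node addresses behind the one public GT."""
    return PUBLIC_GT if internal_gt.startswith(HOME_GT_PREFIXES) else internal_gt

def police(msgs) -> Counter:
    """Apply the ingress policy to a batch of messages and tally the verdicts."""
    return Counter(classify(m) for m in msgs)

# Constructed sample traffic: one legitimate partner query, one message from an
# unknown sender, and one spoofing the home network's own address range.
SAMPLE = [
    InboundMessage("4470000123", "4917700123", "SRI-SM"),
    InboundMessage("1230000111", "4917700123", "MT-FSM"),
    InboundMessage("4917700555", "4917700123", "MT-FSM"),
]

if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m.calling_gt} -> {m.called_gt} [{m.operation}]: {classify(m)}")
    print(dict(police(SAMPLE)))
```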
So, bottom line: As with any technology, SMS cannot offer 100% security. However, the “peculiarities” of SMS technology and its underlying networks make it difficult for thieves to target, and as such, it’s not often that an attack occurs in the first place. Millions of 2FA text messages are processed every day by OpenMarket alone, and are a great proof point: SMS is secure enough as a second factor — as the additional lock.
By the way, I used 297 ‘S’ characters in this blog so far. I hope that makes it a convincing and secure blog. 303 🙂