SMS Authentication Is Not Secure: German Hackers Spy On US Congressman
Serious concerns about potential security flaws in the current global cellular network have been suspected for several years, but have been mostly disregarded as theoretical. In February 2014, suspicions grew significantly when a phone call by a US Ambassador was mysteriously leaked onto YouTube, believed to have been intercepted by someone using the suspected flaws in Russia. Since then, security research teams have confirmed the flaws are very real and made their findings public but have gotten relatively little attention, like the study released in February by AdaptiveMobile.
These flaws are now getting more public attention because of a recent 60 Minutes report where German security researchers used the flaws to spy on US Congressmen Ted Lieu, who agreed to help.
In the report, 60 Minutes sent a new phone to Congressman Lieu for him to use for communicating with his staffers, knowing they were participating in the test. They then gave the German hackers nothing but the phone number attached to the phone, challenging them to prove that intercepting SMS messages and phone calls really is that simple. The German hackers were successful.
Because of these security concerns, the US National Institute of Standards and Technology (NIST) has stated in their latest Digital Authentication Guideline that authentication via SMS messages should not be used. According to NIST:
“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators. If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and may no longer be allowed in future releases of this guidance.”
These security concerns apply to all uses of the current global telecom network, so it is important to understand why popular SMS authentication is insecure.
Why SMS Authentication is Insecure
SMS messages (for most carriers, including Verizon and AT&T) are sent over the Signal System 7 (SS7) global telecom network. The SS7 network helps connect calls, among other functions, and has flaws in the original design that make the privacy of all phone calls and texts of the world’s billions of cellular customers vulnerable to being intercepted and redirected.
The flaws in the design make it possible for users of a cellular carrier in one part of the world to access information used by carriers on the same SS7 network anywhere else in the world with relative ease. The system was designed in the 1980s as a global network to be used by only a known few large mobile carriers and is now used by thousands of groups of all sizes and purposes around the world. The current system is known to have been exploited for locating users of the network and intercepting their communications. The system is planned to be replaced over the next decade. Learn more about the flaws with SS7
These design flaws make it possible for SMS messages containing passcodes to be intercepted, allowing the codes to be used to hijack services that send verification codes via SMS. Today these SMS codes are commonly used to login, reset passwords, and perform other sensitive actions with services like Facebook, Gmail, Twitter, and many others.
SMS messages are also often visible on the screen of mobile devices even when the device is locked, making stolen devices a greater security risk for your accounts. Fortunately, there are many other options available for both authenticating and using the cellular network securely.
In general, these cellular network vulnerabilities apply to communications sent to a phone number, such as traditional phone calls and SMS messages. Communications sent to and from secure accounts, like the instant messaging and voice calling with the Facebook Messenger service or Facetime and iMessaging from Apple, allow you to have more secure communication over an insecure cellular network.
The NIST guidelines recommend the use of secure apps or biometrics, like a fingerprint reader or increasingly popular facial recognition, to secure your account.
Many services like Facebook and Google offer secure authenticator apps to generate codes that do not use insecure SMS-based communication. Use of these authentication apps substantially improves the security of your accounts with little extra effort and is highly recommended.
Companies like Apple and Okta offer authentication via push notifications to mobiles devices, making securing accounts even easier and faster.
Google also recently released its own push notification authentication called Google Prompt, which is an excellent way to secure Google accounts.
Until a more secure global cellular network is designed and put in place, SMS authentication is not a secure way to authenticate and should be disabled. Authentication that relies on a mobile phone number of any kind should be decommissioned from use immediately and thoughtfully replaced with authentication options that offer better security based on each individual use case.
For help securing your enterprise with the latest innovative and reliable authentication methods, contact us.