Motherboard reported on yet another gaping security hole in using mobile phone numbers for authentication. The headline put it very succinctly: A Hacker Got All My Texts for $16. The article went on to explore how an Adtech company called Sakari eliminated all of the hard work of social engineering or bribing minimum wage slaves at a local carrier’s retail store that is usually required to swap a SIM. Sakari was offering something akin to Hacking as a Service: start a free trial, choose a target, check a box that says you have a letter of authorization, and you could immediately start pillaging some poor victim’s virtual life.
The hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.
“Welcome to create an account if you want to mess with it, literally anyone can sign up,” Lucky225, the pseudonymous hacker who carried out the attack, told Motherboard, describing how easy it is to gain access to the tools necessary to seize phone numbers.
The latest vulnerability offers yet another chance to remind our readers that phone carriers never agreed to protect your privacy or your security, and access to a phone number absolutely cannot be relied upon to secure your access to 3rd party accounts. This vulnerable, semi-public number implausibly remains the default identity document for many services. Krebs on Security has a great piece analyzing how we got to the point “where a single, semi-public and occasionally transient data point like a phone number can unlock access to such a large part of our online experience.”
Services large and small have come to rely on sending SMS to a phone to demonstrate control of a device and as the sacred source of trust for authentication. When this fails, they can point their finger at the Telcos and do their best Kellyanne Conway by blaming someone else for the mess they created.
A WhatsApp spokesperson told Motherboard in a statement that “With so many apps relying on SMS codes, it’s critical that mobile carriers do more to protect their customers’ privacy and security.” What they didn’t say is “Internet services and publishers decided to pretend sending one time access codes by SMS is secure so now the industry needs to take one of the oldest and most fragmented pieces of the legacy communications stack and secure it against all attacks so we don’t have to build a real solution.”
Telcos are an easy target, so politicians jump on as well:
“It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed,” Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack.
If you are going to build authentication systems which rely on a 3rd party to protect users’ identity, maybe you should choose a 3rd party who agrees it is their job.