
Vulnerabilities: It's so easy to read SMS

The SMS successor RCS (Rich Communication Services) also carries classic text messages and calls over the Internet. Users do not need to register for the service; they receive a configuration file containing a password from their mobile network operator in the background. But attackers can also get hold of this file and then read the SMS and phone calls of unsuspecting users or send messages on their behalf, indefinitely, because users cannot change the password assigned in the configuration file. Telekom and Vodafone are already using the system in Germany, while Telefónica has set it up but not yet put it into use.

Security researchers Luca Melette and Sina Yazdanmehr of the security firm SRLabs demonstrate several ways in which attackers can obtain the configuration file. An attacker needs to get hold of the file only once to gain permanent access to the user's SMS via the Internet. Attackers can even decide, per SMS, whether or not to send the mobile network operator an acknowledgment that the SMS was received, Karsten Nohl of SRLabs explains to Golem.de.

If the attacker sends the acknowledgment, the user never gets to see the SMS; if the attacker does not send it, the SMS is delivered to the user in the classic way. In this way, two-factor authentication via SMS can be bypassed unnoticed, for example, or banks' mTANs intercepted. In addition, many apps and messengers authenticate users via their phone number, and several Internet services allow the password to be reset via SMS. E-mail accounts, for example, can be taken over – and further services via the e-mail account.

Tapping the configuration file

The security researchers at SRLabs have developed several attack methods to access the configuration file. Some mobile network operators deliver the configuration file only to the IP address assigned to the smartphone, Nohl explains. However, this allows any app on the smartphone to access the configuration file. "If the Internet connection is shared, for example via a mobile hotspot, all devices on the hotspot will also receive the same IP address – and can thus access the configuration file," says Nohl.

Another attack scenario works via a WLAN access point. If a user calls up any website via this access point, an attacker can embed JavaScript in the website and deliver it to the user. The attacker then terminates the WLAN connection. When the user falls back to the mobile connection, the JavaScript can request the RCS configuration file and send it to the attacker.

With one of the 80 providers tested worldwide, it was even possible to crack the password, which was only six digits long, by brute force, i.e. by trying every password combination. In addition to brute-force protection, the security researchers recommend authenticating via the SIM card rather than by assigning a password.
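To make the point about six-digit passwords and brute-force protection concrete, here is an added, defender-side illustration. It is not code from SRLabs or from any operator, and it does not model how a real operator delivers the configuration file; the endpoint, the identity key (a placeholder phone number), the attempt limit and the lockout window are all assumptions. It shows the size of a six-digit keyspace and one common mitigation: counting failed attempts per identity and locking the identity out for a while.

```python
"""Added illustration (not SRLabs' or any operator's code): a toy RCS
configuration endpoint showing why a short numeric password needs
brute-force protection, and one way to add it (per-identity failure
counting with a lockout window). All names, limits and the clock are
assumptions made for this example."""
import hmac
import time


def keyspace(digits: int) -> int:
    """Number of possible passwords consisting of `digits` decimal digits."""
    return 10 ** digits


def worst_case_seconds(digits: int, attempts_per_second: float) -> float:
    """Time needed to try the whole keyspace at an unthrottled attempt rate."""
    return keyspace(digits) / attempts_per_second


class FakeClock:
    """Deterministic clock (assumption: the gate takes an injectable clock)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ConfigGate:
    """Hands out a configuration file only after a password check and locks
    an identity (here: a placeholder phone number) after repeated failures."""

    def __init__(self, secrets, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self._secrets = dict(secrets)   # identity -> password (constructed sample data)
        self._failures = {}             # identity -> consecutive failed attempts
        self._locked_until = {}         # identity -> clock deadline of the lockout
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock

    def is_locked(self, identity: str) -> bool:
        return self._clock() < self._locked_until.get(identity, 0.0)

    def fetch(self, identity: str, password: str):
        """Return the config dict on success, None on failure or while locked."""
        if self.is_locked(identity):
            return None
        expected = self._secrets.get(identity)
        # constant-time comparison; an unknown identity counts as a failure too
        ok = expected is not None and hmac.compare_digest(expected, password)
        if ok:
            self._failures.pop(identity, None)
            return {"identity": identity, "rcs_enabled": True}
        failures = self._failures.get(identity, 0) + 1
        self._failures[identity] = failures
        if failures >= self.max_failures:
            self._locked_until[identity] = self._clock() + self.lockout_seconds
            self._failures.pop(identity, None)
        return None


if __name__ == "__main__":
    print("six-digit keyspace:", keyspace(6))
    print("exhaustion at 100 attempts/s without throttling (s):",
          worst_case_seconds(6, 100.0))
    clock = FakeClock()
    gate = ConfigGate({"+49-EXAMPLE": "123456"}, max_failures=3,
                      lockout_seconds=60, clock=clock)
    for guess in ("000000", "000001", "000002"):
        print("guess", guess, "->", gate.fetch("+49-EXAMPLE", guess))
    print("locked:", gate.is_locked("+49-EXAMPLE"))
    print("correct password while locked ->", gate.fetch("+49-EXAMPLE", "123456"))
    clock.advance(61)
    print("after lockout ->", gate.fetch("+49-EXAMPLE", "123456"))
```

The lockout is a minimal stand-in for the "brute-force protection" the researchers mention; it slows an online guessing attack from seconds to effectively unbounded time, but it does not change the underlying weakness of a six-digit secret, which is why the article's second recommendation (binding authentication to the SIM rather than a distributed password) matters more.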

Security problems for one billion users

"It is often overlooked that 4G and 5G no longer support classic phone calls," explains Nohl. With RCS, SMS and telephony were moved onto an Internet connection. The technology is currently causing security problems for approximately one billion users worldwide, Nohl explains.

Only in September, two attacks on SIM cards became known in which specially prepared SMS can execute malicious code on the SIM card unnoticed. This can be used, for example, to read out the phone's location and send it to an attacker via SMS. However, SIM cards in Germany, Austria and Switzerland are reportedly not affected.
