[LINK] Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16
Kim Holburn
kim at holburn.net
Wed Mar 31 09:58:36 AEDT 2021
Can this be done in Australia?
https://www.techdirt.com/articles/20210326/10043746497/journalism-forces-wireless-industry-to-belatedly-fix-text-message-flaw-that-let-hackers-access-your-data-16.shtml
>
> Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That Let Hackers Access Your Data For $16
>
> (Mis)Uses of Technology <https://www.techdirt.com/search.php?tid=uses&search=Search>
>
>
> from the /don't-try-too-hard/ dept
>
> Tue, Mar 30th 2021 12:11pm — Karl Bode <https://www.techdirt.com/user/kbode>
>
> It's not sure why journalists keep having to do the wireless industry's job, yet here we are.
>
> Sometime around mid-March, Motherboard reporter Joseph Cox wrote a story
> <https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber> explaining how he managed to pay a hacker
> $16 to gain access to most of his online accounts. How? The hacker exploited a flaw in the way text messages are routed around the
> internet, paying a third party (with pretty clearly flimsy standards for determining trust) to reroute all of his text messages,
> including SMS two factor authentication. From there, it was relatively trivial to break into several of the journalist's accounts,
> including Bumble, Whatsapp, and Postmates.
>
> It's a flaw the industry has apparently known about for some time, but they only decided to take action after the story made the
> rounds. This week, all major wireless carriers indicated they'd be taking significant steps to the way text messages are routed
> <https://www.vice.com/en/article/5dp7ad/tmobile-verizon-att-sms-hijack-change> to take aim at the flaw:
>
> /
>
> "The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their
> respective wireless numbers," the March 25 announcement from Aerialink, reads. The announcement adds that the change is
> "industry-wide" and "affects all SMS providers in the mobile ecosystem."
>
> "Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result,
> any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through
> the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.
>
> /
>
> It's a welcome move, but it's also part of a trend where journalists making a pittance somehow routinely have to prompt an
> industry that makes billions of dollars a year to properly secure their networks. It's not much different from the steady parade
> of SIM swapping attacks that plagued the industry for years, only resulting in substantive action by the sector *after* reporters
> began documenting how common it was (and big name cryptocurrency investors had millions of dollars stolen
> <https://www.techdirt.com/articles/20190724/09244242642/court-will-decide-if-att-is-liable-cryptocurrency-theft-caused-shoddy-security.shtml>).
> It was another example of how two factor authentication over text messages isn't genuinely secure.
>
> Or the SS7 flaw, which the industry has known about for years but didn't take seriously until journalists began documenting how
> the flaw lets all manner of malicious private and government actors spy on wireless users without them knowing
> <https://www.techdirt.com/articles/20190131/10492341502/ss7-cellular-network-flaw-nobody-wants-to-fix-now-being-exploited-to-drain-bank-accounts.shtml>.
> US consumers pay some of the highest prices in the developed world for mobile data
> <https://www.techdirt.com/articles/20181121/06413841083/us-has-some-most-expensive-mobile-data-prices-developed-world.shtml>. At
> that price point, it doesn't matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws
> *before* they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.
>
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request