Can this be done in Australia?
https://www.techdirt.com/articles/20210326/10043746497/journalism-forces-wireless-industry-to-belatedly-fix-text-message-flaw-that-let-hackers-access-your-data-16.shtml
Journalism Forces Wireless Industry To Belatedly Fix Text Message Flaw That
Let Hackers Access Your Data For $16
(Mis)Uses of Technology
from the /don't-try-too-hard/ dept
Tue, Mar 30th 2021 12:11pm — Karl Bode <https://www.techdirt.com/user/kbode>
It's not clear why journalists keep having to do the wireless industry's
job, yet here we are.
Sometime around mid-March, Motherboard reporter Joseph Cox wrote a story
<https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber> explaining how he managed to pay a hacker
$16 to gain access to most of his online accounts. How? The hacker exploited a flaw in the way text messages are routed around the
internet, paying a third party (with pretty clearly flimsy standards for determining trust) to reroute all of his text messages,
including SMS two factor authentication. From there, it was relatively trivial to break into several of the journalist's accounts,
including Bumble, WhatsApp, and Postmates.
It's a flaw the industry has apparently known about for some time, but they only decided to take action after the story made the
rounds. This week, all major wireless carriers indicated they'd be taking significant steps to change the way text messages are routed
<https://www.vice.com/en/article/5dp7ad/tmobile-verizon-att-sms-hijack-change> to take aim at the flaw:
    "The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their
    respective wireless numbers," the March 25 announcement from Aerialink reads. The announcement adds that the change is
    "industry-wide" and "affects all SMS providers in the mobile ecosystem."

    "Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result,
    any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through
    the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.
It's a welcome move, but it's also part of a trend where journalists making a pittance somehow routinely have to prompt an
industry that makes billions of dollars a year to properly secure their
networks. It's not much different from the steady parade
of SIM swapping attacks that plagued the industry for years, only resulting in substantive action by the sector *after* reporters
began documenting how common it was (and big name cryptocurrency investors had millions of dollars stolen
<https://www.techdirt.com/articles/20190724/09244242642/court-will-decide-if-att-is-liable-cryptocurrency-theft-caused-shoddy-security.shtml>).
It was another example of how two factor authentication over text messages isn't genuinely secure.
Or the SS7 flaw, which the industry has known about for years but didn't take seriously until journalists began documenting how
the flaw lets all manner of malicious private and government actors spy
on wireless users without them knowing
<https://www.techdirt.com/articles/20190131/10492341502/ss7-cellular-network-flaw-nobody-wants-to-fix-now-being-exploited-to-drain-bank-accounts.shtml>.
US consumers pay some of the highest prices in the developed world for mobile data
<https://www.techdirt.com/articles/20181121/06413841083/us-has-some-most-expensive-mobile-data-prices-developed-world.shtml>. At
that price point, it doesn't matter how clever these attacks are. Telecom giants should be getting out ahead of security flaws
*before* they become widespread problems, not belatedly acting only after news outlets showcase their apathy and incompetence.
--
Kim Holburn
IT Network & Security Consultant
+61 404072753
mailto:[email protected] aim://kimholburn
skype://kholburn - PGP Public Key on request
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link