SMS. How is it made and why you don’t need it in your life?
Short message service
Texting’s quick, it’s easy. You can send a million messages because every major carrier has an unlimited messaging plan. And if you don’t want to use data, you can send SMS messages instead of app-based messages. An average 25-year-old sends 148 SMS a day, and 6 billion messages a day are sent in the U.S. alone. That’s 180 billion each month and 2.27 trillion each year. Globally, 4.2 billion people are texting. No doubt you’re one of ’em—which means you fire off approximately 67 texts a day. But how safe is it actually?
If you thought that your recipients are the only ones privy to the information contained within, you are fucking wrong. The truth is that text messages aren’t secure, and that insecurity opens you, your friends, family, and business up to risk. And it isn’t even your fault; the default text messaging services many of us use are old and vulnerable to a number of different attack scenarios. While carriers are on a path to update it, it might be too little, too late.
To be more aware of your privacy, let’s look at the mechanics of SMS and how it actually works.
SMS is the oldest and one of the most widely used text messaging services today. It includes MMS (Multimedia Messaging Service) which enables SMS users to send multimedia content like images, audio, and visual files. Both SMS and MMS are sent using cellular networks and thus require a wireless plan and a wireless carrier. If you send a traditional “text” message on your phone, it’s considered an SMS. When you send that gif, you’ve just sent an MMS.
When you send a text message, it “flies” to the nearest cellular tower over a pathway called the control channel, and then into an SMS center (SMSC). The SMSC resends that message to the tower closest to the recipient, and then it goes to their phone. SMS also sends data associated with the message, including the length of the message, format, time stamp, and destination. For instance, of the 109 text messages I sent yesterday, 15 were SMS messages sent to people who have phones on other carriers, 70 were sent through iMessage, and the rest were sent via OTT applications.
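The fields listed above can be seen by decoding the unit an SMSC hands to the recipient's phone. The parser below is an added example, not code from the original article; the PDU is constructed for illustration, follows the SMS-DELIVER layout of 3GPP TS 23.040, and uses fictional phone numbers. It handles only the GSM 7-bit alphabet without a user data header, and shows that the message body is packed text rather than ciphertext.

```python
from datetime import datetime

# Constructed SMS-DELIVER PDU (3GPP TS 23.040 layout); both numbers are fictional.
SAMPLE_PDU = (
    "07912120550501F0"    # SMSC address, +12025550100
    "04"                  # first octet: SMS-DELIVER, no user data header
    "0B912120550521F3"    # originating address, +12025550123
    "0000"                # protocol identifier, data coding scheme (GSM 7-bit)
    "91601021035400"      # service-centre timestamp, 2019-06-01 12:30:45
    "0A"                  # user data length in septets
    "E8329BFD4697D9EC37"  # user data: packed septets, not ciphertext
)

def bcd_digits(octets):
    """Decode swapped-nibble BCD digits and drop the 0xF filler nibble."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")

def unpack_septets(data, count):
    """Unpack GSM 7-bit septets. Assumes only characters shared with ASCII."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))

def parse_sms_deliver(pdu_hex):
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]
    smsc = "+" + bcd_digits(raw[2:1 + smsc_len])   # sample uses type 0x91
    pos = 1 + smsc_len
    first = raw[pos]
    if first & 0x03 or first & 0x40:
        raise ValueError("only SMS-DELIVER without a user data header is handled")
    ndigits, toa = raw[pos + 1], raw[pos + 2]
    nbytes = (ndigits + 1) // 2
    sender = bcd_digits(raw[pos + 3:pos + 3 + nbytes])
    if (toa >> 4) & 0x07 == 1:                     # type of number: international
        sender = "+" + sender
    pos += 3 + nbytes
    dcs = raw[pos + 1]                             # raw[pos] is the protocol id
    if dcs != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled")
    # Six date/time octets; the seventh (time zone) octet is skipped here.
    stamp = datetime.strptime(bcd_digits(raw[pos + 2:pos + 8]), "%y%m%d%H%M%S")
    udl = raw[pos + 9]
    text = unpack_septets(raw[pos + 10:], udl)
    return {"smsc": smsc, "sender": sender, "timestamp": stamp.isoformat(),
            "format": "GSM 7-bit", "length": udl, "text": text}

if __name__ == "__main__":
    for field, value in parse_sms_deliver(SAMPLE_PDU).items():
        print(f"{field:10} {value}")
```

Anyone holding these bytes, on the SMSC or any system that stores or relays them, can recover the sender, timestamp and text with nothing more than this decoding step.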
A logical question would be: “What are the OTT applications and where can you find them?” That’s actually an easy one. WhatsApp, iMessage, Facebook Messenger, WeChat, and other messaging apps are grouped together as OTT applications and are also considered texting services. OTT stands for “Over the Top”; as a group, these apps are different than SMS services because they use internet protocols (IP) rather than cellular networks to transmit messages. This means these messages are sent through an internet connection (aka WiFi) or via mobile internet connection.
But the OTT apps work in a way that’s different than SMS because they send encrypted messages that only you and the person receiving your message can access. That means the messaging service doesn’t know what you’re sending, and neither does anyone else who might intercept that web traffic.
When considering messaging services, people often have to choose between sending via SMS or sending via an OTT service. If you’ve traveled extensively outside the U.S., you’ve probably noticed that people in many other countries prefer WhatsApp over text messaging. SMS is the most ubiquitous, but least secure messaging medium. OTT apps require you to be using the same platform as the person you’re messaging, which can be annoying. Maybe your friends don’t want to download another app just for texting, but continuing to use SMS could put you at risk because it doesn’t have end-to-end encryption.
So which one of them is better? As OTT apps cannibalize the SMS market, carriers have become incentivized to improve SMS services in the form of Rich Communication Services (RCS). RCS theoretically combines the best features of OTT apps into one protocol that’s universal across carriers and devices. This new protocol will replace SMS and has been a work in progress for more than a decade. Approved by the GSMA in 2008, RCS was fully adopted in 2016. Since then, the RCS Universal Profile has been pushed out with strong support and back-end services from Google (which acquired Jibe) with the goal of providing consistent interoperable messaging services across all devices and networks. This not only helps create a global standard, but also improves Android capacity, which is notoriously more vulnerable to attacks.
RCS has the ability to:
- Integrate with contact apps to see who supports the service.
- Create group chats.
- Send video and audio messages.
- Send high-resolution images up to 10 MB in size.
- Share location.
- Receive read receipts.
- See when people are replying in real time.
- Default to SMS or MMS when the recipient doesn’t support RCS.
- See live updates about upcoming trips and boarding passes.
However, while RCS doesn’t have end-to-end encryption, it does have the standard security protocols of Transport Layer Security and IPsec.
RCS doesn’t use a cellular connection, but instead relies on a data connection and is both hardware- and platform-agnostic. Sprint, US Cellular, and Google Fi have implemented RCS fully across their networks and all devices. Other networks are implementing it on specific devices with broader plans to roll out further through 2020. And, moving forward, all devices should support this feature out of the box.
Remember: Text messages are sent in a multi-step process. While your message might be encrypted from your phone to the first cell tower, it’s not encrypted after that. And your SMSC may keep the message even if both the sender and recipient delete it. Whenever a message isn’t encrypted, it can be read by the mobile service, hackers, or governments.
Because of the lack of encryption, hackers can search for weak points anywhere along the virtual path between the sender and receiver, which includes a ton of different network devices and computing systems at many different providers—only one of which needs to be exploited via technical vulnerability, misconfiguration, social engineering or insider attack. Because the messages are stored on these systems longer than necessary, it increases the window of vulnerability through which the hacker can attack. Rather than having to defend a system for a few seconds to prevent a hacker from stealing a message, it needs to be protected for days, weeks, months. These odds favor the hacker.
It’s unlikely that you’re using your cell phone to text about military launch codes, top secret government business, or anything else that’s of much use to the average hacker. But what about a text exchange about a friend’s decision to leave their spouse, your boss’s cancer scare, or your little sister’s decision to switch jobs? Would you want that information to get disseminated somewhere else? What about information about your children, your pets, or a naked selfie that could help someone track where you are, guess your passwords, or find the tattoo on your left thigh that’s also your bank account password?
It’s not always about protecting big secrets—it’s about ensuring personal privacy for everyone involved. There are ‘0day’ bugs on the market that can remotely access your phone without you having to click on any sort of link or do anything at all. Text message hacks are happening everywhere, from middle schoolers hacking their enemies to steal their pictures to nation-state-level attacks.
Given the propensity for and variety of attacks, it makes sense to consider alternative services that offer end-to-end encryption. Popular secure apps include:
- Apple’s FaceTime
- Apple’s iMessages
The truth is we all need to use an extra dose of common sense. When evaluating a message, consider its source. If you don’t recognize the number, confirm the context of the message elsewhere. For example, if your bank texts you, call the customer support number to verify the message you received. Be cautious of any link in a text message. This is a prime outlet for distributing malicious URLs. Finally, if the text sounds too good to be true, it probably is.