The Rich Communication Services (RCS) messaging standard is used by almost every phone carrier around the globe, which clearly explains its significance for mobile phone users. Now a set of vulnerabilities is threatening the service.
According to security researchers at SRLabs (Security Research Labs), the way phone carriers are implementing the RCS standard is flawed, and the vulnerabilities can make users susceptible to attacks such as call interception, text message interception, location exposure and spoofing of phone numbers.
This is indeed a concerning situation, since large enterprises such as Vodafone are using flawed procedures and technology and are making hundreds of millions of people vulnerable to data exposure, stated SRLabs’ Karsten Nohl.
This standard is believed to be a better substitute for SMS but this research reveals that even the most modern protocols aren’t safe from exploitation if there is even the slightest glitch, making phone network security an issue of concern.
According to The Verge, the RCS standard was introduced to replace SMS and supports a number of new features that messaging clients like WhatsApp and iMessage offer, such as typing indicators, end-to-end encryption and read receipts.
RCS is a cross-platform messaging standard that any phone carrier can easily integrate.
It is worth noting that the researchers didn’t identify any flaws in the RCS standard itself, but in the way carriers implement it when issuing SIM cards.
Active RCS deployments span 67 countries, a couple more are conducting trials (Credit: SRLabs).
Researchers assessed SIM cards issued by different carriers in their analysis. In one of the samples, they found that a faulty implementation of the RCS standard allowed any application on the user’s phone to download the standard’s configuration file, leading to data exposure: the app gained access to the username and password and was able to manipulate text messages and voice calls.
On another SIM, the researchers noticed that the 6-digit code a phone carrier uses to authenticate a user’s identity could be exposed by a third party through a brute-force attack.
Types of attack that can be carried out using these flaws (Credit: SRLabs)
SRLabs didn’t specify the vulnerabilities in individual RCS implementations or name the carriers responsible for implementing it wrongly, but the company did reveal that at least 100 phone carriers (the majority in Europe) have deployed it, including four of the major carriers in the US.
At the Black Hat security conference in London on Tuesday, German security consultancy SRLabs demonstrated a collection of problems in how RCS is implemented by both phone carriers and Google in modern Android phones.
Those implementation flaws, the researchers say, could allow texts and calls to be intercepted, spoofed, or altered at will, in some cases by a hacker merely sitting on the same Wi-Fi network and using relatively simple tricks. SRLabs previously described those flaws at the DeepSec security conference in Vienna last week, and at Black Hat also showed how those RCS hijacking attacks would work in videos like the one below:
SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still use for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks.
While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.
“You’re going to be more vulnerable to hackers because your network decided to activate RCS,” says Nohl.
“RCS gives us the capability to read your text messages and listen to your calls. That’s a capability that we had with SS7, but SS7 is a protocol from the ’80s. Now some of these issues are being reintroduced in a modern protocol, and with support from Google.”
The RCS rollout still has a ways to go, and will continue to be a patchwork even with Google’s backing.
Some Android manufacturers use proprietary messaging apps as the default rather than the stock Messages app, and most carriers push their own versions as well.
The iPhone doesn’t support it at all, and Apple has given no indication that it will.
But as RCS rolls out more broadly, its security issues merit attention—especially since it’s those implementations that create the problems in the first place.
Using a different technique, the researchers showed how an Android phone using RCS can be vulnerable to a man-in-the-middle attack. Whether it’s a hacker controlling a malicious Wi-Fi network or an ISP or nation-state spies with access to an ISP’s servers, an attacker can alter the domain name system request that the phone uses to find the RCS server that acts as the relay between senders and recipients of a message. SRLabs found that while Android’s RCS-enabled messaging app checks to see if the server the phone is connecting to has a valid TLS certificate—in the same way your browser checks the validity of an HTTPS website—it will accept any valid certificate, even for the attacker’s server.
It’s like a security guard who only checks if someone’s ID matches their face, rather than if their name is on the approved list in the first place. “It’s a really stupid mistake,” adds Nohl.
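The certificate mistake described above, as an added illustration that is not SRLabs’ code or Google’s: a Python client that validates the chain but skips the hostname check accepts any CA-issued certificate, while the hardened form binds the connection to the expected RCS server name. `EXPECTED_RCS_HOST` and the sample certificate dictionaries are constructed for the example.

```python
import ssl

# Hypothetical carrier RCS server name. A real client must take this from a
# trusted provisioning source, never from an attacker-influenceable DNS answer.
EXPECTED_RCS_HOST = "rcs.carrier.example"


def weak_context() -> ssl.SSLContext:
    """Mirrors the flaw: the chain is validated, so any CA-issued certificate
    passes, but the name on it is never compared with the intended server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # only "does the ID match the face"
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Chain validation plus hostname binding; use together with
    ctx.wrap_socket(sock, server_hostname=EXPECTED_RCS_HOST)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True           # certificate must name the expected host
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def san_matches(cert: dict, expected_host: str) -> bool:
    """Explicit 'approved list' check over a getpeercert()-style dict: the
    certificate must carry the expected host as a DNS SAN, exactly or via a
    wildcard that covers a single label."""
    host = expected_host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:   # one label only
                return True
    return False


# Constructed samples in the shape returned by SSLSocket.getpeercert()
CARRIER_CERT = {"subjectAltName": (("DNS", "rcs.carrier.example"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.carrier.example"),)}
# A perfectly valid certificate for some other name: weak_context would
# accept it, the explicit name check does not
OTHER_CERT = {"subjectAltName": (("DNS", "relay.other.example"),)}
```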
The result is that the man-in-the-middle can intercept and alter messages at will, as shown in this video:
In some cases, carriers try to guard against that attack by sending a one-time code to the user’s device that they have to enter. But SRLabs found that some carriers failed to limit the number of tries at guessing that code; a hacker can try every possible number in just five minutes. “In five minutes we have your configuration file, and forever after we can listen to all your phone calls and read all your texts,” Nohl says.
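The unlimited-guess problem above, as an added example that is not code from SRLabs or any carrier: a server-side verifier for a 6-digit code, with the attempt limit switchable so the unthrottled behaviour can be contrasted with the hardened one. `MAX_ATTEMPTS`, `CODE_TTL_SECONDS` and the injectable `rng`/`now` hooks are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import Callable, Optional

CODE_SPACE = 10 ** 6       # a 6-digit numeric code, as described above
MAX_ATTEMPTS = 5           # assumed lockout policy, not taken from the article
CODE_TTL_SECONDS = 300     # assumed validity window for one code


class OneTimeCodeVerifier:
    """Server-side check of a provisioning code. limit_attempts=False reproduces
    the weak behaviour (unlimited guesses); True is the hardened form."""

    def __init__(self, limit_attempts: bool = True,
                 rng: Callable[[int], int] = secrets.randbelow,
                 now: Callable[[], float] = time.monotonic):
        self._limit, self._rng, self._now = limit_attempts, rng, now
        self._codes: dict[str, tuple[str, float, int]] = {}  # device -> (code, issued_at, failures)

    def issue(self, device_id: str) -> str:
        code = f"{self._rng(CODE_SPACE):06d}"       # unbiased, zero-padded
        self._codes[device_id] = (code, self._now(), 0)
        return code

    def verify(self, device_id: str, guess: str) -> bool:
        entry = self._codes.get(device_id)
        if entry is None:
            return False
        code, issued_at, failures = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._codes[device_id]              # expired: a new code is needed
            return False
        if self._limit and failures >= MAX_ATTEMPTS:
            return False                            # locked: even the right code is refused
        if hmac.compare_digest(code, guess):        # constant-time comparison
            del self._codes[device_id]              # single use
            return True
        self._codes[device_id] = (code, issued_at, failures + 1)
        return False


def guesses_needed(verifier: OneTimeCodeVerifier, device_id: str,
                   budget: int) -> Optional[int]:
    """Counts sequential guesses until the verifier accepts one, or None when
    the budget is spent. Used here only to contrast the two policies."""
    for n in range(min(budget, CODE_SPACE)):
        if verifier.verify(device_id, f"{n:06d}"):
            return n + 1
    return None
```

With the limit on, a device that exceeds `MAX_ATTEMPTS` failures must request a fresh code, so enumerating the space never pays off; without it, the whole space is reachable in whatever time the carrier's endpoint allows.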
All of these attacks become even more serious when RCS messaging is used as a second factor in two-factor authentication. In that case, RCS interception could allow hackers to steal one-time codes and gain access to other, even more sensitive accounts like email, as shown in this video:
The GSMA claimed that it already knew of the issues SRLabs highlighted, and that “countermeasures and mitigation actions are available” for carriers to fix their RCS flaws. Nohl countered that those fixes haven’t been implemented yet for any of the issues SRLabs presented on at Black Hat.
The GSMA further argued that SRLabs had pointed out problems with the implementation of the RCS standard, rather than the standard itself. “The findings highlight issues with some RCS implementations but not every deployment, or the RCS specifications themselves, are impacted,” the GSMA statement reads.
Nohl argues, however, that the existence of so many flaws in the standard’s implementations is in fact a problem with the standard. “If you put out a new technology for a billion people, you should define the whole security concept. Instead RCS leaves a lot undefined, and telcos make a lot of individual mistakes when trying to implement this standard,” Nohl says. “This is a technology being introduced quietly to over a billion people already. And it exposes them to threats they didn’t have to worry about previously.”