Monday, March 15, 2021

SMS Rerouting Vulnerability

Joseph Cox (tweet):

I hadn’t been SIM swapped, where hackers trick or bribe telecom employees to port a target’s phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.


While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.

But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.


As for how Sakari has this capability to transfer phone numbers, Nohl from Security Research Labs said “there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs.”


Horsman added that, effective immediately, Sakari has added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number.


Update (2021-03-19): Bruce Schneier:

Don’t focus too much on the particular company in this article.

Update (2021-05-24): Juli Clover:

Major carriers in the U.S. like Verizon, T-Mobile, and AT&T have made a change to how SMS messages are routed to put a stop to a security vulnerability that allowed hackers to reroute texts, reports Motherboard.

1 Comment

And then under that article, this one:

And no doubt under that one, another. It’s Holes All The Way Down, man!

What’s shocking is not that such holes exist but that this is our Standard Operating Procedure, largely accepted and normalized by almost every government, business, and individual on the planet. There is a global culture at all levels that says liabilities are always Somebody Else’s Problem. (See Also.) And even when it proves to be our problem too, it often elicits barely a shrug. Whatever happened to World in Action?

Yet again I’m reminded of Hoare’s not-nearly-famous-enough dictum:

There are two ways of constructing a [system]: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

Hoare may have been talking about software design in particular (looking at you, ALGOL68) but it applies equally well to just about any human-constructed system.

Our ancestors were ignorant and superstitious because reliable knowledge and epistemological tools to acquire and test that knowledge did not yet exist.

Today we’re ignorant and superstitious because understanding our world is too much damned work, and it’s much easier just to assign it all a significance factor of zero and get back to watching funny cat vids on YouTube. For Ignorance Is Bliss.

This is not an argument against human specializations, mind, nor casual dismissal of essential complexity as mere inconvenience. We wouldn’t have come even this far if we hadn’t made some progress in managing those. But if we can’t figure how to build less brittle systems for running societies day-to-day, which don’t rely on the wings of angels to hold them aloft, how the Hell are we ever going to persist as a species when the truly #HardProblems such as climate change and fascistic tribalism really kick off?


Aaand at that, time to get back to trying to grok the minor atrocities that are Oauth2 and Amazon’s SP-API. Pity me.
