New ‘RCS Standard’ SMS Alternative Exposes Users to Security Threats!
Replacing regular SMS with RCS (Rich Communication Services) makes users vulnerable to text-based attacks, location tracking, call interception, and more, according to new research. RCS is a replacement for SMS with functions such as read confirmations, the ability to send media, etc.
Although the new SMS standard is not inherently flawed, researchers at SLabs state that carrier networks expose users to several security threats as they implement RCS on a large scale. Because there is no uniform standard, large telecom companies can implement it differently and make mistakes.
What Is RCS?
RCS is a protocol that will soon replace the standard SMS. Although it originated in 2007, we barely noticed it until 2018, when Google announced that it was working with major providers to bring the RCS protocol to Android devices. With the new standard, users can start a group chat and send high-resolution images and audio – essentially all the functions of popular chat services such as iMessage and WhatsApp.
What’s The Problem?
For the research, the SLabs team took sample SIM cards from different providers and searched for RCS-related domains. The o find every vulnerability.
The researchers discovered problems in how telecoms send the RCS configuration files to devices. For example, a server decides which configuration file to provide by identifying the requesting IP address.
Karsten Nohl of SLabs said that any app could request the file, with or without permissions, because apps on the device also use that IP address. “So now every app can get your username and password for all your text messages and all your voice calls.”
The researchers also found security flaws in the authentication process. For example, a telecom sends a unique authentication code to verify the identity of the RCS user. Because the carrier allows an ‘unlimited number of attempts’, bad actors can bypass authentication by simply trying codes until one is accepted.
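The unlimited-attempts weakness described above is closed by capping failed guesses per issued code. The sketch below is an added example, not code from SLabs or any carrier; the class name, the six-digit code length, the five-attempt cap and the five-minute lifetime are all assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy value, not from the article
CODE_TTL_SECONDS = 300  # assumed policy value
CODE_DIGITS = 6         # assumed code length


class CodeVerifier:
    """Issues one-time codes and caps failed guesses per subscriber."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # subscriber id -> [code, expiry, failures]

    def issue(self, subscriber):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[subscriber] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code  # delivered out of band in a real deployment

    def verify(self, subscriber, guess):
        entry = self._pending.get(subscriber)
        if entry is None:
            return "no_code"
        code, expiry, _failures = entry
        if self._clock() > expiry:
            del self._pending[subscriber]
            return "expired"
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._pending[subscriber]  # codes are single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            # Burn the code: further guesses fail until a new one is issued.
            del self._pending[subscriber]
            return "locked"
        return "wrong"
```

With these assumed values a guesser gets at most 5 tries against 1,000,000 possible codes per issued code. Code issuance needs its own rate limit, otherwise requesting a fresh code simply resets the counter.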
Response From Network Providers
When asked to comment, Vodafone assured users that it would take security measures to protect the RCS services. In the meantime, AT&T and Sprint directed their concerns to the GSM Association (a trade organization for telecommunications).
The GSM Association told Vice that although it appreciates the efforts of SLabs to bring the security issues to the public, the study includes “no new vulnerabilities” that the body was unaware of.
The SLabs researchers will report their findings at the Black Hat Europe conference in December.