U.S. Wireless Carriers Finally Plug This Rampant SMS Hijacking Security Exploit
Cell phones are a necessity in day-to-day life, allowing communications and access to numerous websites and accounts. Thus, losing access to a phone or text messages could be as bad, if not worse, than losing a credit card. Even more concerning would be if a hacker could intercept texts without the phone's owner even knowing, and it was entirely possible with $16 and some knowledge of a target. Now, cell carriers must shake things up to prevent this problematic issue from happening again.
Earlier this month, Vice's Joseph Cox reported that a hacker had "swiftly, stealthily, and largely effortlessly redirected [Cox's] text messages to themselves," gaining access to apps such as Bumble, Postmates, and WhatsApp. Typically, this could be possible with a SIM card swap or some trickery and social engineering to transfer a phone number. In this case, the hacker, calling themselves Lucky225, spent $16 to use a service from the company Sakari, which allows businesses to run SMS marketing and mass messaging.
"I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," Lucky explains. The LOA or Letter of Authorization they refer to is simply a document stating the signer has permission to switch telephone numbers, but anyone can sign it, effectively making it only a promise.
Since then, AeriaLink, also known as iconnectiv Deliver, posted that "The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers." The message has since been taken down but was archived by Vice, who further elaborated that this is a "significant change to how SMS messages are routed to prevent hackers being able to easily reroute a target's texts."
It's obviously quite concerning that this could happen in the first place, given that there should be regulatory bodies like the FCC who should prevent this type of activity. Moreover, individual companies, including cellular providers, need to be better at self-governing and protecting customers. In any case, let us know what you think of this interesting situation in the comments below.