Login | December 16, 2017

Phones are extremely vulnerable to hacks, too

Technology for Lawyers

Published: November 17, 2017

You’ve spent enormous time and money securing your data from intruders. So now your computer systems are safe, right?

Well, you’re not home free yet.

There has been an easily-exploitable vulnerability in phone systems for many years and hackers have been exploiting it to hack phones through text messaging. This hack compromises things like two-factor authentication, bank accounts, bitcoin wallets, whatever, and could even be used to invade your computer data.

Phishing expeditions through text messaging is now being called “smishing.” It’s a thing. I get about one a week, and so do you. In addition, hackers who know how to exploit cell system vulnerabilities can read your texts, listen to your phone and track your location. Pretty cool, eh?

Technically, the weakness is in what is called the Signaling System Number Seven, or SS7, which is the worldwide cell phone infrastructure that connects one cell network to another (it goes by different names in different countries). The vulnerability is “a feature, not a bug” of every cell phone service on the planet. The cell companies know about the vulnerability and have for years (allegedly) but (allegedly) refuse to fix it. This vulnerability, which is at least being “monitored” by phone companies, was demonstrated on 60 Minutes in 2014. But it’s still there.

Anyway, obviously there are a lot of potential problems here but I want to point out one in particular.

Security experts will rightly advise setting up two-factor authentication for emails and data transfers. The problem here is when a text message (SMS) is used to transmit the second factor. If that SMS was hijacked to begin with, then that data transfer has also been hijacked.

So—among other outlets, The Verge is calling on everyone to no longer use SMS in two-factor authentication. They recommend switching to a secure, app-based SMS service, and then revoking the option for SMS two-factor and account recovery entirely.

Moving on to another part of this topic—in general, do not open or reply to any text that includes a link from an unknown source (which is smishing). Immediately delete any such text and mark as spam.