SMS text messaging is a popular way to communicate in today’s smartphone-driven world. However, does this provide security risks to those that use it?
What Is SMS?
SMS stands for Short Message Service and its origin is near to the time of the founding of the mobile internet. It is based on MAP (Mobile Application Protocol) and SS7 (Signalling System Number 7). SMS started with 2G and 3G network technologies in the mid-1990s. Since then, it has become very popular around the world and is the most used data application of all mobile phone users.
However, SMS is an outdated form of text messaging and is not encrypted. So, it is possible messages can be viewed by anyone ranging from mobile carriers and government agencies to hackers.
SMS Key Holders
Data that travels to most user devices is encrypted, but that is not the problem. The keyholders are the ones that have access to the messages being sent and received on either end. The messaging app’s infrastructure cannot read the messages if the two (or more) parties doing the communicating are using end-to-end encryption.
SMS has several advantages over other forms of voice or text communications. It is convenient, simple, and allows users to send and receive plaintext short-form or long-form messages. It also includes the ability to send MMS attachments, and sensitive private data between commercial and private parties.
Business Uses Of SMS
SMS provides ways for small businesses to communicate and advertise to customers. People are more likely to read text messages than answer mysterious phone calls. Text messaging can also be faster than making a phone call or listening to a voice recording. So many businesses use text messages to efficiently communicate with their customers.
However, many people have received marketing text messages in the past and they can be distracting.
SMS Messaging Threats
#1. Threats From Companies
Some texting “threats” actually come from legitimate companies. For example, marketing companies today are attempting to track users and read their text messages.
Mobile Apps are also a potential threat. Users’ text message data from apps they use can be downloaded onto private servers, making them vulnerable to hacking attacks.
#2. SMS Can Be Intercepted
SMS relies on a somewhat antiquated architecture that exists within the world’s cellular networks. This makes SMS messages vulnerable to interception when they travel within a network. The connection between a person’s smartphone and the network is likely very secure, but the network itself can be attacked.
SMS is only secure when encrypted by network providers. However, most people do not have to worry about their text messages being intercepted and used in malicious ways.
#3. Some Messaging Apps Do Not Have End-to-End Encryption
While some messaging apps include end-to-end encryption, others do not. For instance, WhatsApp includes end-to-end encryption but some companies such as Facebook have not or will not put the effort and resources to add this, even though they advocate for it. The basic messaging apps included on most smartphones are not encrypted and can be read by service providers or government agencies.
Solution: Use Encrypted Texting Apps
Fortunately, encrypted SMS messaging apps exist and are becoming increasingly popular. Some of them include:
- iMessage (Apple)
Newer SMS messaging is encrypted by the service providers in the air. This ensures privacy and security by only allowing the person who receives your messages to be able to read them.
However, the government by law is allowed to read messages stored on the network provider’s databases. In fact, all governments are capable of surveilling cell phone traffic.
SMS is actually quite secure unless the phone gets out of your possession.
However, a serious bad actor can compromise your wireless security, regardless of how secure it may be.
#4. Stolen Smart Devices
If a person’s smart device or smartphone is stolen and unlocked, another person can read their messages. A person’s messaging app account can be cracked as well, which is similar to an end-point encryption break. However, most end-to-end encryption is not at a high risk of being broken into. It helps to have a form of 2-factor authentication enacted on your smartphone, such as Face ID and Touch ID combined with a strong password.
#5. iMessage Can Switch To SMS
On iPhones, there is a settings option to prevent iMessage from switching to SMS when a messaging failure occurs. Most people do not realize when this happens, as the iPhone does not provide any warnings. iPhone users can always receive and send SMS messages to non-iOS users. But, with the settings changed, they can be sure that when they use iMessage, their messages are end-to-end encrypted.
#6. Security Codes And SMS
One-time SMS security codes are usually sent by companies that know the user is likely the owner of the phone, which makes it somewhat more secure. However, if your phone is stolen and the thief has your email address, login passwords, or social security number, this security can be made meaningless. One way this kind of fraud occurs is through a “SIM swap”.
Receivers of SMS codes cannot be exactly sure who sends them most of the time, and this is an issue to be improved in the future.
#7. The Previous owner of Your Phone Can Read Your SMS Messages
If your phone was previously owned and the number is the same, then the previous owner may receive your SMS text messages on their new phone. This is a breach of privacy and can lead to some confusing incidents.
Messaging and settings information is stored on operating systems, phones, and provider’s systems until they are manually changed. The mobile phone number is the main way an intruder can gain access to messages, and this is available to anyone who can get it, by theft or through a phone’s previous owner.
Only phone numbers that are known by attackers can be effective in intercepting P2P and A2P messaging.
#8. Your iMessage Could Still Be Attached To An Old Phone
Ways this could happen:
- A form of addressing via web and wifi.
- Dynamic IP registration used by iMessage.
- The messaging account is still active for the previous user.
Taking out the old SIM card may not resolve this issue. Nor will disconnecting the old phone number. Removing the old messaging account’s connected number or owner will not be done automatically in some cases. Contacting the phone company tech support help desk can help resolve this issue if it happens. However, users will have to rely on the “kindness of strangers” that receive these mysterious and potentially sensitive text messages on their phones to not abuse them in any way.
The user of the phone may not be the actual owner. However, most phones are in the possession of the actual owner, so the likelihood this happens is small.
#9. Privacy Attacks
Text message content, if intercepted, can lead to serious privacy attacks. This text could include one-time passcodes and passwords that play a part of a multi-factor authentication process. Attackers can use this to intrude on a broad set of sensitive account information.
Messages need to be encrypted by the sender and only decrypted by the recipient device. It is also recommended to never send confidential information via text message.
#10. Network Operator Interception
The way SMS can be hacked is by breaking the GSM network within the local area of the phone while the SMS is sent. A person at the network operator can intercept the message as well. However, doing this could require special access and perhaps lots of resources to accomplish.
#11. Two-Factor Authentication Risks
Using SMS as a part of two-factor authentication on your accounts creates a small risk the access code could get stolen.
#12. SMS and Leaked Metadata
SMS messages also leak metadata, which are details of the message (but not the message itself) including names and phone numbers. Some messaging apps, such as Apple’s iMessage, store metadata about the people being contacted by the user. This could put them and the user at risk if the phone or app is ever cracked or opened by a government agency.
However, adding the use of two-factor authentication has made SMS and mobile devices more secure.
SMS: Android Vs iOS
Google’s Android and Apple’s iOS are the two most popular smartphone operating systems worldwide and each one has different security mechanisms. Apple’s iMessage has built-in end-to-end encryption and provides good security. Google’s Messages is not end-to-end encrypted, and it only protects data as it travels from the smartphone to the server. Each company, however, continues to address this issue as time goes on.
For iOS users, iMessage can provide a secure alternative to other messaging apps. However, only Apple users can use this which means that sometimes their desired reach goes beyond a network when it becomes unavailable. In these instances, iMessage will use SMS to send the message, but this then does not provide end-to-end encryption.
Facebook Messenger Lacks End-to-end Encryption
Facebook Messenger lacks strong end-to-end encryption. But this is perhaps to allow government agencies to spy on users or obtain data with a court warrant without having to go through strong or unbreakable privacy protections.
This makes Facebook Messenger perhaps not the most secure messaging tool. Other messaging apps are similar in that they may be weak in security to some extent, and there are subtle differences between them.
Google’s Messages Lacks Encryption
Google’s Messages relies on basic SMS architecture, even though it appears highly functional and integrated. Google is upgrading to a newer RCS messaging structure, but this lacks end-to-end encryption as well. Further changes by Google needs to be made to make messaging more secure for its users.
Never use SMS except for receiving security codes or messages about online services, smart taxis, goods deliveries, etc. Instead, choose a more secure method of communication.
Always use end-to-end encrypted messaging for all your texts. It is free with text apps and provides protection without too much extra hassle. In fact, most users will not notice the difference when using a messaging app such as WhatsApp versus their smartphone’s default SMS messaging.
Users need to be able to tell when their chosen messaging app turns off and switches to SMS, and change the settings accordingly to prevent this.
SMS texts are a convenient way to communicate in today’s smartphone-driven world. However, since there are security risks involved, users need to make sure to be aware of them.
For more information about social media privacy, read our post How Secure Is Facebook?