Why was SMS never secure?

Updated Mon, January 30, 2023 12:54 EST

Mobile phones are always a weak point. If an unlocked device falls into someone else's hands, chances are that person can read all the messages stored on the phone. Broadly the same thing happens when an SMS is read between the sender and the receiver, at a point where the message is decrypted. End-to-end encryption keeps a message safe and secure along the way, which unfortunately does not happen with SMS.

The mobile operator can access SMS texts

SMS messages are not encrypted end to end. This means that the mobile service provider can see the content of the messages one sends and receives. The messages are stored on the service provider's systems, much as Facebook can see one's messages.

Mobile service providers store SMS content for a few days, but the metadata is stored for a longer period. Metadata is information such as the phone number the message was sent to and the time of delivery. This type of record is usually used as legal evidence; for example, text messages are commonly used as evidence in divorce proceedings.

The Ghost text controversy 

In 2019, many people complained that they had received strange, out-of-context SMS messages from family, friends, and other contacts. The mobile service providers confirmed a technical glitch in telecom infrastructure: old, delayed Valentine's Day messages had been delivered inadvertently. This incident led people to wonder whether SMS was secure enough.

Unfortunately, SMS is not secure enough, because of its multi-step delivery process. Only the first leg is protected: from the sender to the first mobile tower the message is encrypted, but not after that. The mobile service provider keeps the message even though the sender and receiver may delete it. Wherever encryption is lacking, there is a risk of hacking.

Hackers look for weak points in the virtual end-to-end path of an SMS between the sender and receiver. The entire path consists of different networks, service providers, and computer systems, any of which may have a vulnerability that hackers can exploit.

Texts are not stored for just a few seconds, which would leave little time for them to be stolen; they stay for longer periods, which puts the odds in favor of the hackers.

It is all about personal privacy 

An ordinary citizen is unlikely to send text messages that contain military secrets, secret government policies, or any sensitive data that may be of use to a hacker. But what if personal text exchanges that carry gossip about a boss, or details about friends and family, get read and forwarded to others? It would not be a good feeling. What about confidential personal information such as passwords, bank account balances, or one's whereabouts? The idea is not about the big secrets that need to be protected. It is all about protecting one's personal privacy.

Why should one bother about SMS security otherwise?

There are many ways in which terrorists, hackers, and undemocratic governments can hack into the SMS system for their own benefit. Many countries' governments are hacking into systems using SMS. In 2019, Chinese state actors were involved in developing Linux-based malware that could steal SMS messages from a mobile operator's network. The malware was installed on the Short Message Service Centre (SMSC) servers of the mobile operator network, which handled SMS services.

The malware had a list of keywords that were of geopolitical interest to Chinese intelligence. The sponsored hacker group connected the keywords with the phone numbers they wanted to track. They interacted with call detail records and tracked suspected individuals who were of interest to Chinese intelligence. This malware was later spotted on the network of a mobile operator by the US cyber-security firm FireEye.

Smishing is the term for phishing carried out over SMS messages. One should never respond to a call to action in an SMS sent from an unknown number. Fraudulent messages asking one to click on a URL may seem legitimate, appearing to come from a courier service, for example. When one is expecting a parcel, people let their guard down for a split second, which is what scammers wait for. Hackers almost always prey on the "What if" fear factor of users. An SMS from the authorities, a bank, or a courier is usually greeted with fear that there could be penal action if it is not responded to. Then there is the dilemma of the OTP received via SMS, which ties second-factor authorization to the mobile number.

How to protect yourself from unsecured SMS?

Any text message deserves a measured response. One must pay close attention to the character of the text, which generally gives itself away. For example, messages from unknown sources that open with an intimate greeting such as "Hello Mate," which looks out of character, or that ask one to click on an outdated company URL should be treated with caution. If there is doubt, one can check the sender's official website without clicking on anything in the SMS message on the phone. A bank may appear to be making a lucrative loan offer; this can be cross-checked on the bank's website or by calling the company directly to verify the authenticity of the offer.
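The cross-check described above can be partly automated. The following is an added example, not part of the original article: it compares the host in each link against the sender's official domains, looked up separately, and notes an unknown sender or pressure wording. The domains, word list and function names are assumptions made up for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains the claimed sender really uses, looked up out of band (constructed).
OFFICIAL_DOMAINS = {"examplebank.test", "examplecourier.test"}
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
PRESSURE_RE = re.compile(r"\b(urgent|immediately|suspended|penalty|legal action|verify)\b", re.I)

def link_host(url):
    """Return the host a link really points to, ignoring any 'user@' decoy."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed link: treat as having no trusted host
        return ""
    return host.rstrip(".").lower()

def is_official(host, official=OFFICIAL_DOMAINS):
    # Exact match or a true subdomain; 'examplebank.test.evil.example' must not pass.
    return any(host == d or host.endswith("." + d) for d in official)

def triage_sms(text, sender_known, official=OFFICIAL_DOMAINS):
    """Return the reasons a message deserves caution (empty list = none found)."""
    reasons = []
    if not sender_known:
        reasons.append("unknown sender")
    for url in URL_RE.findall(text):
        host = link_host(url.rstrip(".,;:!?)"))
        if not is_official(host, official):
            reasons.append(f"link host not official: {host}")
    if PRESSURE_RE.search(text):
        reasons.append("pressure wording")
    return reasons

# Constructed sample messages: (text, sender is in the contact list)
SAMPLES = [
    ("Hello Mate, your parcel is on hold. Pay the fee at "
     "http://examplecourier.test.track-parcel.example/pay", False),
    ("Your loan offer details: https://www.examplebank.test/loans.", True),
    ("Account suspended, verify at https://examplebank.test@login.example/", True),
]

if __name__ == "__main__":
    for text, known in SAMPLES:
        print(triage_sms(text, known) or "no warning signs found")
```

An empty result only means none of these particular signs were found; verifying through the official website or by phone remains the deciding step.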

SMS has its simple advantages and worked well on the simple, pre-smartphone handsets of earlier days, where text messages were used for communication. With smartphones, however, both Android and Apple's iOS have technology that can send longer texts with attachments. The Apple iPhone has end-to-end encryption, and chat services like WhatsApp and Signal are secure.

Ideally, now that smartphones are available, one should be smart and do any texting on WhatsApp only. There are some critical services for which one still needs SMS even now. For example, security codes sent by SMS to authenticate the mobile number, or codes from cab apps, flower services, and card-balance notifications, are still needed. This is perfectly fine as long as one is not using SMS for private messages.

Most of the traffic traveling to and from one's devices is now encrypted, but that solves only half the problem. The risk remains as long as one does not choose carefully what to send over SMS and what not to.