A recent investigation by VICE found a major loophole in telecommunications infrastructure. Joseph Cox, the investigative reporter at the center of the story enlisted the help of a friendly hacker to report on a service called Sakari, a company that streamlines mass SMS messaging for businesses. The hacker was able to use the service to reroute all of Cox’s text messages to the hacker’s device, and Cox didn’t receive a single notification about the theft of his number. He just stopped receiving text messages.
Sakari offers their SMS marketing services for $16, which is their cheapest plan. It requires the client to add a phone number associated with the account. This number is then used to send and receive text messages, even if that phone number doesn’t actually belong to the company. Sakari does mandate that users sign a Letter of Authorization (LOA) that requires the user to agree that they won’t “conduct any unlawful, harassing, or inappropriate behavior with the text messaging service and phone number,” but Sakari does not send any sort of message to the number in question to confirm this consent.
The hacker explained their process as follows: “I used a prepaid card to buy [Sakari’s] $16 per month plan and then after that was done it let me steal numbers just by filling out the LOA with fake info.” The use of prepaid cards makes the perpetrators of these hacks even more difficult to track down.
Once the hacker gains access to all the messages being received to a certain number, they can easily find their way into accounts like WhatsApp and Postmates, where the authorization for access depends only on a phone number or a code sent to that number.
A new hacking frontier
This hack differs from the more common SIM jacking because unlike SIM jacking, from the perspective of the person whose phone number was just stolen, their phone appears completely normal. Another aspect of this hack is that the specific carrier for a phone number is irrelevant. The ease with which this hack can be successfully executed exposes major flaws in telecommunications infrastructure and a lack of regulations around commercial SMS services.
After Cox reached out to Sakari, the company implemented a security feature where the newly subscribed phone number receives an automated call and has to report back to Sakari with a security code in order for their account to be fully activated. However, Sakari is only one example of this type of SMS tool. According to one of Cox’s sources, it took only two minutes to find another service that would allow the hack after getting cut off from a different provider.
In a statement given to VICE, Eva Galperin, the director of cybersecurity at Electronic Frontier Foundation, an internet civil liberties organization, says that this type of hack “underscores the importance of moving people ... off of ‘login with your phone number’ solutions.”
Policy changes as a result
In a March 25 response to Cox’s exposé, the communications company Aerialink, which routes text messages, stated, “Wireless carriers will no longer be supporting SMS or MMS text enabling on their respective numbers.” The new protocol is “industry-wide” and “affects all SMS providers in the mobile ecosystem.”
Not only does this change affect all major carriers, but it will also change the entire future of companies like Sakari that depend on enabling text messages to run the services they offer.
While it’s common for the telecommunications industry to face investigations into ways it may be misusing user data, it’s less likely that these services face interrogation into ways they could be abused by hackers and fraudsters. Cox’s article exposes a vital flaw in these regulations, but it also highlights the meaningful changes that can come about as a result of thoughtful anti-fraud investigation.