Millions at Risk from SMS Sign-In Links

Researchers from universities in New Mexico, Arizona, and Louisiana, along with professionals from Circle, have raised alarms about vulnerabilities in SMS communications, asserting that these weaknesses are easily tested, verified, and exploited on a large scale. Their findings underscore that exploitation requires only consumer-grade technology and basic to intermediate web security knowledge.

SMS messages are inherently sent without encryption, leaving them susceptible to interception. In recent years, various studies have revealed alarming instances of exposed databases containing previously sent SMS messages. These databases often include authentication links and sensitive personal information, such as names and addresses. Notably, a significant breach identified in 2019 highlighted millions of messages exchanged between a business and its customers, which contained usernames, passwords, financial applications from universities, and marketing messages with discount codes.

Despite ongoing public awareness regarding SMS insecurities, the use of unsecured messaging continues unabated. The researchers acknowledged an ethical limitation that hindered their ability to capture the extensive scale of these vulnerabilities, as any comprehensive investigation would necessitate circumventing access controls. Instead, they focused on public SMS gateways, which are platforms allowing users to receive texts without disclosing their personal phone numbers. These platforms often operate on an advertising-based model.

While this approach provided a narrow perspective, it enabled the team to gather critical insights about SMS-delivered authentication messages. Over the course of their investigation, the researchers identified an astonishing 322 million unique URLs from more than 33 million SMS texts directed at over 30,000 distinct phone numbers. The analysis revealed significant security and privacy risks for recipients of these messages. Specifically, SMS communications originating from 701 endpoints associated with 177 different services exposed crucial personally identifiable information.

The underlying vulnerabilities stem from inadequate authentication mechanisms in which a tokenized link is the only thing used for verification. Consequently, anyone possessing these links can access sensitive private information, including social security numbers, birthdates, and banking credentials. This indicates a severe lapse in defending against potential exploitation of SMS as a communication channel.
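The bearer-link weakness described above, next to a hardened redemption check, as an added example that is not code from the researchers or from any service they studied. The class and method names, the session identifiers, and the 10-minute lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 600  # assumed link lifetime (constructed value)
def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class LinkTokenStore:
    """Sign-in link tokens: hashed at rest, short-lived, single-use, session-bound."""
    def __init__(self, now=time.time):
        self._now = now
        self._rows = {}  # sha256(token) -> [session_id, expires_at, used]

    def issue(self, session_id):
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._rows[_digest(token)] = [session_id, self._now() + TTL_SECONDS, False]
        return token  # goes into the SMS link; only its hash is stored

    def redeem_bearer_only(self, token):
        return _digest(token) in self._rows  # weak: possession is the only check

    def redeem(self, token, session_id):  # hardened: fresh, unused, same session
        row = self._rows.get(_digest(token))
        if row is None:
            return "unknown"
        bound_session, expires_at, used = row
        if used:
            return "replayed"
        if self._now() > expires_at:
            return "expired"
        if not hmac.compare_digest(bound_session.encode(), session_id.encode()):
            return "wrong-session"
        row[2] = True  # burn the token on first successful use
        return "ok"

def demo():
    clock = [1000.0]  # controllable clock so expiry is testable offline
    store = LinkTokenStore(now=lambda: clock[0])
    token = store.issue("browser-A")  # constructed session ids
    out = {"bearer_other": store.redeem_bearer_only(token),
           "other": store.redeem(token, "browser-B"),
           "owner": store.redeem(token, "browser-A"),
           "replay": store.redeem(token, "browser-A")}
    stale = store.issue("browser-A")
    clock[0] += TTL_SECONDS + 1
    out["stale"] = store.redeem(stale, "browser-A")
    return out
```

With the hardened check, a link recovered later from an exposed message store or a public SMS gateway fails on expiry, reuse, or session mismatch instead of opening the account.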

From a cybersecurity standpoint, the findings point to various MITRE ATT&CK tactics that may have been used in exploiting these vulnerabilities, including initial access through compromised SMS messages and persistence through ongoing access to sensitive user data. Such insights are pivotal for business owners, who must remain aware of the ongoing risks associated with SMS communications and the broader consequences for data security and client trust. These vulnerabilities extend beyond individual users and pose a considerable risk to organizational security frameworks.
