SMS redirection attack would allow hackers to steal authentication messages

Experts report that major telephone operators in the U.S. have changed the way SMS messages are routed in order to prevent the exploitation of a flaw that would allow threat actors to arbitrarily redirect text messages.

According to the report, presented by Motherboard, operators decided to implement these changes after receiving an analysis of how easily these messages can be redirected and how the stolen information can be used to access users’ social media accounts, email, or online banking platforms.

As part of the testing, Motherboard paid a hacker only about $15 to redirect some SMS messages using the tools of Sakari, a company specializing in mass marketing.

Sakari offers a text redirection tool from a company called Bandwidth, which in turn is supplied by another company called NetNumber. This creates a complex chain of providers that has only contributed to the constant emergence of security flaws, and the Motherboard hacker leveraged it to access Sakari tools without requiring authentication of any kind.

Sakari is mainly used by companies to import their own phone numbers and send SMS messages in bulk. An attacker could abuse this platform by simply importing a phone number and gaining access to text messages stored in Sakari.

Aerialink, a communications company that helps route text messages, mentioned that wireless carriers no longer support enabling SMS or MMS on wireless numbers, as it affects all SMS providers in the mobile ecosystem. In theory, this should prevent the exploitation of the flaw reported by Motherboard.

Experts are unclear whether this attack has been exploited in real-world scenarios, although they point out that exploitation is relatively trivial, unlike other mobile hacking variants such as SIM sharing.
