American mobile operators have begun to introduce the wrong implementation of the standard RCS to replace SMS. Because of this, user data is at risk of listening and interception. Vice-president reported on the unsuccessful implementation of RCS with reference to the study of the cybersecurity company Security Research Labs (SRLabs).
According to Karsten Nohl, SRLabs employee, large companies like Vodafone have begun to deploy technology without demand or notice that will “endanger hundreds of millions of people.”
For research, SRLabs tested the SIM cards of several operators and checked their interaction with RCS-compatible domains. The company did not call the RCS standard itself vulnerable, but its implementation by different operators. Due to the fact that RCS is not unified, providers have found independent ways to implement it.
It seems that at the moment everyone is implementing it incorrectly, but in different ways.
The problems of some operators were how they send RCS configurations to subscribers. In one case, the server provided a file for a specific device, identifying it by its IP address. According to the researchers, because of this, any application on the smartphone can request an RCS configuration and get a login and password for all text messages and calls on the device.
Typically, RCS is an application in the phone through which you need to enter the network with a username and password. In one case, the operator sent a message with a six-digit code to confirm the authorization of the RCS user and gave an unlimited number of attempts to enter data. According to Zero, it was possible to conduct a million attempts in five minutes.
All of these errors came from the 90s and are now reinvented and re-introduced. Now they affect more than a billion people.
SRLabs noted that at least 100 mobile operators around the world have implemented RCS, including AT&T, T-Mobile, Sprint and Verizon. Researchers did not specify the specific vulnerabilities, they will report on them at the Black Hat conference in Europe in December 2019 and partially tell about the vulnerabilities at the DeepSec event on December 6.
Verizon and T-Mobile did not respond to Vice’s request for comment. Vodafone representatives said they were aware of SRLabs research and had already taken a number of measures to protect their RCS implementation.
AT&T and Sprint sent journalists to the GSM association. There Vice told that they already know about RCab problems from SRLabs and explained that not all protocol implementations are affected.
RCS is a new standard that operators have begun to deploy to replace SMS. It supports more communication options, including transferring photos, group chats, and file transfer.