Bad RCS implementations are creating big vulnerabilities, security researchers claim

Carriers are creating problems for users

Illustration by Alex Castro / The Verge

Security researchers at SRLabs have found a number of vulnerabilities with the way carriers around the world are implementing RCS, the new messaging standard designed to replace SMS, Motherboard reports. In some cases, these issues could compromise a user’s location data, they could allow their text messages or calls to be intercepted, or they might allow their phone number to be spoofed.

One issue identified on an unnamed carrier’s implementation could allow any app on your phone to download your RCS configuration file, for example, giving the app your username and password and allowing it to access all your voice calls and text messages. In another case, the six-digit code a carrier uses to verify a user’s identity was vulnerable to being guessed through brute force by a third party. These problems were found after researchers analyzed a sample of SIM cards from several different carriers.

RCS is a new messaging standard that’s designed to one day replace SMS as a means of sending text messages. It supports many of the features introduced by modern messaging clients like iMessage and WhatsApp including read receipts and typing indicators (although not end-to-end encryption), in a cross-platform standard that different companies can integrate with. The researchers did not identify any problems with the standard itself; it’s the way carriers are rolling it out that’s the problem.

SRLabs didn’t share which security holes were found with which carriers, but noted that the standard is being implemented by at least 100 carriers around the world, including the four US majors. “We find that is actually a step backwards for a lot of networks [compared to SMS],” Karsten Nohl from SRLabs told Motherboard. “All of these mistakes from the 90s are being reinvented, reintroduced.”

When contacted for comment, a spokesperson for the trade body that represents network operators, the GSMA, told Motherboard that researchers from SRLabs will be presenting their findings to the organization next week, and that they believed there are countermeasures available to fix the issues they’ve identified. “We are grateful to the researchers for allowing the industry the opportunity to consider their findings. The GSMA welcomes any research that enhances the security and user confidence of mobile services,” the spokesperson said.

Despite its advantages over SMS, RCS has been slow to roll out. The standard was announced last year, but it wasn’t until this month that Google started making it the primary texting platform for Android Messages, and that change won’t affect the best-selling Android phone manufacturer in the US, Samsung, because by default it offers its own messaging client. AT&T, Verizon, T-Mobile, and Sprint are also planning on offering support via their own texting app next year. Meanwhile, Apple has declined to comment on whether it will support the standard.

SRLabs will be presenting its findings at the Black Hat Europe conference in December, after showing off some of its work at the DeepSec conference today.