RCS is being implemented dangerously, leaving users vulnerable to attack
Security experts from Security Research Labs (SRLabs) have warned that carriers are implementing RCS (Rich Communication Services, which will supersede SMS) in ways that risk leaving users exposed to all manner of attack.
The German hacking research collective issues the stark warning that "RCS technology exposes most mobile users to hacking". This is not because of inherent problems with the messaging protocol, but because of the ways in which it is being implemented.
While SRLabs's full research is due to be presented at December's Black Hat Europe conference, the group has given a summary of its findings ahead of this. It found that RCS left users exposed to the risk of message interception, impersonation, tracking, and much more.
SRLabs writes:
The provisioning process for activating RCS functionality on a phone is badly protected in many networks, allowing hackers to fully take over user accounts by stealing RCS configuration files that include SIP and HTTP credentials.
The most widespread RCS client (Android Messages) does not implement sufficient domain and certificate validation, enabling hackers to intercept and manipulate communication through a DNS spoofing attack.
Some RCS core nodes do not effectively validate the user identity, allowing caller ID spoofing and fraud through SIP message injection.
Not all networks are vulnerable to the same types of attack because of the different ways in which RCS can be implemented.
While SRLabs has not gone as far as singling out problems with individual carriers' versions of RCS, Google's implementation in Android's Messages app is criticized. "The underlying issue is that the RCS client, including the official Android messaging app, does not properly validate that the server identity matches the one provided by the network during the provisioning phase. This fact can be abused through DNS spoofing, enabling a hacker to be in the middle of the encrypted connection between mobile and RCS network core".
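The check that SRLabs says is missing can be illustrated with the Python example below, which is added here and is not code from SRLabs, Google or any RCS client. It compares the DNS names in a server certificate against the domain received at provisioning time rather than against whatever DNS later returns; the domain names and certificate dictionaries are constructed, and the certificate chain is assumed to have been verified already.

```python
# Added illustration: bind the TLS server identity to the domain received
# during provisioning. All names and certificate data here are constructed.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate dNSName with a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        if len(p) < 3:
            return False          # reject overly broad names such as "*.example"
    elif p[0] != h[0]:
        return False
    return p[1:] == h[1:]         # no wildcards past the left-most label


def identity_matches_provisioning(peer_cert: dict, provisioned_domain: str) -> bool:
    """peer_cert uses the dict layout of ssl.SSLSocket.getpeercert().

    Assumption: the chain was already verified against trusted CAs, so only
    the name binding is decided here.
    """
    sans = [value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"]
    return any(dns_name_matches(name, provisioned_domain) for name in sans)


# Constructed sample data.
PROVISIONED = "rcs.operator.example"          # domain from the provisioning phase
GENUINE = {"subjectAltName": (("DNS", "rcs.operator.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.operator.example"),)}
# A CA-valid certificate issued for a different host, as a server reached
# through a spoofed DNS answer would present.
OTHER_HOST = {"subjectAltName": (("DNS", "rcs.operator.example.attacker.test"),)}
NO_DNS_SAN = {"subjectAltName": (("IP Address", "192.0.2.10"),)}

if __name__ == "__main__":
    for label, cert in [("genuine", GENUINE), ("wildcard", WILDCARD),
                        ("other host", OTHER_HOST), ("no DNS SAN", NO_DNS_SAN)]:
        verdict = "accept" if identity_matches_provisioning(cert, PROVISIONED) else "reject"
        print(f"{label}: {verdict}")
```

A client that accepts any CA-valid certificate, or validates against a name taken from a DNS answer, would accept the "other host" certificate that this check rejects.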
We can expect more details to be revealed during and after Black Hat.