iMessage is one of the best platforms that Apple ever made — an SMS replacement that might do more for keeping iPhone users loyal to iOS than any other app. It works across devices (iPhone, iPad, and Mac), it’s encrypted, and it seamlessly handles the transition between regular texting and the rich instant messaging experience we all want. Best of all, carriers have no say in or control over iMessage.
This brings us to Android, where Google has tried and failed for years to find a decent iMessage alternative. The best chance of that ever coming to pass is RCS (Rich Communication Services), which Google and carriers want to use instead of SMS. Unfortunately, not only is RCS not end-to-end encrypted like iMessage, but it turns out that it’s also a nightmare when it comes to other user data security and privacy practices.
Researchers from SRLabs told Motherboard that early RCS deployments are inconsistent in the security measures they apply. In some markets, flawed implementations can be abused to read a user's text messages, listen in on calls, or pinpoint the user's location.
The problem isn’t with the RCS standard itself but with how individual mobile operators implement it. RCS is meant to offer the same rich texting experience as iMessage and should become a default app on Android handsets. Apple hasn’t announced support for RCS at this time. Google, meanwhile, is pushing its own version of RCS.
“Everybody seems to get it wrong right now, but in different ways,” security researcher Karsten Nohl told the blog. “We find that is actually a step backwards for a lot of networks.”
Apparently, some carriers identify the user by nothing more than the IP address the request comes from, and on that basis alone they hand out the matching RCS configuration file, which contains the credentials for the user's account. Anything else running on the same phone shares that IP address, which is why Nohl warns that “any app that you install on your phone, even if you give it no permissions whatsoever, it can request this file. So now every app can get your username and password to all your text messages and all your voice calls.” And “that’s unexpected,” according to the researcher.
A different mistake is just as troubling: a carrier sends a six-digit code by text message to verify the RCS user, but puts no limit on the number of attempts, so the code can simply be guessed by brute force. A six-digit code has only a million possible values. “One million attempts takes five minutes,” the researcher explained, and that is all the time an attacker would need to get access to a target’s RCS profile.
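To make the attempt-limit flaw concrete, here is an added Python example written for this article; it is not code from SRLabs, the GSMA or any carrier. It puts a verification check that accepts unlimited guesses beside one that locks the code after a handful of failures and expires it after a few minutes, then runs the same exhaustive guessing loop against both. The class names, the five-attempt cap, the ten-minute expiry and the constructed test codes are assumptions chosen for illustration, not values observed in any real RCS deployment.

```python
"""Six-digit SMS verification: unlimited attempts vs. attempt-limited.

Added example for this article; not code from SRLabs or any carrier.
The 5-attempt cap and 600-second expiry are illustrative assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_SPACE = 10**6  # six decimal digits: 000000 .. 999999


def generate_code() -> str:
    # secrets gives an unpredictable code; zero-padding keeps leading zeros.
    return f"{secrets.randbelow(CODE_SPACE):06d}"


@dataclass
class UnlimitedVerifier:
    """Weak design: the same code may be guessed as often as the caller likes."""
    code: str = field(default_factory=generate_code)
    attempts: int = 0

    def verify(self, guess: str) -> bool:
        self.attempts += 1
        # Constant-time comparison; the real weakness here is the missing cap.
        return hmac.compare_digest(self.code, guess)


@dataclass
class LimitedVerifier:
    """Hardened design: bounded attempts, expiry, and a code burnt after use."""
    max_attempts: int = 5          # assumed cap
    ttl_seconds: float = 600.0     # assumed expiry
    code: str = field(default_factory=generate_code)
    issued_at: float = field(default_factory=time.monotonic)
    attempts: int = 0
    locked: bool = False

    def verify(self, guess: str) -> bool:
        if self.locked or time.monotonic() - self.issued_at > self.ttl_seconds:
            return False  # expired or locked: a fresh code must be requested
        self.attempts += 1
        if hmac.compare_digest(self.code, guess):
            self.locked = True  # one-time use: a replayed code is rejected
            return True
        if self.attempts >= self.max_attempts:
            self.locked = True  # attacker gets at most max_attempts / 10**6 odds
        return False


def brute_force(verifier) -> Optional[int]:
    """Try every six-digit code in order; return the accepted one, or None.

    Stops early once a verifier reports itself locked, since further guesses
    can no longer succeed.
    """
    for n in range(CODE_SPACE):
        if verifier.verify(f"{n:06d}"):
            return n
        if getattr(verifier, "locked", False):
            return None
    return None


def worst_case_seconds(seconds_per_attempt: float) -> float:
    """Time to exhaust the whole code space at a given per-attempt cost."""
    return CODE_SPACE * seconds_per_attempt


if __name__ == "__main__":
    weak = UnlimitedVerifier(code="734219")  # constructed code for the demo
    print("unlimited:", brute_force(weak), "after", weak.attempts, "attempts")
    strong = LimitedVerifier(code="734219")
    print("limited:", brute_force(strong), "after", strong.attempts,
          "attempts, locked =", strong.locked)
    # 300 microseconds per attempt reproduces the five-minute figure quoted.
    print("full sweep at 300 us/attempt:", worst_case_seconds(300e-6), "s")
```

The unlimited verifier is always defeated after at most one million guesses, which is exactly the arithmetic behind the quoted five-minute figure; the limited one gives an attacker five tries out of a million per code, after which a new code has to be requested through a channel the attacker does not control.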
The good news is that the GSMA and the carriers are aware of these issues, and fixes are probably on the way. The researchers will further explain their RCS findings at the Black Hat Europe conference next December.
However, that doesn’t change the fact that RCS is now enabled by as many as 100 mobile operators, including several in Europe and the US. And, since SRLabs didn’t disclose the names of the carriers whose RCS implementations aren’t secure, some of these vulnerabilities might be exploited by malicious actors. The report, however, provides no evidence of any such activities for the time being.