Blog post: SMS insecurity

Some informative points:

6 Likes

I first decided to pass on commenting on this because the opinion piece, while generally true, boils down to “SMS is postcard”. Email is that too. There are good reasons why general mundane communications should and has to be open. Or rather, the problems of encrypting everything and getting that as a global standard that is idiot proof seems unlikely and a waste. To me, in that scale, it is still better to have selected (risk profiled) comms secure. I think part of the idea behind the blog is the increasing use of SMS to convey weak 2FA in open message (unlike one-time pad method), which is a different problem - fixing the whole SMS to fix that seems overkill.

On another tangent though, and why this got my attention, is a new thing from Brussels that could lead to SMS being compatible with the likes of WA, Signal and Telegram: the Digital Markets Act. In a surprising new version, there is language in there that calls for these different huge (there is a size limit) services to be compatible, so that users may connect to each other and not be locked in to one message ecosystem. The good: APIs would have to open. The weird: someone might (however unlikely) connect SMS to these too. The possibly bad: I’d expect weakening security and privacy - although this might have the potential to become more secure than SMS and (almost) as universal. Probably other things too. Remains to be seen what the final version will be and will the Brussels effect (thru legislation MAMA creates something to comply with the EU and offers that same globally too) work here.

(sorry if this goes too far left field - might be more a “general sec and privacy” category news)
(edit: I seem to have wasted a good clickbait April Fools joke opportunity, as I could have worded that so it made it seem it was a sure thing every messenger network will be connected and SMS will get encryption :smile:)

I strongly disagree. It is nobody’s business (other than the recipient) to read my letters. Encryption and decryption use a negligible amount of resources. I also do not need a global standard for encryption. I just need to be free to encrypt as I wish - which is being threatened by governments under any pretense they can get.

Ah, there you mix separate points. I agree, that none should read and none should be able to read. World should work in a manner that encryption is not needed (in most communications). Encryption should also be possible and more used, is also a given. But - as it is now - most are not able to use secure comms and making them available has huge consequences. It would be nice but I doubt it will happen soon… And that is why the EU announcement was surprising because it might actually start that change (with some unknown aspects).

Fixed. I must have classified it as “Librem 5” by accident. Thanks.

Nevertheless that could be the implication of a requirement for message services to interoperate, combined with a user requirement for end-to-end encryption.

A single, global, mandated encryption algorithm is a weak-point but a proliferation of proprietary and/or unique choices of encryption algorithm makes interoperation difficult to impossible, and is one of the reasons why encrypted communication is difficult to set up.

I suppose the specification could be as vague as saying something like that it must use TLS but that then leaves it open as to precisely which algorithms get negotiated internally.

Still, SMS is just a datagram. There’s nothing stopping you and the party with whom you want to communicate layering whatever end-to-end encryption you want over the top of the SMS, no matter how SMS is implemented.

It may make more sense for SMS to be excluded from that.

I have my doubts that SMS can be compatible while still being SMS. In other words, if the SMS standard is upgraded enough to support interoperation with messaging services then SMS may no longer be compatible with … SMS.

So, if I have the latest phone, with the latest software, I can send an SMS to someone who is using a messaging service but … I can no longer send an SMS to someone who only has the traditional SMS functionality (assuming that I don’t have prior knowledge of the recipient’s capability).

Another way to approach that problem would be … SMS stays exactly as it is but MMS is upgraded to support enough functionality to interoperate with messaging services.

For a store-and-forward mechanism (like email and SMS) there are two separate security questions:

  1. Is it secure as it travels over each hop?
  2. Is it end-to-end secure?

If Brussels wants to meddle then a better answer might be: mandate open 2FA like TOTP or HOTP.

Then you don’t need to install some service provider’s crappy app in order to get 2FA. You can just install one open source app and it will do every service provider - and do it with a basic minimum level of security.

This of course implies making it illegal to use SMS for 2FA (longer term). Then, as you imply, no one needs to worry that SMS is insecure, at least as far as 2FA goes.

1 Like

Ay, SMS isn’t intended to be compatible (if I understood correctly). It was, what I think, behind the blog post, about that maybe something should replace it. In any case, I can’t see anything replacing SMS - old tech doesn’t really ever die - just something new by its side.

And if it’s about 2FA, the adoption of some open HOTP/TOTP/mix tech would be good - any service could use them already without Brussels. Having the legislation require open login services to be used to gain entry to this one mega-network would be good.

But the service doesn’t necessarily have an incentive to do so and has an incentive not to do so.

As a counterpoint to this kind of regulatory change, I currently use an RSA key for 2FA login to internet banking - and this is most likely more secure than any app running on a mobile phone, whether the app is open or not, whether the phone is open or not. If the law required open 2FA like TOTP or HOTP then I might have to stop using my RSA key. I don’t think that would be a step forward. I think this illustrates the dangers and problems with the regulatory authorities getting too involved in picking technologies.

1 Like