Pixel Envy

Written by Nick Heer.

It Is Trivial to Reroute Text Messages Given the Design of the SMS System

Joseph Cox, Vice:

“Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.”

This is not a SIM swapping attack. It uses a bulk SMS service — in this case, from Sakari — to reroute messages from a target phone. It is wild how trivial this is.

This paragraph made me chuckle a bit:

“In Sakari’s case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari’s LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.”

One of the great miracles of the economy we participate in is the extent to which no entity feels responsible or liable for anything. Everything that goes right is marketed as a success by everyone in the chain; anything that goes wrong is somebody else’s problem. Nobody goes to jail and nobody has to pay a fine.

Nice work if you can get it.

To its credit, Sakari did make some changes to improve its consent policies. But that is just one company and, anyway, it is bananas that this was possible in the first place.