T-Mobile AT&T Verizon Sprint Android Google

RCS vulnerabilities can help a hacker take control of your bank account

by Alan Friedman / Nov 29, 2019, 10:09 PM

RCS vulnerabilities can help a hacker take control of your bank account

Rich Communication Service, or RCS, is the next generation in wireless messaging. Unlike SMS/Text, which uses a wireless operator's cellular connection, RCS runs through a carrier's data network. This allows messages to be sent over Wi-Fi when possible. It also will lead to an increase in the number of characters allowed per message to 8,000 from the 160 cap that text has. In addition, RCS issues "read receipts" so that users know when their message has been read by the recipient. And when someone is typing a response to an RCS dispatch, a three-dot indicator will let a user know that an incoming message is being composed. Group messages with up to 100 participants can take place, and larger files containing images and videos can be shared.

The U.S. wireless carriers have big plans for the platform. All four major U.S. carriers have formed the Cross Carrier Messaging Initiative (CCMI) and are planning to deliver an RCS based messaging app next year to their Android toting customers. The wireless operators are planning to monetize RCS by allowing users to purchase tickets, visit their favorite brands, and even buy products without leaving the messaging app. Meanwhile, as it did in the U.K. and France earlier this year when it pulled an end-run around the carriers by releasing an RCS messaging app, Google recently started rolling out RCS Chat to all Android phones in the states. Those receiving it have to select the Android Messages app set as their default messaging platform.

Hackers using vulnerabilities found on RCS can steal one time passwords and make changes to users' online accounts

But there does seem to be a dark side to RCS as discovered by Germany (SRLabs). The security firm says that the process of getting Android handsets ready for RCS leaves the platform wide open to be hacked and that there is very little protection for users. Attackers can take over user accounts, and the most widely used RCS Client at the moment (the aforementioned Android Messages app) does not do enough validation of domains, certificates, and user identity. As a result, hackers can spoof a domain name and even allow caller ID spoofing and fraud.

Some of the attacks that hackers can do through the RCS vulnerabilities

SRLabs found that through RCS, hackers can track users and verify if they are online. Spoofing caller ID, the hackers can pretend to be someone else. The vulnerabilities in the platform can allow a bad actor to hijack a one-time password sent by SMS; this could allow an unauthorized bank transaction to be approved, or help transfer the control of an account to a hacker. The report notes that "The underlying issue is that the RCS client, including the official Android messaging app, does not properly validate that the server identity matches the one provided by the network during the provisioning phase. This fact can be abused through DNS spoofing, enabling a hacker to be in the middle of the encrypted connection between mobile and RCS network core."

RCS attacks can be mitigated by using these best practices

SRLabs says that the vulnerabilities can be corrected. Some of the suggestions include the use of "strong" one time password codes, and employing information from a user's SIM card to authenticate the user. The RCS client being employed (for example, the Android Messages app) should connect only to trusted domains and validate certificates.

If RCS is going to live up to its potential, the vulnerabilities need to be patched. And that is especially true if the carriers plan on monetizing it. Consumers are going to want to use a messaging app that they can trust and at this point, it isn't clear that RCS can be fully trusted.

Options

14 Comments

1. RevolutionA

Posts: 481; Member since: Sep 30, 2017

It's still not late for iMessage. Wake up people

posted on Nov 29, 2019, 10:36 PM 0

3. nikhil23

Posts: 500; Member since: Dec 07, 2016

EVery system and software out there is vulnerable. As you add more features into the system, You create more loopholes in it. Imessage is nothing special. Wake up!https://www.google.com/amp/s/www.wired.com/story/imessage-interactionless-hacks-google-project-zero/amp

posted on Nov 30, 2019, 12:20 AM 5

6. ahmadkun

Posts: 664; Member since: May 02, 2016

iMessage is great but mostly in US people want something let them chat with anyone using any OS .. like WhatsApp or Telegram .. cross-platforms and no limitation

posted on Nov 30, 2019, 3:26 AM 3

17. Jcrosby454

Posts: 6; Member since: Mar 25, 2019

Agree. But good luck... no iPhone user is going to download whatsapp

posted on Nov 30, 2019, 10:11 PM 0

2. perry1234

Posts: 654; Member since: Aug 14, 2012

What is so special about RCS? Genuinely curious. Isn't iMessage doing all the of the RCS stuff already, since ages?

posted on Nov 29, 2019, 10:58 PM 1

4. BL4NKF4CE

Posts: 151; Member since: Aug 06, 2017

RCS is going to become the new standard. It's going to replace SMS eventually. So basically, iMessage for everyone all the time. No matter what phone you use.

posted on Nov 30, 2019, 12:38 AM 1

5. yalokiy

Posts: 1113; Member since: Aug 01, 2016

It's better than sms, but still much worse than imessage. RCS is just a waste of time, the tech is DOA. It doesn't have end to end encryption so the carriers can track the user all the time (as can be seen by the features..ahm, "vulnerabilities" listed in the article). It makes no sense when there are apps like telegram, signal, wire, threema, etc.

posted on Nov 30, 2019, 2:24 AM 1

15. BL4NKF4CE

So you're saying updates can't happen to the technology to make it more secure? Remember when WhatsApp came out first, it isn't have end to end encryption either. iMessage didn't either. Its definitely something that WILL be added in. And wouldn't it be nice if people didn't have to download an app? That's the goal. A universal chat that people don't need to download an app for.

posted on Nov 30, 2019, 7:25 AM 2

24. yalokiy

It's 10 years late. Maybe if it started at the same time as imessage it had a chance. Today, even if they fix all the vulnerabilities and add proper encryption (which I highly doubt they ever will, since they want to keep tracking all the users as they do with sms), it will be just another preinstalled app that most people are not going to use. Regarding downloading an app, isn't that why we buy smartphones for?

posted on Dec 01, 2019, 5:30 AM 0

25. BL4NKF4CE

So, you're saying you don't regular SMS anyone? Everyone you talk to has whatsapp, telegram, signal, etc? The point of RCS is to completely remove SMS. So everyone's regular SMS app that comes on every phone no matter what will be capable of RCS eventually. I personally find it irritating that I have 4 people on Signal, 17 on Telegram, a lot on Whatsapp, and the rest regular SMS. I'd rather have all my messages going to one place.

posted on Dec 01, 2019, 4:23 PM 0

26. yalokiy

I don't sms and rarely call via phone app. Change to RCS won't happen, people will continue to stick to an app they got used to after many years. And I highly doubt RCS will catch up quickly in functionality to match Signal or Telegram.

posted on 16 hours ago 0

10. GodKnowsAll

Posts: 30; Member since: Oct 12, 2012

Here goes your

posted on Nov 30, 2019, 5:28 AM 0

22. Jcrosby454

..... Beloved Google, face-palming the carriers. Yessss...

posted on Nov 30, 2019, 10:32 PM 0

19. Jcrosby454

I'm glad Google expedited the rollout before the carriers. It will have encryption soon enough. The problem is that many of us will still be stuck with sms until there is a way to use the technology cross platform. Everyone in my family, and most of my friends have iPhone.