London Bridge attack: ‘Everyday heroes’ praised
November 29, 2019
iHealth’s infrared thermometer and smartphone-connected blood pressure cuff are down to their best prices
November 29, 2019

Google’s RCS messaging could rival iMessage, but for now it’s a security nightmare

iMessage is one of the best platforms that Apple ever made -- an SMS replacement that might do more for keeping iPhone users loyal to iOS than any other app. It works across devices (iPhone, iPad, and Mac), it’s encrypted, and it seamlessly handles the transition between regular texting and the rich instant messaging experience we all want. Best of all, carriers have no say in or control over iMessage. This brings us to Android, where Google has tried and failed for years to find a decent iMessage alternative. The best chance of that ever coming to pass is RCS (Rich Communication Services), which Google and carriers want to use instead of SMS. Unfortunately, not only is RCS not end-to-end encrypted like iMessage, but it turns out that it’s also a nightmare when it comes to other user data security and privacy practices. Researchers from SRLabs explained to Motherboard that the first RCS implementations lack uniformity when it comes to security measures. User data is at risk of being compromised, as RCS can be exploited in some markets to reveal the contents of text messages and calls, or pinpoint the location of the user. The problem isn’t with the RCS standard, but the way it’s implemented by mobile operators. RCS is meant to offer the same rich texting experience as iMessage, and should become a default app on Android handsets. Apple hasn't announced support for RCS at this time. Google, meanwhile, is pushing its own version of RCS. "Everybody seems to get it wrong right now, but in different ways," security research Karsten Nohl told the blog. "We find that is actually a step backwards for a lot of networks." Apparently, some carriers identify users by their IP address, and that’s how they provide the corresponding configuration file. But Nohl explains that “any app that you install on your phone, even if you give it no permissions whatsoever, it can request this file. So now every app can get your username and password to all your text messages and all your voice calls." And "that's unexpected," according to the researcher. Similarly disturbing is a different error where a carrier sends a text message with a six-digit code to verify the RCS user, but there are no entry limits, which means the security code can be hacked via brute force attacks. "One million attempts takes five minutes," the researcher explained, and that’s how long an attacker would need to get access to a target’s RCS profile. The good news is that the GSMA and the carriers are aware of these issues, and fixes are probably on the way. The researchers will further explain their RCS findings at the Black Hat Europe conference next December. However, that doesn’t change the fact that RCS is now enabled by as many as 100 mobile operators, including several in Europe and the US. And, since SRLabs didn’t disclose the names of the carriers whose RCS implementations aren’t secure, some of these vulnerabilities might be exploited by malicious actors. The report, however, provides no evidence of any such activities for the time being.

RCS vs. iMessage

iMessage is one of the best platforms that Apple ever made -- an SMS replacement that might do more for keeping iPhone users loyal to iOS than any other app. It works across devices (iPhone, iPad, and Mac), it’s encrypted, and it seamlessly handles the transition between regular texting and the rich instant messaging experience we all want. Best of all, carriers have no say in or control over iMessage.

This brings us to Android, where Google has tried and failed for years to find a decent iMessage alternative. The best chance of that ever coming to pass is RCS (Rich Communication Services), which Google and carriers want to use instead of SMS. Unfortunately, not only is RCS not end-to-end encrypted like iMessage, but it turns out that it’s also a nightmare when it comes to other user data security and privacy practices.

Continue reading...

BGR Top Deals:

  1. AirPods are so cheap right now on Amazon, it almost seems like a mistake
  2. A Black Friday 2019 deal like no other: Free money from Amazon

Trending Right Now:

  1. Walmart just announced its big Cyber Monday sale – here’s everything you need to know
  2. Report says iPhone 12 will help Apple do something huge that it hasn’t done in years
  3. Huge leak reveals the plot for the biggest Marvel movie coming in MCU Phase 4

Google’s RCS messaging could rival iMessage, but for now it’s a security nightmare originally appeared on BGR.com on Fri, 29 Nov 2019 at 15:37:12 EDT. Please see our terms for use of feeds.

Article by [author-name] (c) BGR - Read full story here.

Comments are closed.