Security Vulnerabilities in the RCS Texting Protocol
SRLabs founder Karsten Nohl, a researcher with a track record of exposing security flaws in telephony systems, argues that RCS is in many ways no better than SS7, the decades-old phone system carriers still used for calling and texting, which has long been known to be vulnerable to interception and spoofing attacks. While using end-to-end encrypted internet-based tools like iMessage and WhatsApp obviates many of those of SS7 issues, Nohl says that flawed implementations of RCS make it not much safer than the SMS system it hopes to replace.
I think this shows the difference between the US and Europe and Asia. In the US, this seems to be a big thing.
Over here, people are looking at it and going “huh?”
99.9% of the SMS that I get these days are 1-time passwords for registering with new online services or recovering accounts - if I can’t stop them. I think I have had 4 SMS this year, 3 of which were codes from Internet services sending a verify codes on initial account creation.
Everybody I know uses Signal, Telegram or WhatsApp.
It probably needs a bigger sample size than we have here to determine a consistent pattern. For me, the experience has been the opposite: all my friends communicate via SMS and none of them has asked if I’m available on an alternate messaging service. And in the last month I’ve had SMS messages from the doctor, dentist, hospital and grocery delivery service, so my SMS traffic is quite busy. Knowing the limited appetite for change in those organisations I expect they’ll still be using SMS until the client in whatever device they’re using includes RCS.
Correction: some of my friends are probably on iPhones so are using a rich service anyway, but the effect is the same: they’re happily talking SMS to me.
Over here, it is pretty much unheard of for businesses to send SMS. A few do, but I don’t know of any around here that do.
I think part of it is also that over here iPhone has so little market share that iPhone users pretty much have to use what their friends on Android are using, otherwise they miss out.
The good thing about the Apple messaging app is the users don’t have to think about what the destination device is: they just enter the contact details and the app identifies which ones are iDevices, and which not, and sends the appropriate message format.
I don’t get it. Do they not send messages at all? The reason we use SMS here is because it’s universal. How do you know what messaging service the customer is using?
It seems to me that until there’s a universal system that everyone uses, SMS is going to dominate in the states. I get it that economic factors (e.g. the cost of SMS from the carriers) was what propelled WhatsApp to dominance in countries like Brazil.
But without those economic incentives in the US, the non-SMS messaging choices are just too fragmented. And I refuse to use anything Facebook owns!
I’d be thrilled if everyone I knew used Signal or Telegram but that’s just not the case. And I can’t think of any reason that would happen in the foreseeable future.
Here in Guam we have three carriers. Two are owned by US companies (ATT and Verizon I’m pretty sure) and one is owned by a US company and Korea Telecom.
We have SMS only and NO MMS. Meaning if you are texting a Guam number it’s free but you cannot send a picture, recording or any Multimedia at all. It’s also something outrageous like $.25 a text to any stateside number.
Therefore everyone uses WhatsApp here, and you have to pay extra to get free calls to the states even though we are a +1 country code like everyone else. Also 2 factor SMS rarely works for us, making it very difficult sometimes (like w C1) when dealing with companies that only offer SMS 2FA.
Anyway. RCS is still not enabled on my phone. This would solve a whole slew of problems listed above. I don’t understand why the carriers are jumping at this and making a huge marketing push here. It would be a game changer…“YOU CAN FINALLY TEXT YOUR FAMILY BACK HOME! SEND PICTURES TO YOUR FRIENDS!” it would be a miracle lol
I’ve tweeted the carriers but they ignore me. Guam is weird like that.
You can sign up for newsletters and alerts on Telegram (used to be WhatsApp, but because of its GDPR status, most are switching over to Telegram).
But, in general, no, I don’t get messages from any business, either SMS or on a messaging app. At most I get emails or letters in the post. If I can avoid it, I don’t give any business my contact information.
I generally use Signal, but the daughters and my wife have to use Telegram for work (switched from WhatsApp last year, once GDPR came into effect, so she could finally dump it).
At home I use a Pi-Hole and over 2,000 Facebook domains are blacklisted (along with another 2.5 million tracking and malware domains).
I’m probably the odd outlier here. I use iMessage for all my iphone peeps. Those I know are on android I message on messenger. Mainly because I prefer the rich value on texting. Have the read it. Has it been delivered Being in a rural area often times that is the case it just hasn’t reach their device because they are in a no signal area.
I would be thrilled to use Telegram for everything. I don’t consider its “roll-your-own crypto” totally secure but as Steve says its good enough. And I love Telegram’s feature set. But no one I know uses it.
I wouldn’t mind using RCS. but on two different phones (a Rubinesque Essential running 10 & a $150 Chinese phone running 9) the latest update made it so I can’t see names on contacts using short codes. I had to remove updates to figure out who was texting me.
Hi There, I live in the UK, but am originally from Greece, so I have two numbers and two phones, an iPhone and a Moto G6+ switching recently from full Android.
99% of my friends are Android users, so I am very interested in RCS. I did a little investigation and discovered that one of the incentives presented by Vodafone to their corporate clients was that they can do rich media marketing.
Indeed, I managed to get my Greek number activated with RCS and now every time I turn my phone on while living in the UK, I get an RCS message from Vodafone GR themselves, which contains rich media, video etc.
I think it is nice, and it would be quite useful for the companies to have one main rich channel of communication with their customers. I have had to use Facebook Messenger to communicate with a couple of companies recently for customer service. It was quite useful I was able to resolve my issue in minutes. I am pretty sure that if/when RCS becomes widely adopted and people/companies are aware about its features it will be used as unified platform for customer service and marketing.
That is a big difference here, people generally don’t want to be bothered by customer services. They’ll go to the shop or they’ll correspond with email, but not with SMS or another messaging platform.
That is how Vodafone is promoting it, as a Promotion omni channel. I think there is an additional incentive for the carriers to support it as it a rich source of data. They can mine everything and it will be a lot more valuable source than sms because of the restricted nature sms had.
As a customer I Think we will need strong anti spam protection.
Security Vulnerabilities in the RCS Texting Protocol 