Trivial flaws in the infrastructure that routes SMS messages can give an attacker effective control of a target phone number by redirecting every text sent to it. Executing the attack is easy, requires no technical background, and costs the attacker as little as $16.
Taking Over Phone Numbers Via SMS
Despite its age, SMS remains in common use worldwide, including for security purposes such as delivering 2FA codes, partly because people regard it as more secure than internet-based channels since it travels over a separate network. However, researchers have now shown how this same infrastructure lets an adversary take over a target's phone number by rerouting its SMS messages.
As Motherboard's Joseph Cox explained in a recent post, a hacker using the alias Lucky225 demonstrated the attack by targeting Cox's own number.
In brief, this attack differs from well-known techniques such as SIM swapping, SS7 attacks and port-out fraud. It is a far simpler strategy that abuses Sakari, a firm offering SMS marketing services to businesses.
All the adversary has to do is sign up with Sakari, which costs $16, and fill in a Letter of Authorization (LOA) asserting that the signing party is authorized to use the phone number it wants to route. Sakari then redirects that number's SMS traffic to the attacker's account.
Apparently, nobody at any point in this process verifies that the number a user enters actually belongs to that user. An adversary can therefore enter a target's phone number and have its SMS messages rerouted to the adversary's own account.
Once that is done, the attacker receives every SMS 2FA code sent to the number and can take over the accounts tied to it, such as social media and bank accounts.
The entire attack runs without the victim noticing. At the victim's end the SIM looks perfectly normal and stays connected to the network; the only visible sign is that the rerouted texts never arrive.
How The Attack Executes
Anyone interested in the technical details can read Lucky225's own post. In it, he explains how the attack abuses NetNumber, which maintains a global registry of unique identifiers for SMS service providers that is used to decide which provider receives the text messages for a given number.
Briefly, while the service assigns each provider a unique NetNumber ID (NNID) for identification, the NNID recorded for a given phone number can also be changed, and that change involves no authentication by the number's owner. An adversary who gets a target number pointed at a provider under their control therefore hijacks the number's SMS traffic without giving the victim any hint.
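To make the missing check concrete, here is an added toy model of routing by provider ID. It is not code from Lucky225's post, Sakari or NetNumber; the registry class, its methods and the NNID strings are assumptions made up for illustration. It contrasts the unchecked reroute described above with a hardened flow that proves possession of the number by sending a one-time code over the number's current route before the change takes effect.

```python
"""Toy model of SMS routing by provider ID (NNID), with and without a
proof-of-possession check. Constructed for illustration only: the registry
API and the NNID values are made up and do not reflect any real system."""
from dataclasses import dataclass, field
import secrets


@dataclass
class SmsRegistry:
    routes: dict[str, str] = field(default_factory=dict)     # number -> NNID
    inboxes: dict[str, list[str]] = field(default_factory=dict)  # NNID -> texts received
    pending: dict[str, tuple[str, str]] = field(default_factory=dict)  # number -> (new NNID, code)

    def deliver(self, number: str, text: str) -> str:
        """Route one SMS: it lands with whichever provider the registry names."""
        nnid = self.routes[number]
        self.inboxes.setdefault(nnid, []).append(text)
        return nnid

    def reroute_unchecked(self, number: str, new_nnid: str) -> None:
        """The weak flow from the article: a self-asserted LOA, no verification."""
        self.routes[number] = new_nnid

    def request_reroute(self, number: str, new_nnid: str) -> str:
        """Hardened flow: send a one-time code over the CURRENT route, so only
        whoever actually holds the number can complete the change."""
        code = secrets.token_hex(3)
        self.pending[number] = (new_nnid, code)
        return self.deliver(number, f"Confirm SMS rerouting with code {code}")

    def confirm_reroute(self, number: str, code: str) -> bool:
        """Apply the change only if the code matches; a wrong code voids the
        request so it cannot be brute-forced."""
        new_nnid, expected = self.pending.pop(number, ("", ""))
        if not expected or not secrets.compare_digest(code, expected):
            return False
        self.routes[number] = new_nnid
        return True


VICTIM = "+15550100"                         # constructed sample number
CARRIER, AGGREGATOR = "NNID-CARRIER", "NNID-AGGREGATOR"  # made-up IDs


def unchecked_attack() -> str:
    """Which NNID receives the victim's 2FA code after an unchecked reroute."""
    reg = SmsRegistry(routes={VICTIM: CARRIER})
    reg.reroute_unchecked(VICTIM, AGGREGATOR)   # attacker's $16 account
    return reg.deliver(VICTIM, "Your bank login code is 482913")


def checked_attack() -> tuple[bool, str]:
    """Same attempt against the hardened flow: the confirmation code goes to
    the carrier, not the attacker, so the guess fails and routing is unchanged."""
    reg = SmsRegistry(routes={VICTIM: CARRIER})
    reg.request_reroute(VICTIM, AGGREGATOR)
    accepted = reg.confirm_reroute(VICTIM, "000000")
    return accepted, reg.deliver(VICTIM, "Your bank login code is 482913")


def legitimate_move() -> bool:
    """The real holder reads the code on the handset and completes the move."""
    reg = SmsRegistry(routes={VICTIM: CARRIER})
    reg.request_reroute(VICTIM, AGGREGATOR)
    code = reg.inboxes[CARRIER][-1].rsplit(" ", 1)[1]
    return reg.confirm_reroute(VICTIM, code) and reg.routes[VICTIM] == AGGREGATOR


if __name__ == "__main__":
    print("unchecked reroute delivers 2FA code to:", unchecked_attack())
    print("hardened flow, attacker guess accepted / code delivered to:", checked_attack())
    print("hardened flow, legitimate holder succeeds:", legitimate_move())
```

The point of the hardened flow is that the only party who can read the confirmation code is whoever currently receives the number's texts, which is exactly the party a rerouting request must not be able to bypass. A real implementation would also expire the pending request and rate-limit attempts.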
So far there are no confirmed reports of this attack being used in the wild, but nobody can rule it out with certainty.