Ireland’s efforts to keep residents informed about coronavirus has fallen foul of the same basic SMS vulnerability that one of their British neighbours experienced back in March.
Lulzsec-bod-turned-security-consultant Jake Davis reckoned the Irish government is using an SMS sender name that is vulnerable to spoofing – a process that is simple and straightforward, not that we’re going to explain how it’s done.
Anyone flying to the Emerald Isle must give their contact details to immigration staff, including a mobile phone number. That number is then sent a text from “gov ie” with details of how to call a doctor and get public health advice if one starts experiencing COVID-19 symptoms. “Fairly standard and responsible stuff,” commented Davis.
What was not “standard and responsible”, in his view, was Ireland’s mobile networks not blocking the sender name from being reused by anyone else at all. As he related it: “Now, when Darren [Martyn, a fellow infosec researcher] said to me ‘hang on, can you try sending me a cheeky spoofed text from this sender?’ my immediate thought was that there’s no way this will work using basic SMS tricks.”
This was the result:
One of these two messages was sent by the Irish government, though both appear to come from the same sender
Earlier this year the British government briefly flirted with doing the same thing, with Davis blogging at the time (as we reported) that this was a “schoolyard” level of exploit.
In Ireland’s case, Davis warned the local authorities before disclosing his findings to El Reg and the wider world via his blog.
Contact-tracer spoofing is already happening – and it’s dangerously simple to do
Calling for authorities in the UK to invest in mass-message cell broadcast technology (“It’s faster, cheaper, and reaches 99 per cent of phones in a secure and reliable fashion”), Davis also urged governments in general to “liaise with known SMS API providers and local mobile carriers beforehand to make them aware of which names/numbers they’ll be sending important texts from” and block those sender names and numbers from being used by others.
It may surprise some readers to learn that this is not done by default – which is why unscrupulous telemarketing scammers can appear to be calling from phone numbers not actually assigned to them.
As we reported in March when UK.gov’s first mass-text-messaging campaign began, SMS cell broadcast was trialled in the early 2010s but initial promising trials faltered with no further progress since 2014 [PDF].
Standard anti-phishing advice is not to click links or dial numbers included in unsolicited messages, advice that still stands today despite the desperation of UK government and the NHS to broadcast public health messages using these very techniques. ®
READ MORE HERE