In 2019, Google and several mobile operators started implementing a new communication technology, Rich Communication Services (RCS) [1]. RCS replaced traditional calling and SMS, serving as their replacement in the communication landscape.
The technology included also new messaging possibilities and features. So, the idea was to make native text more competitive to popular digital alternatives like WhatsApp and iMessage.
RCS is based on internet protocols like SIP and HTTP to implement group chats, video calls, file transfers and more. In 2019 SRLabs’ researchers conducted a worldwide survey to estimate security risks in active RCS deployments.
Key findings on RCS security
- The provisioning process for activating RCS functionality on a phone is badly protected in many networks, allowing hackers to fully take over user accounts by stealing RCS configuration files that include SIP and HTTP credentials
- Andorid Messages, the most popular RCS client, does not implement sufficient domain and certificate validation, enabling hackers to use DNS spoofing to intercept and manipulate communication
- Some RCS core nodes do not effectively validate the user identity, allowing caller ID spoofing and fraud through SIP message injection
- VoWiFi-enabled smartphones expose users to new WiFi-based IMSI catcher
How popular is RCS?
In June 2019, Google officially announced their plans to release RCS on all Android phones starting with trials in the UK and France. Then, in November 2019, RCS was rolled out to all Android smartphones in the US, and operators in other countries were running trials. As of 2022 there is no exact data how wide-spread RCS is, but as it is natively integrated in all Android Smartphones around 70 % off all smartphone users own at least one RCS capable device.
Additionally, in 2019 SRLabs conducted an internet survey using DNS queries directed to RCS specific domains, confirming the presence of its servers in many countries.
How secure is RCS?
After the international release, SRLabs researchers found a range of vulnerabilities that allowed different hacking attacks against some deployments. Although, not all vulnerabilities applied to all networks.
The issues included:
- User Tracking
- Impersonating Users
- Conducting Fraud
- Website DDoS
- Intercepting texts
Criminals achieve impersonation, fraud, and user tracking without sophisticated equipment or extra target information. Therefore, attackers intercept SMS-based One-Time-Password (OTP) codes locally and remotely, depending on network configuration. So, they attempt fraudulent bank transactions or take over email accounts by doing so.
The detected issues made RCS deployments as vulnerable to hacking as legacy mobile technologies, such as 2G and SS7, according to the SRLabs experts.
For example, a local Man-In-The-Middle (MITM) attack allowed hackers to intercept and manipulate all user communications. The underlying issue was that the RCS client, including the official Android messaging app, did not properly validate that the server identity matches the identity provided by the network during the provisioning phase. Therefore, DNS spoofing can abuse this issue, enabling hackers to be in the middle of the encrypted connection between the mobile and the RCS network core.
This video by SRLabs demonstrates how RCS allowed hackers to impersonate subscribers by spoofing their IP address:
This video demonstrates a MITM attack, in which messages intercepted and modified:
A demo video showing how a user’s config file can be stolen can be found here:
These vulnerabilities can allow attackers to intercept OTPs that can be used to take control of critical accounts:
Can these attacks be mitigated?
Research by: Sina Yazdanmehr (@SinaYazdanmehr), Luca Melette, and Lukas Euler
References
[1] https://www.gsma.com/futurenetworks/rcs/
[2] https://www.blackhat.com/eu-19/briefings/schedule/index.html#mobile-network-hacking-ip-edition-17617