RobocallScience

Research to restore trust in telephones



Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways

IEEE Symposium on Security and Privacy

Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin R. B. Butler

Summary:

This research paper studies nearly 400,000 text messages sent to public online SMS gateways over the course of 14 months. We see services sending extremely sensitive plaintext data, services, implementing low entropy solutions for one-use codes, measure the prevalence of SMS spam, and show that public gateways are primarily used for evading account creation policies that require verified phone numbers.

Abstract

Text messages sent via the Short Message Service (SMS) have revolutionized interpersonal communication. Recent years have also seen this service become a critical component of the security infrastructure, assisting with tasks including identity verification and second-factor authentication. At the same time, this messaging infrastructure has become dramatically more open and connected to public networks than ever before. However, the implications of this openness, the security practices of benign services, and the malicious misuse of this ecosystem are not well understood. In this paper, we provide the first longitudinal study to answer these questions, analyzing nearly 400,000 text messages sent to public online SMS gateways over the course of 14 months. From this data, we are able to identify not only a range of services sending extremely sensitive plaintext data and implementing low entropy solutions for one-use codes, but also offer insights into the prevalence of SMS spam and behaviors indicating that public gateways are primarily used for evading account creation policies that require verified phone numbers. This latter finding has significant implications for research combatting phone-verified account fraud and demonstrates that such evasion will continue to be difficult to detect and prevent.