Most people like to think of text messages as private communication, but they inherently involve data leaving one device and journeying to another via the cell phone networks. That process leaves plenty of opportunities where somebody could attempt to intercept and read text messages. The good news is that the ways of doing so are usually too expensive or troublesome to make it worth a hacker's while unless he is specifically targeting somebody.
A hacking technique unveiled in July 2013 may have the biggest potential group of victims. Security researcher Karsten Nohl said he had found a flaw in the operation of SIM cards, used on many phones to identify the phone owner's account to the cell phone networks. He discovered that in around one in four cases, sending a bogus message claiming to be from the network would cause a phone to send back an error message text. This error message contained an authentication code for the phone that, although encrypted, was relatively easy to crack with modern computing power. The code then allowed the hacker to remotely install malicious software on the phone.
Man in the Middle
A "man in the middle" attack is where the hacker is able to reroute text messages so that they can be read in transit, without the sender or recipient being aware of it. One way of doing this is to send a text message that appears to come from the network and asks the user to click or tap to approve changes to the phone's settings, but which in fact sets the phone to redirect messages. Another tactic is using a femtocell, which is designed to act as a miniature cell phone tower. Femtocells are usually used for legitimate purposes, such as relaying a cell phone signal through a fixed-line broadband connection in places with poor wireless reception. A hacker could have the femtocell pose as a genuine cell phone tower and thus get direct access to texts sent in the nearby area, though this would have to be a physically targeted attack.
In 2012 a hacker revealed that a technical error in the way iPhones handle text messages means it could be possible to send a message with a bogus "reply to" number while hiding the sender's true number. A criminal could exploit this by posing as a bank or other trusted facility and asking the phone user to reply with personal information. The reply would go directly to the criminal.
Phone users can take several steps that can reduce text hacking. Regularly updating phones with the latest edition of an operating system and installing any security updates from manufacturers or networks can help. Firms often issue security fixes after a new loophole or exploit is discovered. It's also important to be wary about clicking or tapping on a link in a text message, particularly if the sender is unfamiliar or the message content looks suspicious. Although such steps can mitigate risk, some information such as bank details may be too sensitive to send via text message at all.