T-Mobile, Verizon, AT&T Stop SMS Hijacks After Motherboard Investigation

All of the major carriers made a significant change to how SMS messages are routed to prevent hackers being able to easily reroute a target's texts, according to an announcement from Aerialink, a communications company that helps route text messages. The move comes after a Motherboard investigation in which a hacker, with minimal effort, paid $16 to reroute our text messages and then used that ability to break into a number of online accounts, including Postmates, WhatsApp, and Bumble, exposing a gaping hole in the country's telecommunications infrastructure.

"The Number Registry has announced that wireless carriers will no longer be supporting SMS or MMS text enabling on their respective wireless numbers," the March 25 announcement from Aerialink, reads. The announcement adds that the change is "industry-wide" and "affects all SMS providers in the mobile ecosystem."

"Be aware that Verizon, T-Mobile and AT&T have reclaimed overwritten text-enabled wireless numbers industry-wide. As a result, any Verizon, T-Mobile or AT&T wireless numbers which had been text-enabled as BYON no longer route messaging traffic through the Aerialink Gateway," the announcement adds, referring to Bring Your Own Number.

T-Mobile, Verizon, and AT&T did not immediately respond to a request for comment. Neither did the Federal Communications Commission (FCC) nor the CTIA, a trade body for the carriers.

Last week, Motherboard published an investigation in which pseudonymous hacker Lucky225 paid a small sum of money to a company called Sakari to demonstrate the issue, which had not previously been reported in detail. Sakari is a firm that helps businesses with SMS marketing and mass messaging. As part of that, Sakari had gained the ability to reroute text messages from another company called Bandwidth, which in turn obtained it from another called NetNumber.

When entering the respective phone number, Lucky225 was asked to sign a document essentially pinky-swearing he had authority to reroute the messages, but there was no technical mitigation in place to ensure the target had provided consent.

"Welcome to create an account if you want to mess with it, literally anyone can sign up," Lucky225, who is Chief Information Officer at cybersecurity firm Okey Systems, said at the time.

A few minutes after entering Motherboard's phone number, Lucky225 started receiving text messages originally meant for our phone. From here, he logged into various services that used SMS as a login or authentication mechanism.

"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack at the time.

After Motherboard originally contacted Sakari for comment, Adam Horsman, co-founder of the company, said Sakari had introduced a security feature where an entered number will receive an automated call to ensure that the number owner consents to the message rerouting. Now, with the carriers cutting off enabling of text messages on mobile numbers, the wider ecosystem of business text messaging companies are likely unable to perform the service at all.

Horsman told Motherboard in a statement on Thursday that "We welcome this news and hope the rest of the industry follows suit. It has always been our policy at Sakari to only support the text-enablement of VoIP and landline phone numbers, and as soon as the industry issue was raised we placed a complete block on any mobile numbers.  As part of our internal audit, other than Lucky225’s account, we found no other mobile numbers enabled." Another company included in Motherboard's investigation said it recently saw suspicious activity on another of its accounts.

Clarification: In between the original investigation and this article, Lucky225’s position at Okey Systems has changed from Director of Information to Chief Information Officer. The piece has been updated to reflect that.

Subscribe to our cybersecurity podcast CYBER, here.