I didn't expect it to be that quick. While I was on a Google Hangouts call with a colleague, the hacker sent me screenshots of my Bumble and Postmates accounts, which he had broken into. Then he showed he had received texts that were meant for me that he had intercepted. Later he took over my WhatsApp account, too, and texted a friend pretending to be me.
Looking down at my phone, there was no sign it had been hacked. I still had reception; the phone said I was still connected to the T-Mobile network. Nothing was unusual there. But the hacker had swiftly, stealthily, and largely effortlessly redirected my text messages to themselves. And all for just $16.
I hadn't been SIM swapped, where hackers trick or bribe telecom employees to port a target's phone number to their own SIM card. Instead, the hacker used a service by a company called Sakari, which helps businesses do SMS marketing and mass messaging, to reroute my messages to him. This overlooked attack vector shows not only how unregulated commercial SMS tools are but also how there are gaping holes in our telecommunications infrastructure, with a hacker sometimes just having to pinky swear they have the consent of the target.
"Welcome to create an account if you want to mess with it, literally anyone can sign up," Lucky225, the pseudonymous hacker who carried out the attack, told Motherboard, describing how easy it is to gain access to the tools necessary to seize phone numbers.
Fortunately, Lucky225 was taking over my number and breaking into the connected accounts with my permission to demonstrate the flaw. This also doesn't rely on SS7 exploitation, where more sophisticated attackers tap into the telecom industry's backbone to intercept messages on the fly. What Lucky225 did with Sakari is easier to pull off and requires less technical skill or knowledge. Unlike SIM jacking, where a victim loses cell service entirely, my phone seemed normal. Except I never received the messages intended for me, but he did.
Once the hacker is able to reroute a target's text messages, it can then be trivial to hack into other accounts associated with that phone number. In this case, the hacker sent login requests to Bumble, WhatsApp, and Postmates, and easily accessed the accounts.
"I used a prepaid card to buy their $16 per month plan and then after that was done it let me steal numbers just by filling out LOA info with fake info," Lucky225 added, referring to a Letter of Authorization, a document saying that the signer has authority to switch telephone numbers. (Cyber security company Okey Systems, where Lucky225 is Director of Information, has released a tool that companies and consumers can use to detect this attack and other types of phone number takeovers).
The method of attack, which has not been previously reported or demonstrated in detail, has implications for cybercrime, where criminals often take over target's phone numbers in order to harass them, drain their bank account, or otherwise tear through their digital lives. The attack also brings up issues around private, corporate, and national security, where once a hacker gains a foothold on a victim's phone number, they may be able to intercept sensitive information or personal secrets.
"It’s not hard to see the enormous threat to safety and security this kind of attack poses. The FCC must use its authority to force phone companies to secure their networks from hackers. Former Chairman Pai’s approach of industry self-regulation clearly failed," Senator Ron Wyden said in a statement after Motherboard explained the contours of the attack.
"Sakari is a business text messaging service that allows businesses to send SMS reminders, alerts, confirmations and marketing campaigns," the company's website reads.
For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. Sakari streamlines that process by letting business customers import their own number. A wide ecosystem of these companies exist, each advertising their own ability to run text messaging for other businesses. Some firms say they only allow customers to reroute messages for business landlines or VoIP phones, while others allow mobile numbers too.
Sakari offers a free trial to anyone wishing to see what the company's dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts as, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari's interface, which show a red "+" symbol where users can add a number.
While adding a number, Sakari provides the Letter of Authorization for the user to sign. Sakari's LOA says that the user should not conduct any unlawful, harassing, or inappropriate behaviour with the text messaging service and phone number.
But as Lucky225 showed, a user can just sign up with someone else's number and receive their text messages instead.
Do you work for telecom or one of the other companies mentioned? Do you know anything else about this attack? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
A few minutes after they entered my T-Mobile number into Sakari, Lucky225 started receiving text messages that were meant for me. I received no call or text notification from Sakari asking to confirm that my number would be used by their service. I simply stopped getting texts.
"Hello. This is Lorenzo," my colleague Lorenzo Franceschi-Bicchierai wrote to the number.
"Hi Lorenzo :) - Lucky," the hacker replied.
"As of today, you don't know this happens," Teli Tuketu, the CEO of Okey Systems, told Motherboard in a phone call, referring to how there is no way for the target to immediately know their text messages have been rerouted. "You don't know these attacks happen."
Motherboard also created an account for verification purposes, but Sakari suspended the account after contacted for comment.
It is not clear how much this method of attack is being used in the wild on mobile numbers. Karsten Nohl, a researcher from Security Research Labs who has investigated telecommunications security for years, said he had not seen it before. Tuketu said it "absolutely" is happening.
Ted Blatt, vice president of sales at Text My Main Number, a similar company to Sakari, told Motherboard in an email that "we just recently suspected suspicious activity on one of our accounts and immediately shut it down and reported this activity on our end."
Motherboard created Bumble, Postmates, and WhatsApp accounts in part because of their reliance on SMS as either a signup or login method for user accounts, rather than, say, an email address and password (this is the case for many apps).
Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation said that the demonstrated attack "underscores the importance of moving people off of SMS 2FA and, more broadly, off of 'login with your phone number' solutions."
Neither Bumble nor Postmates responded to a request for comment. WhatsApp does have mitigations in place such as sending users a notification when they are logged out of their device by accessing their account from another. A WhatsApp spokesperson told Motherboard in a statement that “With so many apps relying on SMS codes, it's critical that mobile carriers do more to protect their customers privacy and security. To stay ahead of this problem, WhatsApp has built features that notifies users and their chats when someone registers a new device. In addition, we strongly encourage turning on two factor verification, which protects accounts with a special user-created pin that helps prevent others from using your WhatsApp number."
AT&T, T-Mobile, and Verizon acknowledged requests for comment, but then directed Motherboard to CTIA, a trade association representing the wireless industry. CTIA said in a statement that "After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter."
The "carrier doesn't matter," Lucky225 said, regarding which carriers the attack can work on. "It's basically the wild west."
As for how Sakari has this capability to transfer phone numbers, Nohl from Security Research Labs said "there is no standardized global protocol for forwarding text messages to third parties, so these attacks would rely on individual agreements with telcos or SMS hubs."
In Sakari's case, it receives the capability to control the rerouting of text messages from another firm called Bandwidth, according to a copy of Sakari's LOA obtained by Motherboard. Bandwidth told Motherboard that it helps manage number assignment and traffic routing through its relationship with another company called NetNumber. NetNumber owns and operates the proprietary, centralized database that the industry uses for text message routing, the Override Service Registry (OSR), Bandwidth said.
When asked for comment, NetNumber also pointed Motherboard to the CTIA statement.
The flow of the capability to reroute text messages is similar in some ways to the cell phone location data market, where telecommunications giants such as T-Mobile, AT&T, and Sprint sold access to their customers location data to a series of aggregators, who then in turn resold that access to other companies. And along with that transfer of the location data access, each company also pushed the need to obtain consent down to the company below it, resulting in wide room for abuse. In 2019, Motherboard reported on how we paid a bounty hunter source $300 to gain the location of a phone to demonstrate the issue, with the target phone not receiving any sort of text message or voice call to confirm they had provided consent to be tracked. Verizon introduced its own consent mechanism where it forced at the carrier level a targeted phone to receive a text message to confirm the owner consented to sharing their location data.
That practice of delegating the need to obtain consent to other companies also applies to this latest issue of text messaging routing. In this case, Sakari asked Lucky225 to sign an LOA to confirm they had the authority to take control of Motherboard's phone number, but at the time Sakari did not send any sort of message to the target number to confirm whether the user consented to the transfer. Bandwidth said it was the responsibility of the retail service provider, which in this case was Sakari, to obtain the consent.
"While text message forwarding might have legitimate applications for businesses, the particular implementation underpinning this attack is appallingly weak in security and data privacy. Telcos have different ways of authenticating their customers, obviously including text messaging. The fact that none of these authentication methods are used in this case to get consent from the owner of a forwarded phone number is shocking," Nohl added.
Adam Horsman, co-founder of Sakari, told Motherboard in an email "Sakari takes privacy and security extremely seriously, and we already go above and beyond industry standards. Our success depends on us being a trusted platform with zero tolerance for fraud or spam," and added that on top of the LOA, Sakari has "a robust process for verification on top of this, including validating each client’s business email address, manual review by a team member whenever an account requests an upgrade to a paid plan, and confirming a genuine payment method."
"We have not seen any previous instances of intentional abuse of text-enablement, and your researcher played the role of a bad actor within a genuine company, which is an unusual vector of attack. But we appreciate you bringing this to our attention, and have updated our hosted messaging process to catch this in the future," he continued. Malicious insiders or customers are a common, established means of attack, whether that is rogue employees or clients abusing the access they've been granted.
Horsman added that, effective immediately, Sakari has added a security feature where a number will receive an automated call that requires the user to send a security code back to the company, to confirm they do have consent to transfer that number. As part of another test, Lucky225 did try to reroute texts for the same number with consent using a different service called Beetexting; the site already required a similar automated phone call to confirm the user's consent. This was in part "to avoid fraud," the automated verification call said when Motherboard received the call. Beetexting did not respond to a request for comment.
Horsman said Sakari will also audit all existing text-enabled numbers "across all Sakari accounts to make sure there are no other instances."
"SMS is a hugely powerful communication medium, and as it continues to dominate the communication landscape, we agree there are improvements needed by the industry—both carriers and resellers—to improve security and trust. Unlike voice, porting messaging privileges is not as regulated and as a result is not standardized for industry participants. For example, it often does not include a final step of the losing carrier review and verification before a port is made. Industry experience has demonstrated that regulation from the FCC on messaging porting would greatly improve the security and effectiveness of the ecosystem," Horsman added.
In a statement, FCC Acting Chairwoman Jessica Rosenworcel said "If true, these reports about newly discovered smartphone vulnerabilities are alarming. Consumers rely on their smartphones for more activities and sensitive data than ever before. We need to better understand this potential vulnerability and make sure we are taking the right steps to protect and educate consumers."
Senator Mark Warner told Motherboard in a statement that "While policymakers have paid considerable attention to the ways in which social media platforms have been exploited by bad actors, relatively little attention has been paid to the ways in which bad actors readily exploit vulnerabilities and broken processes in the wireless sector to further fraud, facilitate cyber-crime, and engage in harassment and abuse. We see over and over again that technologies are not being evaluated for their susceptibility to abuse and exploitation by bad actors. This new report raises serious concerns about the degree to which the wireless industry has prioritized this vector for fraud, abuse, and cyber-crime."
Okey Systems' monitoring tool works by creating a fingerprint of a user's phone number, including the carrier it is connected to and its SMS routes, Tuketu, the company's CEO, said. The company has also sought access to telecoms’ SIM databases, meaning they could monitor for changes there too.
With these observation points, when something changes, either by a hijack like in this attack or a SIM swap, Okey Systems should be able to detect and warn the user by a text message sent to another number or their email address. Tuketu said the company is also adding support for notifications via Telegram, Keybase, and Signal.
"We didn't want to disclose it until we had some solutions to address it," Tuketu said. "We did not want to charge for them, because that just doesn't seem right." The consumer version of Okey Monitoring is free to use, and the company plans to make money in other ways like corporate partnerships, he said.
But Sakari is only one company. And there are plenty of others available in this overlooked industry.
Tuketu said that after one provider cut-off their access, "it took us two minutes to find another."
Lorenzo Franceschi-Bicchierai contributed reporting to this article.
Update: This piece has been updated to include a response from NetNumber. Originally, Tuketu said Okey Systems has gained access to AT&T’s SIM database. Tuketu misspoke; instead the company has sought access to such databases.
Subscribe to our cybersecurity podcast CYBER, here.