RCS: SMS successor becomes security risk

Friday, 29.11.2019
16:31

If you have forgotten your password, many online platforms will send you a text message so that you can change it. However, such a step can be quite risky, as findings by security researchers show. They have discovered that criminal hackers could access smartphone users' short messages and whereabouts through a vulnerability at network operators, and thus also obtain SMS codes.


The cause is evidently a problem with the successor standard to SMS, Rich Communication Services (RCS). As first reported by the "Süddeutsche Zeitung" and "Vice", researchers from the Berlin-based IT security company SRLabs have discovered that network operators are in some cases sloppy in implementing the standard, which sometimes makes it quite easy for attackers to access data.

Here are the answers to the most important questions.

What exactly is RCS?

RCS is being billed as the successor to classic SMS. But so far RCS has not made the big breakthrough, even though software companies and mobile service providers have been working on the standard for more than ten years.


In contrast to standard SMS, videos and pictures can be sent via RCS, and even video calls are possible. RCS also indicates whether the recipient has read the message.

As early as 2012, a major marketing offensive was launched with the aim of countering successful messengers such as WhatsApp with RCS. The new standard was meant to ensure that network providers finally make money with short messages again. In practice, however, many people still send text messages by SMS, often on tariffs with SMS flat rates.

What kind of problem have the researchers discovered?

According to SRLabs, the hackers were able to obtain so-called RCS configuration files from mobile service providers; these files are actually intended only for the owner of the respective SIM card. The file is in effect the smartphone's access card for online SMS. With this file, however, attackers could also read their victims' SMS and intercept codes, for example to reset passwords for e-mail accounts. The hackers are not making public exactly which network providers they succeeded against.


Evidently, many RCS configuration files are only sloppily secured in practice. In one case, the server requested a six-digit code but did not limit the number of input attempts, they say. In another case, the IP address of the device was enough to download the file. The IP address can also be faked, for example by surfing in the same Wi-Fi network.
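The first weakness described above, a six-digit code with no limit on attempts, is closed on the server side by capping failed attempts, expiring codes and binding them to the subscriber rather than to an IP address. The following sketch is an added example, not code from SRLabs or any network operator; the class name, the subscriber identifier and the limits (5 attempts, 300 seconds) are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy value, not taken from the article
CODE_TTL_SECONDS = 300  # assumed policy value


class ProvisioningCodeStore:
    """One pending six-digit code per subscriber, keyed by a SIM-bound
    identifier (hypothetical), never by the client's IP address."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # subscriber_id -> [code, expires_at, failures]

    def issue(self, subscriber_id):
        # Issuing a new code replaces the old one; issuance itself should
        # also be rate limited per subscriber (not shown here).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[subscriber_id] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, subscriber_id, guess):
        entry = self._pending.get(subscriber_id)
        if entry is None:
            return "no_pending_code"
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[subscriber_id]
            return "expired"
        # Constant-time comparison on bytes, so any string input is accepted.
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._pending[subscriber_id]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[subscriber_id]  # burn the code after too many misses
            return "locked"
        return "wrong"


def guess_success_probability(attempts_allowed, code_space=10**6):
    """Chance that blind guessing hits a uniformly random code."""
    return min(attempts_allowed, code_space) / code_space
```

With five attempts per code, blind guessing succeeds with probability 5 in 1,000,000; with unlimited attempts it succeeds with certainty.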

"RCS is being introduced very sloppily," Karsten Nohl of SRLabs told DER SPIEGEL. "We are disappointed that our research in recent years has had no effect."

Who is affected by the vulnerability?

Potential victims of attacks are basically all users with modern smartphones who are on a network that supports RCS. Users do not even have to send RCS content. The vulnerability makes it possible to access both RCS messages and SMS, according to Karsten Nohl. According to him, more than one hundred mobile service providers worldwide offer the new standard, so he estimates that more than one billion users are affected.

"The fact that the standard is so insecure surprised us," says the IT expert. "Nobody asked for an alternative to SMS." But now even cell phone users who do not use RCS are potentially affected. Which smartphone the victims use hardly matters. Technically, almost all modern models are able to send and receive short messages via RCS.

Who is driving the technology forward?

Most phone providers have agreed that RCS will succeed SMS. Mobile service providers in almost 70 countries worldwide support the standard. In Germany, two major network providers, Vodafone and Telekom, are taking part. Above all, however, Google is the driving force behind RCS. The group has already partly anchored the standard firmly in Android devices.

  The US company is working with mobile operators to establish the standard. Some users of Google's Android Messages chat app can choose to use RCS by default for sending short messages.

However, experts doubt that the triumphant progress of WhatsApp, iMessage or Facebook Messenger can be stopped with state-of-the-art technology alone. "RCS is much worse than all free alternatives like WhatsApp," says Nohl. "That is last-minute panic." Google noticed that the train had almost left the station and that RCS was the last chance.

How can users protect themselves?

"Users cannot do anything about it," says Karsten Nohl. "The network operators are responsible for protecting their customers."

According to the "Süddeutsche Zeitung", Vodafone has already taken a number of measures to protect the RCS services. Telekom refers to the response of the GSM Association (GSMA), which is responsible for the standard worldwide. Following a request from SPIEGEL, the GSMA announced on Friday that it was grateful to the researchers for the report, but that the report was "not pointing out any new weaknesses".


According to a spokeswoman for the GSMA, there are problems with the implementation of RCS, but not problems with the RCS standard itself. The SRLabs research results will be presented to an expert commission next week.

In the long term, according to Karsten Nohl, only the switch to the current RCS version 6 will bring an improvement. So far, network operators are still using the previous version. The changeover will take a while. With the new version, the SIM card serves as the key to the servers, one that cannot easily be imitated.