SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.

June 23rd, 2016

Security firm Positive Technologies has published a report (see their overview of the attack on one-time passwords and the PDF of the SS7 security problems) that explains how attackers can easily attack the protocols underlying the mobile text messaging networks (i.e., the Signaling System 7 or “SS7” protocol). In their report, they indicate how this makes it easy to attack two-factor login methods and password recovery schemes where a one-time security code is sent via an insecure text message.

Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume the identity of the legitimate user.

SMS is Insecure due to SS7 protocol

This result also means that attackers can read all text messages sent over these networks. Beyond the serious implications with respect to attacking accounts and identity theft via access to second-factor authentication codes, this work means that all communications over text message must really and truly be considered insecure and open to the public.

In the past, we have all acknowledged that text messages are insecure in that they pass through the cellular carriers in plain text, can be archived and backed up, could be surveilled by the government, etc. However, most people have been very complacent about this insecurity … still trusting their cellular carriers, trusting that attackers would really have a hard time actually accessing these text messages. As a result, people have been sending sensitive information via insecure text message for some time … giving security short shrift and going for convenience.

This includes ePHI — medical appointment notices sent to patients, communications about patients between medical professionals, etc.

The publications by Positive Technologies confirm what the security community has known since at least 2014 … the infrastructure underlying SMS is old and fragile and easily attacked.  What can attackers do?

They can transparently forward calls, giving them the ability to record or listen in to them. They can also read SMS messages sent between phones, and track the location of a phone using the same system that the phone networks use to help keep a constant service available and deliver phone calls, texts and data.

The danger of breach, especially a targeted breach, is real. As a phone number is identifying information, any text message that refers to that person’s past, present or future medical condition or scheduling or billing is ePHI and must be protected by the medical community. It is easy to imagine an automated attack on the SS7 protocol that could identify very large numbers of such messages laden with PHI. That attack would be an automatic breach and the discovered use of SMS for ePHI could be considered willful neglect under HIPAA.

The takeaway?

Sensitive communications, especially where HIPAA compliance is involved, must never take place over insecure text message (SMS) channels.  It is time to move on to secure communications applications or secure texting solutions.