When the FBI warned iPhone and Android users to stop texting, it caused a viral storm. It exposed SMS messaging (again) for being woefully insecure and vulnerable to attack. This was nothing new — texting has been the subject of countless warnings, especially when it comes to its widespread use for two-factor authentication (2FA) and by cyber criminals sending millions of unpaid toll and undelivered package messages.
The smart advice has been to switch to a fully encrypted platform. WhatsApp usually comes top of the polls, given its vast 3-billion-plus user base, its ease of use, and its seamless interoperability across Android and iPhone. Signal has always been seen as better — and was CISA’s pick as an alternative to SMS for Americans. But that gloss has been somewhat dulled by its ill-advised use for secretive war planning.
SMS cannot be end-to-end encrypted — it’s an archaic system that relies on networks to collaborate in moving messages from sender to receiver. That’s why China’s ownership, control and influence of telco networks enables its spies to intercept traffic. The answer is RCS, essentially an SMS replacement. But that’s still not fully encrypted except within Android’s walled garden — albeit that should change later this year.
As such, the advice for users is to use iMessage within Apple’s walled garden and RCS within Android’s walled garden, and then to use RCS between the two mobile ecosystems when it’s upgraded. All very simple, yes? Unfortunately not. A new warning has just thrown something else into the mix. And this is only going to get worse.
In its latest report, Resecurity warns that a new smishing (SMS-based phishing) attack on a “massive scale” is heading for iPhone and Android users in the U.S. and Europe. “One identified threat actor,” it says, “can send up to 2,000,000 smishing messages daily,” which means “up to 60,000,000 victims per month, or 720,000,000 per year, enough to target every person in the US at least twice every year.”
Nothing new here. Smishing is a top-level threat and the unpaid toll campaign sweeping America state to state has been making headlines for a year. But those are SMS text messages, and in their latest campaigns these threat actors “prefer modern messaging platforms because they provide a richer set of tools for creating convincing attacks, better engagement features, and more sophisticated methods of deception.”
The next wave of attacks will move beyond unpaid tolls texts to steal your Apple and Google Wallet card details. And “unlike SMS, which relies on cellular networks, Apple iMessage and Android RCS use internet-based communication… the ability to leverage internet-based communication and platform-specific features makes these attacks more effective and challenging to detect than traditional SMS-based approaches.”
This highlights one vulnerability that RCS and iMessage share with SMS — its integration into core network messaging. While there are attempts to filter likely spam and scam messages, and Google’s new one click spam button helps, attackers know how to revolve numbers and can even use AI to vary content to bypass defenses.
Google and Apple will have an opportunity to take back some of the ground ceded to Meta’s WhatsApp over the last decade when cross-platform end-to-end encrypted messaging finally goes live. But unless some combination of telco networks, Apple and Google can slay China’s smishing dragon, it will be impossible to recommend this as an alternative to WhatsApp, Signal or other over-the-top options.