A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals.
The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS.
Off to a great start for a technology nobody is waiting for. WhatsApp and WeChat have replaced SMS, and unencrypted, vulnerable nonsense like RCS is not going to change a single thing about that.
Thom Holwerda,
Meh, I’m not a fan. Some offshore developers asked me to use it because they didn’t want to pay long distance to talk to our shared client. I tried to accommodate them, but there was no Linux client. So I went and tried the Windows client only to find out that it is non-functional unless you first install the Android or iPhone client. WhatsApp refused to let me register with my business phone and frankly my personal cell phone is none of their business. Not a big loss, I prefer federated and open services, and was never a big fan of proprietary services like WhatsApp anyways.
Regarding the end to end crypto, just be aware that most of these proprietary services are not fully impervious to wiretapping because the service (WhatsApp in this case) controls the directory of public keys. If you haven’t taken steps to independently verify the keys of your contacts, then you are technically relying on WhatsApp to authenticate the parties. Alas, WhatsApp could be compelled by a court order to compromise the keys you are using to encrypt your traffic.
This link doesn’t state the risks all that clearly, but I quoted the part about additional precautions to prevent man in the middle attacks:
https://www.techworld.com/security/whatsapps-end-end-encryption-explained-what-is-it-does-it-matter-3637803/
You need to do this with all your contacts, and ideally you’d refresh/reverify your keys periodically. This is synonymous to the “key signing parties” that PGP users used to have.
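As an added illustration of the comment above (not part of the original comment, and not WhatsApp's own code or fingerprint format): a minimal local pin store that trusts a directory-served key only after the contact has confirmed its fingerprint over another channel, and flags any later key change. The names `fingerprint`, `PinStore` and the truncated SHA-256 fingerprint are assumptions made for this sketch.

```python
import hashlib
import hmac


def fingerprint(identity_key: bytes) -> str:
    """Human-comparable digest of a public key: first 128 bits of SHA-256, grouped hex."""
    digest = hashlib.sha256(identity_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, len(digest), 4))


class PinStore:
    """Local record of keys the user has verified out of band (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # contact -> fingerprint confirmed over a separate channel

    def verify_out_of_band(self, contact, key_from_directory, fp_read_by_contact):
        """Pin the key only if the contact's own reading matches what the directory served."""
        local = fingerprint(key_from_directory)
        if not hmac.compare_digest(local, fp_read_by_contact):
            return False  # directory key differs from the key the contact really holds
        self._pins[contact] = local
        return True

    def check(self, contact, key_from_directory):
        """Classify a key the directory serves for a contact."""
        pinned = self._pins.get(contact)
        if pinned is None:
            return "unverified"   # authentication rests on the directory alone
        if hmac.compare_digest(pinned, fingerprint(key_from_directory)):
            return "verified"
        return "key-changed"      # re-verify with the contact before trusting


def demo():
    # Constructed sample keys; a real client would use the contact's public identity key bytes.
    alice_key = hashlib.sha256(b"constructed alice key").digest()
    swapped_key = hashlib.sha256(b"constructed substituted key").digest()
    store = PinStore()
    results = [store.check("alice", alice_key)]
    store.verify_out_of_band("alice", alice_key, fingerprint(alice_key))
    results.append(store.check("alice", alice_key))
    results.append(store.check("alice", swapped_key))
    return results


if __name__ == "__main__":
    print(demo())
```
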
Oh dear, someone else who thinks that because everyone in *their* circle of contacts, or *their* part of the world, uses one of these proprietary solutions, that SMS is neither necessary nor useful.
SMS does not require mobile data, it’s available everywhere, built-in everywhere, is used as “2FA” ::eyeroll:: by many banks and even government agencies in some countries.
With its fallback to SMS and its eventual ubiquity (on Android, at least), RCS *can* be the gradual successor for basic use, even if the proprietary alternatives maintain popularity in some places and situations.
Yes, the anti-RCS commentary seems like the perspective of a privileged individual who has completely missed the point.
Try WhatsApp or WeChat over a low cost low bandwidth LoRa and see how you go, at least RCS is an attempt to deliver some enriched communications to places that are not the domain of an iPhone X, Google Pixel 4 or Samsung Galaxy S10+ generation!
WhatsApp seems to be more common in poorer countries than in richer countries
https://www.statista.com/statistics/291540/mobile-internet-user-whatsapp/ while RCS isn’t available in most countries yet
WhatsApp also works on extremely low-end devices and has been doing so for many years while RCS works… well… let’s say that its implementations leave something to be desired: https://www.theverge.com/2019/10/18/20920928/pixel-4-rcs-messaging-no-support-verizon-tmobile
Of course an app normally doesn’t compete with a communication standard, but in this case I would say that WhatsApp is far more relevant to the way people communicate than RCS and this will not change anytime soon.
From personal experience, Brazilians use WhatsApp because it doesn’t use minutes… they only get messages when on wifi, but that is an acceptable trade-off if it doesn’t use up their minutes, which are relatively expensive.
10 years ago there was this thing where if you made under a 3 second phone call it didn’t deduct minutes…. may still be that way but people would communicate in 3 second bursts, it was quite funny… similar to the 10 10 220 commercial where the guy says his name is “Hadababi Itsaboi”.
I’d much prefer a native, universal standard for messaging (which SMS has been and RCS will likely become).
I’d much prefer a native, universal standard for telephony.
I’d much prefer a native, universal standard for video calling (which we used to have 3G-324M for, and it looks like ViLTE will become).
Having third party apps and such over generic data connections is a nice thing to have, but when you need it to work, across brands, across platforms, across providers – you need a standard that works no matter what.
The1stImmortal,
I agree with you. Proprietary services are rather concerning as an alternative to universal open protocols. You end up being at the whim of a single service provider with all the control and say in terms of what to support. WhatsApp is already inaccessible for certain platforms and devices including mine.
Another point is about the kind of future we want. People are wary of the abusive monopolies once they’re here, but don’t seem to put much energy/forethought in avoiding them before they happen when it’s far easier to prevent. Once you have a monopoly, the network effects mean we get stuck with the monopolies for the long term and just because a corporation is consumer-friendly today does not mean it will be tomorrow.
> WhatsApp and WeChat have replaced SMS
What about “older people” who want to chat, but don’t want to “figure out something new and complicated”? And all the seemingly-never-ending complexities of such applications? (Meaning “bolted on this and that”)
(Sorry, I just spent 10 minutes of my non-caffeinated-yet morning with my mother trying to download a free knitting pattern from a website, not realizing that when she signed up for the “free email newsletter” – she wasn’t *signing up an account for the site itself* needed to download it. Even though she wasn’t paying anything for it.)
“WhatsApp and WeChat have replaced SMS, and unencrypted, vulnerable nonsense like RCS is not going to change a single thing about that.”
Really? I guess I have to tell my AT&T Z432 *THAT* since it doesn’t know what the hell WhatsApp and WeChat is, and sends and receives SMS messages from work and other places and people just fine….