How RCS exposes mobile users to hackers

5 min
I
July 13, 2022

In 2019, Google and several mobile operators started implementing a new communication technology, Rich Communication Services (RCS) [1]. RCS was introduced to replace traditional calling and text messaging (SMS). The technology included also new messaging possibilities and features. The idea was to make native text more competitive to popular digital alternatives like WhatsApp and iMessage.

RCS is based on internet protocols like SIP and HTTP to implement group chats, video calls, file transfers and more. In 2019 SRLabs’ researchers conducted a worldwide survey to estimate security risks in active RCS deployments.

Key findings on RCS security

  • The provisioning process for activating RCS functionality on a phone is badly protected in many networks, allowing hackers to fully take over user accounts by stealing RCS configuration files that include SIP and HTTP credentials
  • Andorid Messages, the most popular RCS client, does not implement sufficient domain and certificate validation, enabling hackers to use DNS spoofing to intercept and manipulate communication
  • Some RCS core nodes do not effectively validate the user identity, allowing caller ID spoofing and fraud through SIP message injection
  • VoWiFi-enabled smartphones expose users to new WiFi-based IMSI catcher

How popular is RCS?

In June 2019, Google officially announced their plans to release RCS on all Android phones starting with trials in the UK and France. In November 2019, RCS was rolled out to all Android smartphones in the US, and operators in other countries were running trials. As of 2022 there is no exact data how wide-spread RCS is, but as it is natively integrated in all Android Smartphones around 70 % off all smartphone users own at least one RCS capable device.

In 2019 SRLabs conducted an internet survey using DNS queries directed to RCS specific domains, confirming the presence RCS servers in many countries.

In 2019 RCS deployments span 67 countries, a couple more are conducting trials

How secure is RCS?

When RCS was released internationally, SRLabs researchers found a range of vulnerabilities that allowed different hacking attacks against some deployments. Not all vulnerabilities applied to all networks.

The issues included:

  • User Tracking
  • Impersonating Users
  • Conducting Fraud
  • Website DDoS
  • Intercepting texts

Impersonation (caller ID spoofing), fraud and user tracking could be achieved by criminals without using sophisticated equipment or requiring any additional target information. Depending on the networks configuration, attackers could locally and remotely intercept One-Time-Password (OTP) codes sent via SMS, and attempt to authorize fraudulent bank transactions or take over email accounts. Details of these hacks were also presented at BlackHat Europe 2019 [2].

The detected issues made RCS deployments as vulnerable to hacking as legacy mobile technologies, such as 2G and SS7, according to the SRLabs experts.

For example, a local Man-In-The-Middle (MITM) attack allowed hackers to intercept and manipulate all user communications. The underlying issue was that the RCS client, including the official Android messaging app, did not properly validate that the server identity matches the identity provided by the network during the provisioning phase. This issue can be abused by DNS spoofing, enabling hackers to be in the middle of the encrypted connection between the mobile and the RCS network core.

This video by SRLabs demonstrates how RCS allowed hackers to impersonate subscribers by spoofing their IP address:

This video demonstrates a MITM attack, in which messages can be intercepted and modified:

A demo video showing how a user’s config file can be stolen can be found here:

These vulnerabilities can allow attackers to intercept OTPs that can be used to take control of critical accounts:

Can these attacks be mitigated?

Mobile networks are variably affected by these vulnerabilities depending on gaps in their individual implementations and configuration. All vulnerabilities found relate to common security mistakes that can be mitigated by applying the following best practices:

Research by: Sina Yazdanmehr (@SinaYazdanmehr), Luca Melette, and Lukas Euler

References

[1] https://www.gsma.com/futurenetworks/rcs/

[2] https://www.blackhat.com/eu-19/briefings/schedule/index.html#mobile-network-hacking-ip-edition-17617