Late Wednesday, I received a string of text messages that appeared to be from U.K. government bodies. Two, from BritishGOV and HOMEOFFICE, simply copied the general warning that had gone out earlier in the week, telling people to stay at home. Another, from BORIS, noted that “SMS is still insecure as fk.” The last, appearing to have been sent direct from the NHS, simply read: “Oh for God’s sake.”
They didn’t come from government sources, as they appeared to, but from cybercrime researcher Chris Monteiro, who was trying to show how easy it was to spoof government warnings via text. Just like real government mass alerts, the texts didn’t have associated phone numbers, but appeared to come from named, official organizations.
And when customers are expecting to see coronavirus warnings via text, they’re easier to trick, Monteiro warns. “When you are expecting mass SMS messages, the protection of ‘Was I expecting this message?’ goes away,” he says.
Monteiro was able to create these spoof messages because of long-known shortcomings in the text message protocol, SMS. It’s problematic from a security standpoint, as there’s no way to verify the identity of the sender. Tools like WhatsApp verify the sender by checking whether they hold a cryptographic key that only the real person should own. If the sender doesn’t have that key, they’re an impostor.
Even email, that now ancient-seeming messaging tool, has ways of checking a sender’s legitimacy. For instance, there’s a protection known as DomainKeys Identified Mail (DKIM). When used, the sender signs an email with a digital signature. This proves it came from the true domain (e.g., @forbes.com) from which it appears to have been sent. Again, this is done using encryption keys.
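To make the contrast concrete, here is an added example (not code from the article or from any of the people quoted in it) that models the two situations side by side: an SMS-style message whose sender ID is just a name anyone can type, and a DKIM-style message where the claimed sender is backed by a signature checked against a key that sender has published. It uses Go’s standard-library Ed25519 for the signature; the in-memory `Registry` stands in for the DNS record DKIM uses to publish the public key, and the sender names, bodies and key generation are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message models an alert the way SMS presents one: a free-form sender ID
// (such as the alphanumeric "UKGOV") plus a body. The Sig field is what SMS
// lacks and DKIM-style signing adds; it is empty on a plain text message.
type Message struct {
	Sender string
	Body   string
	Sig    []byte
}

// Registry maps a sender ID to the public key that sender has published,
// the role DKIM gives to a DNS TXT record under the signing domain.
// (Assumption for this demo: a trusted, pre-populated lookup table.)
type Registry map[string]ed25519.PublicKey

// signedBytes binds the sender ID to the body so that neither can be
// swapped without invalidating the signature.
func signedBytes(sender, body string) []byte {
	return []byte(sender + "\x00" + body)
}

// Sign produces a signed message. Only the holder of priv can do this,
// which is exactly the property a bare SMS sender ID does not have.
func Sign(priv ed25519.PrivateKey, sender, body string) Message {
	sig := ed25519.Sign(priv, signedBytes(sender, body))
	return Message{Sender: sender, Body: body, Sig: sig}
}

// Verify accepts a message only if its signature checks against the key
// registered for the claimed sender. Unsigned messages, unknown senders and
// altered bodies all fail: a recognisable name on its own proves nothing.
func Verify(reg Registry, m Message) bool {
	pub, ok := reg[m.Sender]
	if !ok || len(m.Sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signedBytes(m.Sender, m.Body), m.Sig)
}

func main() {
	// Constructed demo: the government publishes one key; anyone else can
	// still type "UKGOV" into the sender field but cannot sign as it.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"UKGOV": pub}

	genuine := Sign(priv, "UKGOV", "Stay at home. Protect the NHS.")
	spoofed := Message{Sender: "UKGOV", Body: "You have been awarded a payment. Click here."}
	tampered := genuine
	tampered.Body = "Click here to claim your payment."

	cases := []struct {
		name string
		m    Message
	}{
		{"genuine signed", genuine},
		{"spoofed sender ID", spoofed},
		{"tampered body", tampered},
	}
	for _, c := range cases {
		fmt.Printf("%-18s verified=%v\n", c.name, Verify(reg, c.m))
	}
}
```

Only the first case verifies. The spoofed message fails not because the name is wrong (it is identical) but because there is no signature to check, and the tampered one fails because the signature no longer matches the body; in real SMS there is nothing equivalent to check, which is the gap Monteiro is describing.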
SMS: The Weak Link
SMS doesn’t have any such checks. As Monteiro bluntly puts it, “There is no standard for securing sender identities.” Cybercriminals have already exploited this weakness in their COVID-19 scams, trading on people’s trust in texts that appear to come from legitimate sources. Earlier this week, Forbes reported on text spam sending links to a fake Fox News article that suggested CBD oil was an effective coronavirus treatment. Monteiro also shared a scam message that told U.K. citizens all residents had been given £258 to help them during the pandemic.
Monteiro says he used an Amazon Web Services server to send his messages. But, if he were a real scammer, it’d be easy to scale up the attack and start a spam campaign with any mass-texting service, whether they’re legal or not. “Scaling is very, very easy,” he adds.
The U.K. government has put in some protections, but they’re limited. For instance, it has managed to have telco companies filter texts that come from UK_GOV and UKGOV so they can only come from official channels. As Monteiro showed, it was easy to create other believable sender names. “Arguably, the issue is not that spoofing is easy, but that identifying a legitimate message is inherently hard,” he tells Forbes.
Whilst the U.K. has started using WhatsApp for providing information to the public on coronavirus specifics, it’ll still have to use text messages. Not everyone uses the Facebook-owned messaging service, after all.
“The problem about sending alerts is that SMS is still the most ubiquitous and likely to reach the most people,” says professor Alan Woodward, a cybersecurity expert from the University of Surrey in the U.K. “It’s not ideal, but to be frank, in the U.K. we have little alternative.”
Not that the U.K. is alone. The same goes for any other nation using SMS for mass alerts. If you do receive a COVID-19 message appearing to come from your government, it might be best to avoid clicking on any links within. Instead, search for official sources of information online, such as gov.uk/coronavirus.