Computer, network, and cloud security may be major concerns for your business, but have you considered the security of your texts? The truth is, text messaging isn’t secure, and can be accessed by carriers, government agencies, phone manufacturers, and hackers easily.
Read on to learn about the security capabilities (or lack thereof) of short message service (SMS or text) messaging, the threats that are out there, and what you can do to better protect your messages from malicious eyes. Whether you’re texting for business or for personal use, this information is crucial for you to know.
What Are the Security Issues With Text Messaging?
Text messaging has major security issues as carriers, government agencies, phone manufacturers, and hackers can gain access to your texts.
Carriers Store Information About Your SMS Messages
The first security concern with text messages is the fact that most (if not all) carriers store your SMS data on their servers. Verizon, AT&T, T-Mobile, you name a carrier, they likely do it. None of them have what’s known as “no-log” policies, which stipulate the nonstorage of any activity that passes over their networks.
However, the major carriers claim to not store the actual contents of messages, although you can take that for what it’s worth. Instead, they admit to storing “metadata,” which includes the dates, locations, and times that messages, calls, and searches are made as well as the other parties involved. This data is stored for an indefinite amount of time, but some reports show that carriers keep message data anywhere from a few days up to seven years. While this metadata might seem harmless, there’s a lot of contextual information you can discern from it.
This concept is described above as “linkability,” in which metadata is used in aggregation to make inferences about your behavior and things that you do. This information can then be weaponized against you by hackers to exploit all kinds of potential dealings in your life and even blackmail you or your business. While this video describes the use of metadata by governments, this same idea applies to hackers that exploit carriers and use data against you.
Governments Can See Your SMS Messages
You can’t talk about privacy without bringing the government into it. We know from the Snowden leaks that there’s participation between the major telecommunication/tech companies and the National Security Agency (NSA) to conduct warrantless surveillance of communications. Can you trust the government with your texts? Probably not.
Governments may use unsecure, antiquated systems, and hackers are always looking for unpatched and outdated software to breach. These systems might be used to store text messages in investigations or even the metadata of smartphones, which potentially leaves your data exposed. This is a concern for everyone since we all have sensitive information stored somewhere in federal or state government systems.
Even if your text information is secure with the government, you might prefer to keep it out of their hands. Let’s say your business is very activist-friendly or critical of a particular administration or government official. It isn’t beyond the pale to suggest that politically motivated surveillance occurs and that using unsecured methods of communication like SMS messages can leave you potentially exposed to blackmail, intimidation, or mistreatment. Nothing is really off the table.
Phone Manufacturers Store Your Messages
While I can’t definitively claim that phone manufacturers read your text messages, the more advanced manufacturers that utilize cloud storage for backups and phone transfers certainly store your text messages on their own servers. This is a price we pay for the convenience of having the ability to move seamlessly from one smartphone to the next without losing any data and settings. This goes for iOS and Android.
While companies like Apple have taken a stance when it comes to privacy on your own smartphone by not creating any backdoors to access a locked device, the same cannot be said for its iCloud services. As for Android, which is created by Google, the company claims that your cloud data “is your own” and that none of it’s sold to third parties. If we’re looking at this realistically, neither company has been caught snooping around our cloud data and our text messages, but that’s not to say that it isn’t possible.
The truth is, cellphone manufacturers are willing to cooperate with authorities and hand over information that they have access to. If a legitimate warrant comes through seeking text message data stored on a server of theirs, you can bet they’ll give it to them.
As for overall security, it’s possible to breach cloud services, but usually on a more individual level. So, attackers are far more likely to gain access to your text messages through a fault of your own ― phishing scams or weak passwords ― than by hacking into Apple or Google’s servers.
SMS Messages Can Be Intercepted by Hackers
Finally, it’s time to address the overall security of SMS messaging. The truth is, SMS messaging is incredibly antiquated and vulnerable to interception by hackers. SMS is like the fax of messaging systems. It’s built on an archaic architecture that is unencrypted, and once messages are sent over the cellular network, they’re vulnerable to interception.
It’s so easy that only a few dollars may stand between you and someone’s stream of text messages by using SMS mass marketing applications, according to Krebs on Security:
“The “how they did it” was sickeningly simple. It cost just $16, and there was precious little to prevent someone from stealing your text messages without your knowledge. Cox writes:
“Sakari offers a free trial to anyone wishing to see what the company’s dashboard looks like. The cheapest plan, which allows customers to add a phone number they want to send and receive texts at, is where the $16 goes. Lucky225 provided Motherboard with screenshots of Sakari’s interface, which show a red “+” symbol where users can add a number.
“While adding a number, Sakari provides the letter of authorization [LOA] for the user to sign. Sakari’s LOA says that the user should not conduct any unlawful, harassing, or inappropriate behavior with the text messaging service and phone number. But as Lucky225 showed, a user can just sign up with someone else’s number and receive their text messages instead.“
That’s insane, to say the very least (albeit very creative). Attackers don’t need to hack into your phone to gain access to your texts. All they need to do is misuse software meant for other purposes to intercept your unencrypted messages.
How to Secure Your Text Messaging
Obviously, the first step you’ll want to take for text messaging security is to ditch SMS altogether, at least when it comes to sending any kind of sensitive information. It’s an old dinosaur of a messaging system and can barely be trusted with little more than simple “greetings” or other mundane conversations about last night’s episode of “The Voice”:
- iPhone users: The least you should do is to make sure that iMessage is turned on when communicating with other iPhone users
- Android users: Update your Android as recently updated Android users have access to what is known as RCS messaging coupled with end-to-end encryption; Android users only recently gained this benefit as of 2021
The problem with these two systems is their incompatibility with one another as any iPhone user can recall the green text bubbles that appear ― as opposed to the blue ― when texting an Android user. This means that messages sent between these two different operating systems are defaulted down to SMS messages without any encryption.
The solution to this incompatibility is to adopt one of the many encrypted messaging applications available to bridge the gap between iPhone and Android while keeping a lid on your messages. Using asymmetric encryption, these applications prevent snooping eyes from reading the contents of your messages, ensuring your privacy.
These applications include:
Not only will hackers not have access to your text messages, but neither will phone carriers, governments, and manufacturers. These apps are so effective that they’re even catching the ire of certain lawmakers who are trying to weaken the strength of these encryptions actively. That should tell you something about just how secure these applications are from prying eyes.
Upgrading Your Security From the Bottom Up
Updating your cybersecurity stack the right way is a holistic process that requires attention to all parts of your business. This includes upgrading your network security software, implementing a new firewall, or changing the way you conduct business communications, such as dropping SMS messaging.
Whatever you’re looking to improve, Digital.com has countless guides, reviews, and best practice articles to help you secure your business the right way. Be sure to check back for regular updates to our content and new insights into the future of cybersecurity.