SMS, which stands for Short Message Service, is used worldwide as an easy and convenient means of exchanging text messages over a cellular network. As more and more people have access to phones (and in turn subscribe to mobile carriers), SMS still holds a decently robust place on the leaderboard of messaging protocols.
However, SMS faces strong criticism for its inherent vulnerabilities that compromise user privacy and security. This article aims to outline some of these vulnerabilities in a non-technical way, to educate you about SMS usage (and hopefully convince you to stop using it as much as possible).
1) SMS is (still) unencrypted:
We’re in 2024 and SMS messages still travel the world in plain text. Telecom providers don’t employ end-to-end encryption because of various technical [1], financial [2] and legal [3] constraints they must comply with. End-to-end encryption is super important because it keeps the content of your message accessible only to you and the person you send it to. Most if not all SMS implementations around the world lack this functionality, which makes this protocol one of the most insecure ways of sending data from point A to point B.
2) SMS messages can (easily) be intercepted:
Speaking of surveillance, SMS messages can be relatively easily intercepted by attackers using methods such as SIM swapping, where they gain control of your phone number, or by exploiting vulnerabilities in the mobile network.
3) SMS and the risks of phishing:
SMS doesn’t offer any reliable means of sender authentication, so you’re never actually sure that the sender of a message is who they claim to be. Any company or individual can easily buy an SMS service and send you spam messages or phishing links appearing to be from a trusted source. Just like email links (or links in general), you should never click on a link that’s sent to you until you verify that the link is legitimate and comes from a trusted source.
4) Data Retention and Storage:
Your telecom company can read the texts you send and receive. They keep these texts on their systems for various amounts of time, where they might be vulnerable to data breaches, law enforcement requests or unauthorized employee access.
5) Human weakness:
At the carrier level, phone numbers usually have very poor security, because your phone number’s security also depends on the knowledge of the staff handling your information. A scammer might call your phone company or go to a store, pretending to be you. If the scammer knows enough information (which can be easily gathered from your Instagram profile) and tricks customer service into believing that he’s you, he could take control of your phone number.
6) Stingrays:
Governments can use devices called "stingrays" that act like fake cell towers. When they're close to where you are, these devices fool your phone into connecting to them, just like it would connect to a regular cell tower. Once connected, the stingray can follow where you go and access your SMS text messages, similar to what your regular cell service provider can do. Tools like these are usually used by governments in high-intensity situations such as protests or criminal investigations (although there are no restrictions preventing continuous usage under the guise of “national security reasons”), raising privacy and legal concerns, as the technology can collect data from not only the targeted individuals but also other innocent bystanders in the vicinity.
Alternatives with Better Security:
Using most mainstream end-to-end encrypted messengers should offer better security than using SMS. Signal is our top recommendation, as it is the gold standard for messaging. Messengers like WhatsApp - or even Facebook Messenger (recently [4]) - support end-to-end encryption, which would make your messaging more secure (keeping in mind the horrible privacy practices of a company like Meta).
We recommend avoiding apps like Telegram [5] or WeChat [6], because they might be even less secure than SMS, and they also pose very serious privacy risks for all users (too long to list here, will be discussed in a future post).
But maybe, there’s hope...
Apple has announced that in 2024, iPhones will support RCS messaging, which will offer better interoperability and encryption when texting with Android devices. This change is due to regulatory pressure from the European Union's Digital Markets Act.
Apple's adoption of RCS messaging is expected to bring a more secure and modern texting experience for users, as RCS supports encryption.
SMS (with iMessage) has been getting some attention from Apple, as they announced RCS support in 2024, which might offer a way to support some forms of encryption on SMS messages.
While the future of SMS in terms of privacy and security is not clear, one would hope for improvements that address the current vulnerabilities and provide better safeguards for user information, mainly through end-to-end encryption. These improvements would benefit the whole world, and are among the most impactful changes that can be made with regard to secure messaging.
[1] Unlike internet-based messaging, SMS was designed with a different architecture, and reimplementing it with end-to-end encryption may present some technical hurdles, such as interoperability between different carriers.
[2] Upgrading the entire network infrastructure to support end-to-end encryption can be a costly endeavor for telecom providers. It may involve significant investments in both hardware and software upgrades.
[3] Some governments may have laws or regulations that require providers to retain access to communications for lawful interception purposes. Implementing end-to-end encryption could conflict with these requirements.
[4] For now this change will only apply to one-to-one chats and voice calls.
[5] End-to-end encryption is not enabled by default; messages are stored in plain text.
[6] WeChat uses encryption for its messages, but it's not end-to-end, meaning the messages can be accessed by WeChat, and authorities if required.