Writing and receiving SMS, be it with family, friends, or for some two-factor authentication methods, is something that everyone is very used to by now. Almost no one stops to think how it happens or how secure it is.
Now Sébastien Kaul, a German security researcher has an answer for that: not that much, it seems. He recently revealed that the Voxox database leaked all their information for everyone to find and access.
No security measures whatsoever
Voxox is a California based communications company. It acts as a gateway between companies that send out text messages, for example to convert a two-factor authentication shortcode into real text messages that will be delivered to the end-user’s phone.
To get to the data he wanted Kaul used Shodan, a search engine for publicly available devices and databases. Just to make sure you see the issue here: A database like that should NEVER be anywhere in a search engine for publicly available anything.
Once in the database Kaul was able to extract loads of information without any issues or obstacles. The recipients’ cell phone numbers, the messages, the customers who sent the message and the shortcode they used. It’s all there. All in all there were 26 million entries until it was taken down after the breach.
Katz, a security researcher who reviewed the findings told Techcrunch that this is indeed very bad. “My real concern here is the potential that this has already been abused,” he said. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”
Nonetheless, considering that some companies only require a phone number to reset an account the possibility or breached accounts are huge.
If possible, don’t use SMS based verification
While better than nothing SMS based authentication also is one of the weakest options. Some time ago Reddit, who was using the same technique for their employees, had to find out that it actually can be exploited.
The above database issues are just another examples of why you should switch to another method if possible.