A hacker has demonstrated that he can read a journalist's text messages: all he had to do was register the journalist's phone number with a direct marketing service. The hacker, who goes by the name Lucky225, showed the attack to the online magazine Motherboard.
According to the report, for US cell phone numbers at least, it is enough to create an account with Sakari, a service that offers well-known personalities and companies direct marketing and bulk SMS sending. A cell phone number can be stored there, after which SMS to that number can be received and sent through the service's marketing interface. The cheapest plan costs $16 per month.
Although customers must confirm in a letter of authorization that they will not use the service for illegal, harassing, or inappropriate behavior, the provider does not verify that the mobile phone number actually belongs to the person registering it. All that is required is a signature asserting that the number is yours.
To prove how easily such services can be abused, Lucky225 registered with Sakari the mobile phone number of Motherboard journalist and T-Mobile customer Joseph Cox, with Cox's consent. Shortly afterwards, Lucky225 was able to receive and read SMS sent to Cox, and to send SMS in his name.
Lucky225 explained to the journalist Brian Krebs that this is an industry-wide problem, not one confined to Sakari: the provider is part of a much larger, largely unregulated industry whose services can be used to hijack SMS messages for many phone numbers. Sakari has since taken steps to make such abuse of its service more difficult.
Beyond the massive privacy problem, the attack is also a serious security gap: one-time codes sent via SMS are widely used for two-factor authentication (2FA), and an attacker who reroutes a victim's SMS in this way can intercept them.
For just $16, an attacker can thus take over the online accounts, and with them the online identities, of real people.