Disturbing New SMS Hijack Blamed on NetNumber IDs

Last week Vice published an article by Joseph Cox with the title “A Hacker Got All My Texts for $16”. If you have not seen it yet, then I recommend you read it now, then come back and read the rest of this. Telecommunications is an industry that talks plenty about security and privacy but which deserves its woeful reputation when it comes to abusing end users. Cox’s article explained how business SMS services aimed at enterprise customers provided a back door for bad actors to simply pretend that your phone number belonged to them, with no checks to verify if that was true. This happens when resellers fill out a Letter of Authorization (LOA) which tells their wholesale carrier they have the rights to a number, whilst the wholesale carrier trusts the LOA is reliable. SMS messages meant for you could then be rerouted to a different number, and you would have no way of knowing it had happened. With a SIM swap you can see that service to your phone has been interrupted, whereas this new SMS rerouting hijack would be invisible to the victim.

In an era where the threat posed by SIM swappers intercepting one time passwords has been exaggerated by women’s magazines, the BBC and even official police statistics, the creation of an easier way to snatch another person’s SMS messages can only be considered a spectacular example of self-harm by the telecoms sector. SIM swapping crimes have resulted in law suits worth hundreds of millions of dollars and condemnation of telcos by famous celebrities but the telecoms industry somehow invented an additional way to hijack SMS messages because of the extraordinary assumption that nobody employed by a business might also be a crook or a danger to society. The claims made by Cox and a hacker called Lucky225 must be taken seriously, as reinforced by every operator approached by Cox choosing to hide behind a common statement from the CTIA, an industry association for US cellular telcos.

After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it. We have no indication of any malicious activity involving the potential threat or that any customers were impacted. Consumer privacy and safety is our top priority, and we will continue to investigate this matter.

Pardon me for being argumentative, but if consumer privacy and safety really were the top priority for the telecoms sector, why did the CTIA learn of this vulnerability from a journalist? And who decided the privacy and safety of users could be assured whilst allowing the rerouting of SMS messages without any confirmation from the end user?

Cox’s article includes the usual cheap political shots you might expect when he elicits quotes from politicians with no real answers because they do not understand (or do not care to understand) the subjects they voice opinions about. The ignorance of the politicians also reflects an industry that is unwilling to admit to its own failings, so chooses to cover them up and play them down instead. The studied obtuseness of these politicians will likely need to continue for a while longer because Lucky225 identified that this new form of SMS hijack was made possible by one of the key players selling services to enhance privacy and security in the US telecoms system.

There are a plethora of other wholesale VoIP providers that allow you to become a reseller with little to no verification, many of them allow agreements known as “blanket LOAs” where you as the reseller promise that you have an LOA on file for any number you want to text enable for your resellers or end-users. In essence, once you have a reseller account with these VoIP wholesalers you can change the Net Number ID (NNID) of any phone number to your wholesale provider’s NNID and begin receiving SMS text messages with virtually no authentication whatsoever. No SIM Swap, SS7 attacks, or port outs needed — just type the target’s phone number in a text box and hit submit and within minutes you can start receiving SMS text messages for them.

The hijack method used by Cox and Lucky225 is enabled by SMS routing built upon NetNumber’s data. If you can change the data, you can change who receives the SMS message.

NetNumber is also a major player in the rollout of anti-spoofing technology for voice calls, positioning themselves as suppliers of the ‘most comprehensive’ solutions for STIR/SHAKEN, the protocols designed to ‘lock out’ fraudulent voice callers. The US has set a June 2021 deadline for the adoption of STIR/SHAKEN, creating a gold rush for suppliers of this technology. When the demand for STIR/SHAKEN has been satisfied in the USA the suppliers of this technology hope to convince regulators in countries like France and Germany to generate new demand for the same systems. As NetNumber observes in their own advertising, “other governments are expected to follow with similar requirements.” Assertions like these can be found everywhere, but none clarifies who is setting the expectations for these governments.

NetNumber’s role in routing SMS messages illustrates the risk in creating a telecoms infrastructure designed to restore trust without being clear about who gets to decide which businesses are trustworthy. Lucky225 struck at the heart of the matter through an article he published on Medium:

NetNumber does have the ability to ‘lock’ specific numbers/carriers from being hijacked, however this doesn’t really solve the issue. As an unregulated quasi-authority for SMS routing they have made mistakes in the past. For example, this specific issue of number hijacking was highlighted in a QSI Consulting Exploratory Paper when ZipWhip had been using anti-competitive tactics to insert themselves as the sole SMS text provider for toll free numbers. “The arrangements between the mobile providers and Zipwhip created a de facto monopoly provider for Toll-Free texts to and from roughly 100 percent of the nation’s mobile subscribers”…

…All of this was enabled by NetNumber who would assign ZipWhip’s NetNumber ID (NNID) to these toll free numbers, and who would presumably refuse other SMS providers to assign their own NNID to these toll-free numbers.

Lucky225 further illustrates the seriousness of the competitive issues within the realm of business SMS messaging whilst explaining the ‘precautionary measures’ taken by CTIA.

Up until sometime on Thursday, March 11th, 2021 NetNumber was allowing any and all wireless phone numbers to have their NNIDs reassigned or hijacked without any authorization or verification as well… it appears they have devised a scheme to pretend this is no longer a problem by temporarily not allowing wireless numbers to be hijacked. Their quick fix however brings more questions than answers. If wireless numbers are locked to the carrier they’re already assigned to then what is the purpose of NetNumber’s database? The carrier information about a wireless number can easily be looked up in NPAC without querying NetNumber to see where to send an SMS message to, and why decide only now to offer this protection to wireless numbers and only wireless numbers?

The CTIA represents mobile providers, so their reassurances may have understated the risks to consumers in general, as Lucky225 also points out.

Furthermore, people use VoIP numbers instead of their real wireless numbers for various services and those folks are still left vulnerable to this attack while only those who don’t care about their privacy and use their real mobile numbers are protected.

Lucky225 went on to demand increased oversight of NetNumber.

The point here is until NetNumber is regulated by the FCC (and the various other telecom regulatories that NetNumber operates in), nothing in their database can be trusted. They make unilateral policy decisions on the fly for whatever purpose suits them.

The importance of these issues is further underlined by the observation that the risk of hijacking SMS messages via an abuse of NetNumber IDs is not really new at all. Lucky225 and others observed the danger as early as 2018.

It may well be the case that users are better protected by businesses like NetNumber who understand what they are doing and play a central role in managing key aspects of telecommunications than by the hoards of telcos engaged in buying and selling capacity. However, I believe too tight a focus on the technical aspects of telecommunications can cause us to lose focus on the drivers of risk. When it comes to any process designed to enhance trust, there will always be an irresolvable root problem: who is trusted to decide whom else is trustworthy? This problem is exemplified by SMS hijacking using NetNumber IDs, but it equally occurs in the context of email, the web, and voice calls. The more we focus on details like NetNumber IDs, the more we lose sight of the fundamental issues that governments should be grappling with, but usually fail to appreciate because they rely too heavily on experts employed by businesses with vested interests.

The reasons to give enterprises the ability to receive SMS messages at numbers which are not actual mobile phones are also the reasons why supporters of STIR/SHAKEN are busily identifying ways for enterprises to spoof their own caller IDs. Enterprises do not behave like end users, and they do not want to behave like end users. They do not like being spoofed by bad actors, but they want to spoof for ‘good’ reasons. Enterprises want to be connected to the telecoms ecosystem in ways we would never allow for end users because we would not trust ordinary people to behave themselves. But enterprises are staffed by ordinary people too.

Whilst hackers and bad actors may be teenagers working from their basements, or professionals employed by foreign governments, they may also work for legitimate businesses, and for not-so-legitimate businesses. Such a business might sit in the same country as you, or it may sit in a foreign country. If a decision can be made to water down security so a business can do something that an end user cannot, who do you trust to make that decision, and which businesses should get preferential treatment? However you might answer this question, it is unlikely you would trust the decision to someone whose income depends on pleasing business customers. The very reason why the US has such a huge problem with robocalls, and hence has a need for STIR/SHAKEN, is because some businesses will engage in unscrupulous practices to make sales.

There are individuals who will never trust the private sector to protect them, and that is evident from some of the quotes in Cox’s article. On the other hand, it unlikely that a business based in a foreign country, like China, will have much confidence in officials appointed by US politicians. Telecommunications is global; thinking all problems originate and end in the USA is one of the worst weaknesses of the US approach to protecting its own citizens. Whilst US politicians might have valid reasons to raise concerns about foreign outfits like Huawei, they do themselves no favors by depending on firms that made this new form of SMS hijacking possible.

It is unlikely the US approach for reducing fraud globally will undergo any significant improvement, no matter who lobbies them. The plan for rolling out STIR/SHAKEN across borders will be as much driven by harsh commercial realities about where call centers are located, and hence who might be excluded from lucrative business contracts, as any rose-tinted vision of international collaboration for the good of all. The interplay between the interests of national governments, privately-owned businesses and the largely privatized management of consumer protection will continue to prompt questions about who should trust whom, without much prospect of delivering common and convincing answers.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.