Has the NetNumber SMS Hijack Vulnerability Been Fixed Already?

If you hang around telco fraud managers long enough, you tend to hear them say the same things repeatedly, such as the observation that fraud will never be defeated. On the contrary, they say frauds are getting worse and will keep getting worse, despite their best efforts. That makes it unusual for a popular magazine to make the eye-popping claim that “A Hacker Got All My Texts for $16” using a simple loophole that allows SMS messages to be hijacked, only for the same magazine to imply the loophole was fixed just 10 days later. That sounds like good news. So why do I feel like a conspiracy theorist who suspects a cover-up? And why did the coincidental winning of a ‘coveted’ cybersecurity award make me even more suspicious?

Joseph Cox of Vice wrote on March 15:

A gaping flaw in SMS lets hackers take over phone numbers in minutes by simply paying a company to reroute text messages.

Cox was referring to the potential to corrupt data maintained by a business called NetNumber. NetNumber’s data is used by comms providers to determine how to route SMS messages. A simple loophole identified by a hacker called Lucky225 showed it was possible to claim the rights to manage a phone number without any real authorization or proof, and so alter NetNumber’s data with the result that SMS messages are rerouted from the intended recipient to a different phone number. That sounds pretty scary, especially given all the fuss about other hackers relying on more elaborate methods like SIM swaps and SS7 surveillance to achieve the same goal of intercepting SMS messages. However, Cox had reverted to a much more reassuring message by March 25:

All the mobile carriers have mitigated a major SMS security loophole that allowed a hacker to hijack text messages for just $16.

Phew. Put simply, Cox wrote that the biggest US mobile operators have made the NetNumber database defunct for any phone numbers used by their customers. So why am I not convinced that the risks have been eliminated?

One problem with Cox’s follow-up story is that the fix he discusses on March 25 was already mentioned in his original March 15 article. In the original he mentioned how US trade body CTIA, which represents the big three US mobile operators, had already said:

After being made aware of this potential threat, we worked immediately to investigate it, and took precautionary measures. Since that time, no carrier has been able to replicate it.

Lucky225, the hacker who demonstrated the hijack vulnerability to Cox, independently confirmed the fix when I contacted him. However, that fix only prevents the hijacking of messages sent to the phone numbers associated with those US mobile operators, and seemingly has not been implemented for other numbers. To apply the same fix globally would effectively render NetNumber’s routing database obsolete.

A vulnerability like this will have been communicated to the highest echelons of the US communications industry, including the top people at national regulators. They will have heard about this vulnerability, but they do not seem to have much to say about the risks created by a US business that maintains a service with a known vulnerability and which is, per the words of NetNumber’s founder and Chief Strategy Officer, “now widely used by fixed-line, mobile, cable/Multiple System Operator (MSO) and Over the Top (OTT) service providers to route calls and messages on a global basis”.

This refusal to talk openly about a threat to ordinary people is at odds with another truism you often hear from fraud managers: that we need to help customers to protect themselves by making them aware of risks. A fix for the three largest mobile operators in the USA is not a fix for every mobile operator in the USA. Nor will this fix protect consumers who registered for online services using an SMS-capable phone number from an internet provider like Google. Nor will this fix protect customers of comms providers outside of the USA. Lucky225 blew the lid off the risk to everybody, but the strategy adopted by the US comms industry appears to be to say as little as possible in order to limit the damage to a key US provider of routing and security services.

There is a second problem relating to the source for Cox’s story. This is how he explains it:

All of the major carriers made a significant change to how SMS messages are routed to prevent hackers being able to easily reroute a target’s texts, according to an announcement from Aerialink, a communications company that helps route text messages.

The Aerialink messaging platform became the property of iconectiv in 2019 and their name lives on as part of ‘TruReach Deliver Aerialink’, an iconectiv offering that they describe as ‘the premier messaging solution for B2C communications’. Cox shared a screen grab, purportedly taken from an Aerialink-branded website, which showed a March 25 announcement about an ‘SMS Routing and Policy Notification’ that is consistent with the mobile operator fix already communicated by Lucky225 and the CTIA. Cox also provided a link to the website from which he took his new information. This website still displays the old Aerialink brand and a series of dated announcements in the style of that shown by Cox’s screenshot… but the SMS Routing and Policy Notification had already been removed by March 26. It is difficult to understand why an obscure industry notification important enough to grab the attention of a mainstream tech journalist also needed to be removed from sight just a day later.

Like NetNumber, iconectiv is also a key US provider of anti-fraud services for the communications sector. In August 2019 iconectiv won the contract to be the monopoly policy administrator for the STIR/SHAKEN anti-spoofing system in the USA. This was awarded by the US governance authority for STIR/SHAKEN, whose board is chaired by AT&T and includes representatives of the other big mobile operators and major players like Google and the CTIA. In September 2020 the governance authority also granted NetNumber the lucrative right to be a supplier of digital authentication certificates within the US STIR/SHAKEN system.

This does not really prove anything. Nor is anything proved by observing that NetNumber’s March 25 press release said nothing about ordinary people needing to protect themselves by changing vulnerable phone numbers registered with businesses that send one time passwords. It did not say anything about the three largest mobile operators in the USA making a chunk of NetNumber’s services redundant, nor whether other comms providers will follow suit. It did say they had won an award for their STIR/SHAKEN certification product.

NetNumber announced today that its Guaranteed Caller™ (GC) Solution has won the highest-level award from the prestigious Cybersecurity Insiders organization. Nominations are accepted for products and services that cover more than 100 security award categories…

“NetNumber continues to be one of the more innovative companies in the security space and one that has contributed greatly to the security industry as a whole,” said Holger Schulze, founder of Cybersecurity Insiders and the 400,000-member Information Security Community on LinkedIn that jointly produce the awards program. “Congratulations to them for being chosen as a Gold Winner in the Communication Fraud Protection category for 2021.”

I guess it must have come as a relief to NetNumber to win a cybersecurity award immediately after a major magazine said their data could be used to undermine the security of hundreds of millions of people. The odd part about this announcement is that it says there are more than 100 categories for these annual awards. The wording is strictly correct, although 883 separate categories is a lot more than 100. I counted them all; feel free to visit the awards website if you want to double-check my tally.

Anyone applying for one of the 883 Cybersecurity Insiders awards must pay a fee of at least USD600. Winners get their name on the Cybersecurity Insiders website plus a few words of praise for their press release. The organizers stated they had ‘over 800 entries’ in the 2021 competition, implying most categories attracted only one entrant. Winning a category cannot be too hard, given that anyone who pays the necessary entrance fees may also “request a new category if your solution does not fit any existing categories”.

The NetNumber promo on the awards website explains that NetNumber “is one of the few approved STI Certification Authorities which can issue SHAKEN certificates to CSPs that have been vetted by the STI Policy Administrator (STI-PA)”. I am not so sure this is a good advert for STIR/SHAKEN, if the purpose of this new governance technology is to restore trust in telecommunications. With so many awards categories it is hard to believe any serious company or professional would actually covet one of the Cybersecurity Insiders awards.

There is no evidence of illegality amongst any of this, but some of the people who claim to be restoring trust in technology and communications are going about their task in a way that is deeply unsettling.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.