Internet privacy and security course
Aa font
AA font size
About translation
Previous Next

Chapter 65

The security problems of SMS messages

On the last day of 2015, a group of hackers RUH8 had quite a peculiar way to wish the citizens of Russia a Happy New Year: it leaked almost 300,000 text messages that belonged to Russians. The SMS histories included the dates, the data of the sender and the contents of the text.

The leaked text had the following message from the notorious hackers:

I want to remind Russians that there is no secret that won’t be revealed, there is nothing you will be able to hide, and I hope your vulgarity, lies, ignorance, lust, adulteries, affairs, mistakes, unkept promises will stay with you in the New Year! The Federal Security Service can’t protect you, the Interior Ministry of Russia can’t protect you, the Federal Service for Technology and Export Control can’t protect you, and and even Putin won't help you. Rete nostrum, we’ll be always waiting for you on the Internet.

How this kind of incidents should be handled is up to law enforcement, while I want to draw your attention to the fact how unsafe text messages are. Sending a text message is probably the most dangerous ways to send information. SMS leaks happen so frequently it’s scary, and these leaks occur for various reasons.

The most notorious scandal to date is the leak of the text messages sent from the website of the telecommunications operator MegaFon in 2011. You probably know that text messages can be sent not only from a phone but also from websites. If you use the latter way of sending your messages, you pay nothing, rendering this method extremely popular with users.

Because of an incorrect configuration of the robots.txt file and analytics tools on the website of the Russian telecommunications operator MegaFon, the search engine Yandex began indexing the text messages sent by the users from the website, and their SMS histories were made available for the query* |*.

The problem was resolved pretty fast, however , a flood of private messages became publicly available, hence the scandal, and, correct me if I’m wrong, a string of lawsuits. The users of popular resources started distributing the contents of the messages discussing the most entertaining texts.

Interview widget: Do you use websites to send text messages?

Besides major telecom operators, there are various third-party websites that provide this kind of services. You can find them by entering the query “send SMS” in your search engine. By using similar websites, you provide all your data to such websites, to be specific, your phone number and the contents of your text message per se. And unlike telecom operators, these websites don’t really care about the privacy of this data. Collecting your data, they, as a rule, either sell it off or use it for advertising purposes.

Similar websites are often get hacked by intruders to access the users’ data that is stored unencrypted in the overwhelming majority of cases.

Be aware of the expiry period of SMS messages. Unlike calls data whose records weigh quite a lot, SMS are simple texts and the archive numbering almost 300,000 text messages we have mentioned at the beginning of the chapter was only 8 MB. This allows websites to store all your SMS for years. Therefore, I strongly recommend you stop using SMS for sending any information that may be of importance to you.


Don’t use SMS for sending any information that may be of importance to you.

The text messages you send from your phone can be read not only by your telecom operator and law enforcement. To intercept SMS, thieves can resort to the same tools used for hijacking calls – fake base stations and SS7 exploits. You will find out more about this in the chapter focusing on calls and SMS interception.

Be also aware that the SMS you send are stored not only by telecom operators, but also on your phone, and the phone of the person who receives your texts, and they can be leaked if any of the devices becomes hacked. In the next chapter, you will find out how to use one-time-use notes that self-destruct after being read and aren’t susceptible to man-in-the-middle attacks.

Tired of reading? Watch video!

CyberYozh YouTube cha