A major security vulnerability that allows attackers to easily fake their identity in smartphone text conversations has been fixed in the United States thanks to a team of computer scientists at the University of California San Diego. The vulnerability affected both Android and Apple smartphones as well as all major wireless carriers, including Verizon, T-Mobile and Google Fi, and smaller independent operators such as Mint Mobile.
Once they discovered the vulnerability, which stems from the ability to send text messages via email, the research team worked closely with smartphone companies and cellular carriers to develop mitigation strategies and fix the issue.
The researchers presented their work at the 47th IEEE Symposium on Security and Privacy from May 18 to 21 in San Francisco.
Most major cellular carriers introduced the option to send text messages via email in the early 2000s as a way to help popularize the new medium. But email messages and text messages have different internal formats and conventions, so carriers have to automatically translate from one message “language” to another. Unfortunately, much can get lost in translation and attackers can exploit this ambiguity to impersonate senders.
“Email and text messaging weren’t designed to work together,” said Stefan Savage, a professor in the UC San Diego Department of Computer Science and Engineering and one of the paper’s senior authors. “It’s a little bit like reading postcards to someone over the phone and needing to figure out where the sender and recipient information and the message itself are.”
The vulnerability is aggravated when the email-turned-text reaches a smartphone. Both Android and Apple smartphones usually check the sender’s identification against the phone’s contact list. Attackers can subvert this process by using special characters to obscure the sender’s real identity and impersonate someone on that list. For example, messaging apps can interpret email addresses as phone numbers with the addition of just a few characters. Researchers were even able to insert fraudulent texts inside existing text conversations with known contacts. It’s worth noting that in this case attackers can’t see the replies to their fraudulent text.
“There are no standards for converting emails to texts and that opens the door to all sorts of vulnerabilities,” said Sumanth Rao, the paper’s first author and one of Savage’s computer science Ph.D. students at the UC San Diego Jacobs School of Engineering.
Based on the work from UC San Diego researchers, Verizon, T-Mobile and Google modified the way email address fields are translated into texts to eliminate the vulnerabilities discovered. In addition, Verizon is working to shut down users’ ability to send texts via email, a move that should be completed by the end of March 2027. Among smartphone vendors, the vulnerability in Google Messages also has been fixed, as has the vulnerability in Apple Messages on iPhones.
The whole ecosystem of cellular communication is built on the assumption that the system that transports text messages from phone to phone, or email to phone, is reliable and robust. That is not the case, the researchers said.
“People don’t realize that there’s no guarantee that text messages have integrity,” Savage said. “You can’t count on authenticity.”
The study received a Distinguished Paper Award at the 47th IEEE Symposium on Security and Privacy, where it was presented.
Funding for the study was provided in part by the Irwin Mark and Joan Jacobs Klein Chair in Information and Computer Science, the CSE Professorship in Internet Privacy and/or Internet Data Security, the Paul Jacobs Chancellor’s Endowed Faculty Fellowship for Next Generation Wireless, and a Google Academic Research Award.
Lost in Translation: Text Message Spoofing via Email
Sumanth Rao, Ye Shu, Stefan Savage, Aaron Schulman and Geoffrey M. Voelker, Department of Computer Science and Engineering, University of California San Diego
Enze Alex Liu, Carnegie Mellon University