0

Why service providers didn't implement something like SSL to make SMS more secure and reliable in multiple scenarios ?

I did ask a question about why SMS is used as a way of verification while it is not encrypted in transit.

Mohamed Waleed
  • 1,179
  • 1
  • 5
  • 13
  • Welcome Mohamed, security was not a priority when SMS was made available for gsm devices. – elsadek Jul 06 '21 at 14:52
  • Thanks. yes I know that, but this is required now. couldn't GCM define a new protocol for secure SMS with (5G or 4G) or I am not understanding correctly ? – Mohamed Waleed Jul 06 '21 at 15:13
  • What if the receiving service provider doesn't know how to decrypt the message because it wasn't upgraded? – user253751 Jul 06 '21 at 15:32
  • @user253751 They should first agree on an encryption secret and algorithm, if they did agree both can decrypt the message. If they didn't agree the message will be sent in plaintext. The thing is like when the browser sends Accept-Encoding HTTP header to tell the server what compression algorithms it does support, then the server sends the response with the header Content-Encoding to tell the browser what compression algorithm it used to compress the response. – Mohamed Waleed Jul 06 '21 at 16:34

2 Answers2

3

It is for the very same reason that SMTP does not encrypt everything by default: they are rather old protocols that were invented in a time when strong crypto was not common. And they are normalized protocol for which interoperability is essential. In fact changing SMS to include encryption, would be close to propose a new and different protocol (Signal ?) and wait/hope that the new protocol replaces the old one.

After all, it took decades for HTTPS to replace HTTP...

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84
  • could't they make something new beside SMS and call it for example Secure-SMS, so devices and providers that support the new protocol would use it, else that use the old SMS protocol ? – Mohamed Waleed Jul 06 '21 at 15:05
  • devices and providers also could agree on an encryption secret and algorithm, like what browsers do when they send the Accept-Encoding http header to tell the server what compression algorithms is supported by the browser – Mohamed Waleed Jul 06 '21 at 15:07
  • is this scenario reachable ? where service providers install a certificate on its SIM cards, so devices could verify and initialize a secure tunnel like what happens in SSL. I know this scenario requires currently used software to be modified, but I think it doesn't require new hardware – Mohamed Waleed Jul 06 '21 at 15:10
  • @MohamedWaleed What you propose requires designing and updating a whole infrastructure spread all around the world with more actors that you can imagine. This would incur a huge cost, with zero financial gain. It will not happen. – A. Hersean Jul 06 '21 at 15:17
  • @A.Hersean Thanks for commenting, can't they make a thing like this and implement it with 5G for example, so devices that support 5G will set up a SSL or TSL connection with the service providers towers ? – Mohamed Waleed Jul 06 '21 at 15:21
  • @MohamedWaleed In theory they could. But history shows that mobile operator do not care that much for the confidentiality of the communications. Unlike the web where a few big players (Google, Mozilla and the IETF) were in position to push their views, which for some reasons were aligned with more secure protocols. This was not painless, and it is far from being completed. I do not have such hopes for mobile communications. At least not soon. – A. Hersean Jul 06 '21 at 16:05
  • @A.Hersean Thanks for making it clear to me – Mohamed Waleed Jul 06 '21 at 16:27
2

The original SMS design was limited to a small number of characters because it made use of an otherwise unused portion of the channel between the phone and the tower. There wouldn't have been sufficient space to set up an SSL or TLS connection, and moreover, the earliest phones with text messaging were not designed to handle the modern, secure algorithms we use today in TLS.

Cryptography in mobile phone protocols has overwhelmingly been quite terrible for a long time, and it's only with the advent of smartphones that phones became capable enough to use strong algorithms. With the development of more efficient cryptographic algorithms, it's likely that even today's feature phones could use TLS, but for backwards compatibility reasons, they don't.

This same pattern can also be seen in other embedded devices that have long tail lifetimes, like EMV credit and debit cards and terminals. For backwards compatibility reasons, they continue to use relatively small RSA keys, SHA-1, and, in some case, Triple DES, despite better algorithms being available.

bk2204
  • 8,695
  • 20
  • 19
  • is it hard to identify which phones can set up a SSL or TLS connection ? I mean they keep SMS as it is and develop a new protocol and use it with the devices that it support. This is better than making the whole thing unsecure – Mohamed Waleed Jul 06 '21 at 15:17
  • @MohamedWaleed The new protocol is called Signal, or Telegram, or WhatsApp, or Facebook, or ... – user253751 Jul 06 '21 at 15:32
  • The protocol did use encryption. (It’s why you have a smartcard (Ea: SIM card) in your phone. SMS was originally intended for service messages, ea messages from a trusted source to a subscriber… and this is why it is not more encrypted…. – LvB Jul 06 '21 at 16:16
  • 1
    There is better support: [RCS](https://en.wikipedia.org/wiki/Rich_Communication_Services) is an upgrade to SMS and it's encrypted between the phone and the hub. It isn't always end-to-end encrypted, though. – bk2204 Jul 06 '21 at 18:57
  • @bk2204 thanks, i will search about it – Mohamed Waleed Jul 06 '21 at 20:15