3

I came across this website today that implements SMS based authentication that works "opposite" most SMS authentication methods.

In typical SMS authentication, the provider sends you an access code that you use to log on to the site. The TextKey system works the other way around - when you log on to a site, it displays a special code that you type into an SMS message and send it to the provider to complete authentication.

The TextKey website claims that this is more secure and immune to phone cloning because the phone sends a UDID that is hardcoded into the phone along with the SMS message, and unless your phone has the correct UDID, the cellular provider will not accept the message. This makes cloning much harder because the attacker would have to change this hardcoded ID which is burned into the phone and immutable.

Is this true? I've moved a SIM card among multiple phones and have had no problem sending and receiving SMS messages from the phone number associated with that SIM, despite never having registered a UDID (IMEI, whatever) with the carrier. Does a short-code provider get to see the phone's unique IMEI or MEID?

It seems that this system faces the same risk of interception due to cloning as any other SMS based authentication method -- if someone is able to clone a phone's SIM, then they can send and receive text messages as that user, bypassing the SMS portion of the authentication.

Johnny
  • 1,418
  • 13
  • 19
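To make the flow in the question concrete, here is a minimal server-side verifier for a mobile-originated SMS second factor of the kind described: the site displays a code, the user texts that code to the provider's short code, and the provider checks the inbound message. This is example code written for this page, not TextKey's or TextPower's implementation; the six-character code format, the 120-second lifetime, the `inbound_sms(sender, body)` webhook shape and the sample phone numbers are all assumptions. It is worth reading for what it does not contain: once the code is matched, the only thing binding the message to the account is the sender identity the carrier asserts, which is exactly the property the question is probing.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed parameters, not taken from the TextKey documentation.
CODE_TTL_SECONDS = 120
# Alphabet without 0/O/1/I so the user does not mistype the displayed code.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    username: str
    code: str
    issued_at: float
    consumed: bool = False


class TextKeyStyleVerifier:
    """Server side of a mobile-originated SMS second factor.

    issue_challenge() produces the code the website shows to the user;
    inbound_sms() is what the SMS gateway would call with each message
    received at the short code.
    """

    def __init__(self, registered_phones: Dict[str, str],
                 now: Callable[[], float] = time.time,
                 code_len: int = 6):
        self._phones = registered_phones           # username -> E.164 number
        self._now = now                            # injectable clock for testing
        self._code_len = code_len
        self._pending: Dict[str, Challenge] = {}   # code -> outstanding challenge
        self.authenticated: Dict[str, bool] = {}   # username -> second factor passed

    def issue_challenge(self, username: str) -> str:
        """Generate a fresh one-time code bound to this user's login attempt."""
        if username not in self._phones:
            raise KeyError("no phone registered for user")
        while True:
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(self._code_len))
            if code not in self._pending:        # avoid handing out a live code twice
                break
        self._pending[code] = Challenge(username, code, self._now())
        return code

    def inbound_sms(self, sender: str, body: str) -> bool:
        """Validate one inbound message; return True if the second factor passed."""
        code = body.strip().upper()
        ch = self._pending.get(code)
        if ch is None or ch.consumed:
            return False                            # unknown or replayed code
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            del self._pending[code]                 # stale code is discarded
            return False
        # This comparison is the entire second factor: whoever the carrier
        # reports as the sender is treated as the holder of the registered phone.
        # A wrong sender does not consume the code, so the real user can still use it.
        if sender != self._phones[ch.username]:
            return False
        ch.consumed = True
        del self._pending[code]
        self.authenticated[ch.username] = True
        return True


def demo() -> bool:
    """Constructed scenario: one registered user, one wrong sender, one right sender."""
    clock = [1_000.0]
    verifier = TextKeyStyleVerifier({"alice": "+15551230001"}, now=lambda: clock[0])
    code = verifier.issue_challenge("alice")        # site displays this to alice
    attacker_ok = verifier.inbound_sms("+15559999999", code)   # same code, other phone
    alice_ok = verifier.inbound_sms("+15551230001", code)      # registered phone
    replay_ok = verifier.inbound_sms("+15551230001", code)     # second use of same code
    return (not attacker_ok) and alice_ok and (not replay_ok)


if __name__ == "__main__":
    print("demo passed" if demo() else "demo failed")
```

Note that the verifier never sees an IMEI, MEID or ICCID: a gateway delivers a sender number (or whatever identifier the carrier chooses to pass along), and anyone who can originate a message that the carrier attributes to the registered phone passes the check. That is why the question's point about SIM cloning or spoofing applies unchanged to this direction of the protocol.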

2 Answers

3

I am the CEO of TextPower and wanted to address your question directly. Thanks for taking the time to put together a thoughtful query.

I think that you have to step back and look at the bigger picture here. TextPower's 2FA product TextKey works on the basis that you have to have physical possession of the phone, including the SIM card in it to authenticate properly. If you physically possess more than one phone, you can use any one of them, but only the one that is registered with TextPower can be used to authenticate using the TextKey 2FA. If you have a phone with a replaceable SIM card (standard GSM phones such as those found on AT&T or T-Mobile) you can move that SIM card around to multiple devices that have replaceable SIM cards. That is because you are in physical possession of the SIM card that carries the UDID that the phone uses to communicate with the network. Note that the phone number DOES NOT appear in the SIM card. Only the UDID identifies the physical phone. The UDID is a really long unique number and is what the carrier sees when a call or SMS goes through their system - they don't "see" the phone number.

So, could you clone a SIM from a phone and then use it? In theory, yes, but in practice that is extremely difficult to do and highly impractical (and improbable) from a hacking standpoint. Why? Because to clone a SIM you would have to steal someone's phone, remove the SIM card and then have access to a burner that could make a SIM card. You'd have to have a supply of blank SIM cards. By the time you got that done, the owner would probably report the phone as stolen and their carrier would invalidate the UDID, rendering your stolen SIM card useless except for providing a marvelous way for the police to track and arrest you. (The number of criminals arrested in this manner is now relatively large.) The owner of the stolen phone/SIM card could also stop you by simply un-registering their phone with TextPower.

Furthermore you might think that you could steal someone's SIM card, clone it and then replace it in the original device without the owner's knowledge. Unfortunately what happens in that case is that besides all the problems listed in the above paragraph, you will have created a couple of other problems. (Of course you first have to manage to steal the device, clone the SIM card AND replace it without the owner's knowledge - no easy task - but we'll let that go for now.) The additional problem which you've created in this situation is that if the original device that you managed to steal and return was powered up when you powered up your device with the stolen/cloned SIM card, it would fail network registration because of the duplicate UDID (yes, carriers watch this stuff - very closely). If your stolen device was powered up first then the real owner of the SIM card could not register their device. They would likely report this quickly to their carrier who would discover the duplicate UDID and then invalidate it.

Is TextKey absolutely un-hackable? We certainly wouldn't say that. Like any authentication scheme, there are theoretical ways to break it. In practice however, the ways to break it are way out of the range of anyone with less than huge resources and the willingness to use significant thievery and take considerable risk. That's why, while we don't promote TextKey as being "un-hackable" we do think that it is more secure than other 2FA methods, particularly those that use a mobile-terminated SMS where a code is sent to the phone, thus opening the authentication process to a MITM/MITB browser attack on the website in question.

I hope that this answers your question clearly. I am happy to address any more detailed questions or concerns you may have and do sincerely appreciate your interest.

scott721
  • 31
  • 1
0

Reading through their site it seems they have partnerships with phone carriers that identify SMS senders (so I assume you send a text instead of receiving theirs) based on a unique ID bound to their SIM (most likely the ICCID) to get around caller ID spoofing.

This is more secure than sending a normal text (where anyone spoofing the number would be authenticated) but is still insecure, as GSM flaws would allow anyone in close range to the handset to spoof it (and it would be invisible to the eyes of the carrier, so the UUID would be the same).

Not to mention carrier vulnerabilities, as this system is completely based on trusting the carrier not to lie. I've worked for one and seen what happens behind the scenes; it isn't pretty and I wouldn't be surprised if there was already malware installed on some critical machines that have administrative access to the network equipment. Corrupt employees could easily break this system as well.

Why go through all this trouble when we already have a rock-solid method available? Besides the (in)security aspect of it, this has the disadvantage of requiring a network connection, and the users need to be subscribers of a partner carrier and connected to their network - it wouldn't work for people living abroad or travelling.

André Borie
  • 12,736
  • 3
  • 40
  • 76