Researchers discovered a flaw that allowed attackers to impersonate trusted contacts in text message conversations on both Android and iPhone devices.
The vulnerability affected all major U.S. wireless carriers, including Verizon, T-Mobile and Google Fi, as well as messaging apps on Apple and Google smartphones.
Carriers and smartphone makers have now patched the flaw after working with researchers at the University of California, San Diego.
A security flaw that allowed attackers to impersonate trusted contacts in text message conversations has been patched after researchers at the University of California, San Diego, uncovered the vulnerability and worked with carriers and smartphone makers to fix it.
The flaw affected both Android and iPhone devices and could be exploited across major wireless carriers, including Verizon, T-Mobile and Google Fi, as well as smaller operators such as Mint Mobile.
Researchers said the vulnerability stemmed from a little-known feature that allows emails to be delivered as text messages. While the capability was introduced by carriers more than two decades ago to help popularize texting, the translation between email and text message formats created opportunities for attackers to disguise their identities.
Design problem
"Email and text messaging weren't designed to work together," said Stefan Savage, a professor of computer science and engineering at UC San Diego and one of the study's senior authors. "It's a little bit like reading postcards to someone over the phone and needing to figure out where the sender and recipient information and the message itself are."
According to the researchers, attackers could exploit inconsistencies in the way email information is converted into text messages. By using special characters and formatting tricks, bad actors could make messages appear to come from someone already stored in a victim's contact list.
In some cases, the researchers were able to inject fraudulent messages directly into existing text conversations with known contacts, increasing the likelihood that recipients would trust the messages.
The attack did have limits. While attackers could send convincing messages that appeared to come from trusted contacts, they could not intercept or view replies sent by victims.
"There are no standards for converting emails to texts and that opens the door to all sorts of vulnerabilities," said Sumanth Rao, a UC San Diego doctoral student and the paper's lead author.
Carriers’ response
The researchers disclosed the vulnerability to carriers and technology companies, which subsequently implemented fixes. Verizon, T-Mobile and Google modified the way email address information is translated into text messages to prevent the impersonation technique.
Google also patched the vulnerability in Google Messages, while Apple addressed the issue in its Messages app for iPhones.
Verizon is taking an additional step by eliminating the ability for customers to send text messages via email, a process the company expects to complete by March 2027.
The findings raise broader questions about the security of traditional text messaging, which many consumers continue to use for personal and business communications.
Dangerous miscalculation
"The whole ecosystem of cellular communication is built on the assumption that the system that transports text messages from phone to phone, or email to phone, is reliable and robust," the researchers wrote. "That is not the case."
Savage said consumers often assume that a text message's displayed sender accurately reflects who sent it.
"People don't realize that there's no guarantee that text messages have integrity," he said. "You can't count on authenticity."
The researchers presented their findings at the IEEE Symposium on Security and Privacy in San Francisco.
