Texting is essential to getting things done, whether for personal conversations, business communications, or even receiving critical information like two-factor authentication codes to complete banking transactions. Since we rely so heavily on text messages, it raises the question of whether they can be hacked. I explore the realities of text message hacking and what you can do to safeguard your messages.
It's important to note that this guidance is targeted to U.S.-based text message users. In countries where older 2G or 3G networks are still in use, where the government has direct control over cell phone carriers, or where citizens have less legal protection for civil or human rights, all bets are off when it comes to the privacy of your text messages.
The reality of text message hacking
Text message hacking, also known as SMS interception, is a real concern (Dekra has a great primer on SMS security). However, it’s essential to understand that while it exists, it’s not as prevalent as other forms of cyberattacks. Text message hacking typically involves one of the following methods:
Intercepting messages through cell network systems
As you send a text, it travels through various networks, making it susceptible to interception at any point along the way. For instance, governments have been known to use Stingray devices that simulate cell phone towers and force cell phones to connect to it rather than a real cell tower, enabling the Stingray operator to monitor any texts that are passed through it. However, Stingray and similar devices won't work against modern 5G phones.
Another interception technique takes advances of the Signaling System No 7 (SS7) vulnerability found in 2G and 3G networks to intercept texts. In the U.S., the major carriers have shut down their 3G services.
In some cases, hackers gain access to text messages by convincing your cellular provider to swap your SIM card info to a different phone. SIM swapping effectively transfers your phone number and text messages to the hacker’s device. Access to your text messages means the hacker can receive two-factor authentication codes for your financial accounts, corporate logins, and other sensitive account information. SIM swapping has been frequently implicated in cryptocurrency thefts.
If someone has access to your device to install an app, they can install spyware capable of monitoring your text messages. Apps marketed as parental monitoring tools are available through Google Play and the Apple App Store. Any apps downloaded through these stores cannot be hidden on your device and can be spotted in your list of installed apps. There are other spyware apps available from third-party sources that are designed to be nearly undetectable on your device.
If you are a government official, political activist, or journalist, you could be a target of the NSO Group’s Pegasus spyware. Pegasus can be installed remotely and, once installed, there are no obvious signs that the phone has been hacked. However, Pegasus is very expensive and only licensed to government agencies, so it is very unlikely to be used to target the average person.
Spoofing sender information
SMS spoofing is a technique where hackers manipulate the sender’s information to make a text message appear to be from a legitimate source. If someone is spoofing your information to prey on others, you may think you’ve been hacked when you hear from someone who has received a spoofed text message. The good news is your actual text messages are still safe. And for most people, the hacker will move on to another number to spoof within a few days or weeks. In the meantime, you can notify your friends and family, and if the problem persists, you may have to change your number.
How to keep your text messages safe
While you can't prevent all of the potential attacks listed above, here are six practical steps you can take to enhance the security of your text messages.
1. Use encrypted messaging apps
While using your iPhone or Android phone’s Messages app is easier, you can’t count on your Messages app to encrypt your text messages end-to-end. iMessages are only encrypted between iPhone users, and Google RCS texts are only encrypted between Google Messages users. Since these messages rely on data, your message will be sent as a regular text message when data services aren’t available. So consider using end-to-end encrypted messaging apps like Signal, WhatsApp, or Telegram for sensitive conversations, ensuring that only you and the recipient can access the message content.
2. Regularly update your phone
Keeping your phone’s operating system and apps up to date is essential. These updates often include security patches that address vulnerabilities that hackers might exploit, and can prevent or undo iPhone jailbreaking.
3. Enable two-factor authentication (2FA)
Enable 2FA for your Apple ID and Google accounts and, whenever possible, for your mobile messaging apps. This adds an extra layer of security, requiring your password and another form of identification – a one-time code sent to your phone, biometric data, or an authenticator app code – to access your account.
4. Secure your mobile device
Protect your phone with a strong PIN, password, fingerprint, or facial recognition. This provides an additional barrier against unauthorized access to your text messages if your device is lost or stolen. If you are concerned someone close to you may try to use your biometric login without your consent (e.g., your fingerprint while you are sleeping), stick with PIN codes.
5. Monitor your accounts
Keep a vigilant eye on your cellular provider account and report any suspicious activity immediately. Unusual charges, SIM card swaps, or unauthorized access should be investigated promptly.
6. Be skeptical of unsolicited texts
If you receive unexpected texts from unknown sources, exercise caution. Don’t respond to messages that seem suspicious or request sensitive information.
Risks of backing up text messages to iCloud or Google
While backing up your text messages to cloud services like iCloud (for Apple devices) or Google Drive (for Android devices) offers convenience and a sense of security, there are associated risks to consider:
When you back up text messages to the cloud, you entrust your data to a third-party provider. While major providers like Apple and Google employ robust security measures, there is always a potential risk of unauthorized access to your cloud-stored messages – especially if someone has your username and password. Make sure your accounts are secured with strong, unique passwords and two-factor authentication.
Cloud services are not immune to data breaches. In the past, there have been instances of cloud providers experiencing breaches, leading to the exposure of user data, including text messages. I trust that Apple and Google's security and encryption methods are strong enough to make this a very low risk.
In some cases, law enforcement agencies may request access to your cloud-stored data, including text messages. While this is typically subject to legal processes and oversight, it is essential to be aware that such access is possible.
While text message hacking is a genuine concern, the risks for the average person are low if they remain vigilant. So, follow the preventative steps I outlined above to keep your text messages safe.
[Image credit: Text message hacking concept via BigStockPhoto]