'You've got the old cheeky Corona': Ireland's pandemic advice SMS service can be spoofed, warns researcher

2020-10-12 16:21

Ireland's efforts to keep residents informed about coronavirus has fallen foul of the same basic SMS vulnerability that one of their British neighbours experienced back in March.

Lulzsec-bod-turned-security-consultant Jake Davis reckoned the Irish government is using an SMS sender name that is vulnerable to spoofing - a process that is simple and straightforward, not that we're going to explain how it's done.

As he related it: "Now, when Darren said to me 'hang on, can you try sending me a cheeky spoofed text from this sender?' my immediate thought was that there's no way this will work using basic SMS tricks."

Calling for authorities in the UK to invest in mass-message cell broadcast technology, Davis also urged governments in general to "Liaise with known SMS API providers and local mobile carriers beforehand to make them aware of which names/numbers they'll be sending important texts from" and block those sender names and numbers from being used by others.

Standard anti-phishing advice is not to click links or dial numbers included in unsolicited messages, advice that still stands today despite the desperation of UK government and the NHS to broadcast public health messages using these very techniques.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/10/12/ireland_covid_advice_sms_spoofable/

#ireland #researcher