quote:

Originally posted by HRK:
The real issue is that they broke into peoples personal devices, it doesn't matter if you have national secrets or just text about the grandkids and what you need from the grocery...

Actually "they" did not do anything of the kind. What they did was break into the mobile provider's servers that handle these device-to-device communications. Messages/calls/etc. do not go directly from device to device via some kind of circuit. They use store and forward techniques adn are passed through multiple devices in transit, some owned by you, some owned by your provider, and some (e.g. Internet core routers) owned by unknown parties (and not the same ones every time, even during a single call).

quote:

Originally posted by sreding:

quote:

Originally posted by SigJacket:
... The biggest reason why this is important has nothing to do with Android-iPhone communications.

It’s MFA tokens. “Send a code to this number” after login.

the exposure is Apple to Android communication right?

Kind of, but not really.

It's only Apple<->Android because Apple uses iMessage and Android uses RCS.

More accurate to say it's any platform<->any platform that doesn't share the same encryption standard, thus necessitating decryption->plain text->re-encryption somewhere in the pipeline.

quote:

Originally posted by sreding:
MFA tokens aren't sent between devices ...

Anything sent through the compromised TelCom system via SMS is vulnerable.

But... capturing just a time-limited authentication token isn't necessarily a big deal.

If I'm logging in to a site that sends me a 2FA token via SMS, that token will only be good for that particular login session, which I've established via username/password authentication. Unless they're also executing a man-in-the-middle (MitM) attack against that login session, that token will be worthless to them.

quote:

Originally posted by ensigmatic:
[

quote:

Originally posted by sreding:
MFA tokens aren't sent between devices ...

Anything sent through the compromised TelCom system via SMS is vulnerable.

But... capturing just a time-limited authentication token isn't necessarily a big deal.

If I'm logging in to a site that sends me a 2FA token via SMS, that token will only be good for that particular login session, which I've established via username/password authentication. Unless they're also executing a man-in-the-middle (MitM) attack against that login session, that token will be worthless to them.

Agreed that there is a limited time value to that token, and random token discovery has little value other than perhaps finding what entity sent it. If it’s all interesting enough ( entity and receiver ) then I might be interested in targeting other things. I would expect really interesting organizations that the CCP are interested in aren’t using SMS shipped one time tokens.

I’d say most of us here are not necessarily that interesting. Well, I am, at least that’s what I tell myself.

Ensigmatic, welcome back! I was thinking of you the other day when I read an article about the MS Visual Studio Code development application having a few gaping security holes in it. Back to your article this little problem can be a big deal. I wrote an application for the organization I work for that sends out texts to needed parties that warns us of off hours processes completion, failure, or failure to run. We stopped that a couple of weeks ago. Now we need to log on to our VMs at work via a laptop and read the output logs. Arggghhhh As far as my personal texts, they don't exist. I don't read other people's (very few) and I never initiate a chain.

Thoughts on how these options (including google messaging) compare and contrast to using whatsapp?

quote:

Originally posted by ChuckFinley:
Thoughts on how these options (including google messaging) compare and contrast to using whatsapp?

WhatsApp is owned by Meta--the same people that own FaceBook. I don't trust anything Meta any further than I can throw them.

That being said: WhatsApp uses the same E2EE (end-to-end encryption) protocol Signal (Private Messenger) uses, so theoretically it should be every bit as secure as Signal.

But, again: Meta. Do not trust.

Other than that, there's this:


Apologies for the size. I tried down-sizing it, but the text became illegible.

Don't know anything about Google Messages. Hardly trust Alphabet (Google's owners) any more than I do Meta. (See, for example: YouTube is pulling my firearms content. YouTube is also owned by Alphabet.)

Very helpful, thank you.