Mobile messaging has been making headlines all year round with the emergence of newer messaging over the top platforms like iMessage and WhatsApp that are more secure and offer far richer features not available on SMS. However, SMS messaging is getting its biggest shake-up ever with the arrival of a more productive and updated platform, the RCS. Surprisingly, a new report warns that SMS security vulnerabilities are not addressed that out places billions of users at severe risks.

For the uninitiated, Rich Communication Services or RCS is the answer of mobile networks to over the top (OTT) platforms that steals the traffic away from SMS text messaging. It is the answer, particularly for Android users, to the stickiness of iMessage from Apple’s hybrid platform. RCS could introduce the fastest adoption by a messaging technology with countless devices activated.

Apple's AirTag is expected to allow users to locate lost items using the Find My app. Adrianna Calvo/

The only drawback of RCS is that it does not have the end to end encryption, unlike popular OTT platforms. The system remains rooted in the GSM’s man in the middle architecture. Cybersecurity researchers at SRLabs in Germany report that the provisioning process for activating RCS functionality on a smartphone, in several networks, is poorly protected. Because of this, hackers can fully take over user accounts.

Android Messages, which is the most popular client of RCS, does not use sufficient certificate and domain validation. As a result, hackers can intercept and manipulate communication by way of a DNS spoofing attack, SRLabs reports. Caller impersonation or caller ID spoofing, which is a long-time challenge for SMS and resolved on better OTT platforms, is one of the risks of RCS, the cybersecurity form points out.

Additionally, data interception and location tracking, as well as security codes lifting to authorize fraudulent bank transactions or completely take over of email accounts, are also potential RCS risks. Moreover, codes that validate the RCS user can be brute-forced while running the risk that malicious apps can lift the RCS config file developing a new attack vector that can be exploited.

With the risks involved, it seems impractical and risky to deploy a new text messaging standard that inherits core vulnerabilities from the tech it is replacing.