Phone numbers are not secure, as Jack Dorsey has found out the hard way. Assailants were able to gain access to his phone number and then used that access remotely to take control of his Twitter account.
First Published 4th September 2019
Jack lets everyone know "what's happening."
4 min read | Reflare Research Team
Over the weekend, Jack Dorsey - the CEO of Twitter - saw his account tweet out highly offensive messages. These messages were not sent by Mr. Dorsey but by attackers who had temporarily gained access to the account. In this briefing, we will take a look at how the attack happened, the insecurity of phone numbers, and the limits of end-user cyber security.
How did the hack happen?
While most users interact with Twitter through its mobile apps or website, the service also allows users to send tweets via SMS. This is a leftover feature of the early days of the service when many users did not yet have smartphones. The attackers tricked a mobile carrier into re-assigning Mr. Dorsey’s phone number to a phone they controlled.
Phone carriers have such powers since they are the sole authority on who owns what number. It is also quite common to move a number to a new device - for example when switching carriers, moving houses or shifting a phone system to virtual infrastructure. Unfortunately, this procedure is ultimately controlled by customer support agents.
If an attacker can fool, bribe or threaten them into re-assigning the phone number, then they gain control. Just such an attack seems to have happened in this case. With control over Mr. Dorsey’s phone number, the attackers proceeded to use Twitter's phone API to tweet the offensive messages.
The lingering issue of phone security
Tying cyber security to phone numbers is nothing new. One could rather say, it is outdated. From the early days of mass phone usage, some services - such as banks, offices or government agencies - have used phone numbers to partially or fully authenticate users.
However, the phone system has absolutely no safeguards in place that would make it suitable for such trust. While phones were connected to landlines, attacks were limited to abuses of control tones such as Phreaking. With the proliferation of the internet, mobile phones and generally virtual phone infrastructure, much more insidious attacks - like the one described here - become possible. To put it succinctly, when we rely on phone numbers for security, we are attempting to secure 2019 technology with 1897 systems. This is - quite obviously - a bad idea.