More issues with spoofed texts and COVID-19: Ireland edition

Six months after the UK government sent out a mass text from "UK_Gov" to millions of people, resulting in countless phishing attempts and scams, another SMS player enters the game: "gov ie"


Back in March I wrote a blog post explaining various security issues surrounding the UK government's use of nationwide SMS alerts for COVID-19, essentially concluding that using this channel of communication for global alerts/notifications is a very bad idea.


Many other countries have superior emergency alert systems in place (e.g. Cell Broadcast) and the UK simply doesn't. We have nothing decent. This is due to years of various departments ignoring and at times completely rejecting much-needed infrastructure upgrades.


In June, I updated my blog post to cover identical issues that arose regarding fake NHS contact tracing scams, which were being used to target vulnerable individuals.


The tl;dr is that basic spoofing was the issue at hand, and the quickest partial solution involved large SMS gateway providers independently blocking names such as "UK_Gov" and "NHS" from being used as custom senders on their platform.


Obviously this doesn't neutralise the overall spoofing issue - short of nuking the entire protocol from orbit, nothing can fully work - but it does stop your average scammer who wouldn't have the technical chops to find another method. It reduces the number of malicious texts significantly, making the best of a poor situation.


I ended my post with the criticism that, if SMS was truly considered our best and only option at the time, why did nobody in government simply approach these SMS gateway providers beforehand and say "hey, we're going to be asking the big mobile carriers to send every single citizen a text from UK_Gov next week, can you block that from being used as a sender name please".


Thankfully since then the UK has moved on to using the more agreeable NHS COVID-19 app, plus a reasonably secure WhatsApp bot for pandemic information. The government doesn't seem to be sending any more insecure text messages. This is good.


But as we all know, you can't stop the signal. So as we move into October and the grim prospect of a second lockdown draws closer, I direct your gaze toward part 2 of Impersonating The Government:


Impersonating The Irish Government


I was chatting with my talented friend and colleague Darren Martyn one afternoon and he was describing the COVID-19 situation when flying into Ireland: anyone arriving must give their details for contact tracing and then show immigration staff an email confirming they've done so. Fairly standard and responsible stuff.


A text is then received from "gov ie" which says "If you have symptoms of COVID-19 while in Ireland, please contact a doctor or call 1850 24 1850. For public health advice visit www.hse.ie".


So what we have here is an automated SMS coming from a place of trusted authority that contains links for people to click and numbers for people to call. Presumably this text goes to every single person passing through Irish immigration and submitting their personal details.


Now, when Darren said to me "hang on, can you try sending me a cheeky spoofed text from this sender?" my immediate thought was that there's no way this will work using basic SMS tricks. Surely the "gov ie" sender name must be banned/blocked by the top API/gateway providers.


Somebody must have tried to reign in this basic scammer nonsense after seeing what happened with the UK_Gov COVID-19 texts months ago.


Nope.



Just like the UK_Gov test back in March, we instantly have a fake message planted right in the same thread as the real "gov ie" sender. It's safe to say that a victim would very much believe anything contained within these particular fake messages if they were crafted convincingly. After all, what's not to believe? They appear to come straight from the same trusted government source.


The Copy And Pasted Solution From Part 1


The immediate solution offered in my original post was don't use SMS at all. Trust and reliability must be established when sending these important COVID-19 communications from a position of authority, and SMS is inherently untrustworthy and trivially exploitable even by non-technical individuals.


Implement a Cell Broadcast system instead like many other countries already have. It's faster, cheaper, and reaches 99% of phones in a secure and reliable fashion. While not invincible (nothing truly is over a large enough period of time), script kiddies can't abuse it with 30 seconds of effort.


If SMS must be used due to no other available options, governments should liaise with known SMS API providers and local mobile carriers beforehand to make them aware of which names/numbers they'll be sending important texts from. The bulk of low level scams can be wiped out if these companies take steps to block/ban inputs like "UK_Gov" and "gov ie" from being used as a sender.


There are still ways around these blocks, they're just more difficult to execute en masse without going through a solid gateway provider, and the average petty scammer will probably struggle to make anything work reliably using their own custom infrastructure.


My advice for concerned citizens: don't instinctively trust anything that comes through as a text, even if it appears to originate from a government source. Triple check the links and phone numbers before clicking or calling anything. When in doubt, show someone else the text so they can also try to verify its authenticity.


As it stands, the UK government COVID-19 WhatsApp bot and the NHS COVID-19 app are two decent sources of information for the UK, as is the COVID TRACKER app for Ireland. Things have improved since the start of the pandemic in terms of secure communications, but ultimately we should seek to eradicate these dodgy bulk SMS messages.