Everyone is isolated at home and more people than ever are vulnerable to fake information. Now the UK government has handed low-level scammers a perfect opportunity to exploit more victims.
Update, 2nd June 2020: Fresh concerns have been raised over similar methods being used for COVID-19 contact tracing. Everything written below about the nationwide quarantine alert text sadly applies to this new scheme as well. Texts using the NHS sender name have always been spoofable, but now that people are primed to receive them we will probably see an enormous surge in malicious texts and calls.
Please take extra care with any communication that appears to come from an official source. If someone phones you, make them fully prove who they are before discussing anything sensitive, or hang up and call back on a number taken from the official website rather than one they give you.
Original post, March 25th 2020:
On March 24th, most people in the UK likely received a text from "UK_Gov" advising everybody to stay at home and linking to the latest COVID-19 isolation rules. The government did not send it itself: it asked the country's biggest mobile carriers to send the text on its behalf.
The most logical question in response to that is "why doesn't the government have its own system in place?". The answer is mundane: they trialled various things years ago and have been arguing over it ever since, resulting in no actual progress and forcing them last week to approach the telecoms giants for a quick solution.
Our closest allies have far superior systems in place, usually built on Cell Broadcast. Most phones ship with "Amber Alert" style settings on by default, meaning an alert can be pushed directly to every handset in range of a cell tower in an emergency. The Netherlands first trialled this in 2010 and has used it successfully since 2012, including during the current COVID-19 outbreak, reaching almost the entire population within seconds over a platform that is acceptably secure and reliable.
I won't go into detail about the nuances of various emergency alert systems because this post is focused on the issues with basic SMS, but Cell Broadcast, for example, is faster, more effective and more secure: the network broadcasts one message to every handset in a cell rather than queuing an individual SMS for each subscriber, so it doesn't compete with ordinary traffic on already congested networks, and an alert can't be injected through a commercial SMS API with a chosen sender name.
That congestion is why people across the UK received the text at different times throughout the day: the messages went through the ordinary SMS path rather than any bespoke channel, so they couldn't all be delivered at once. Anecdotal data suggests that many people still haven't received any text.
On top of all that, the message itself is practically indistinguishable from any other random text, real or faked.
The Spoofing Problem
Moving out of the current situation briefly, sending texts is just a bad idea in general when it comes to security. Last year I made a half-joking half-serious tier list of secure communication methods. SMS sits right at the bottom.
The reason for this, interception aside (which is doable at a civilian level), is that the sender address on a text is not authenticated anywhere along the path, so any text can appear to come from anyone. For example, if you have the mobile numbers of two friends, it's extremely simple to make them text each other, with the fake messages appearing in the same thread as the real ones.
This is because the receiving phone files a message under whichever contact matches its sender address, which is a sensible default. All a scammer or phisher has to do is spin up their chosen method of text spoofing (I'm not going to link anything here, for obvious reasons), set Friend 1's number as the sender and Friend 2's number as the recipient. Friend 2 then receives a text that appears to come from Friend 1 and is, as far as the handset can tell, exactly as legitimate as any other text they have ever received.
There is no guaranteed fix for this, because the flaw is inherent in protocols that are decades old and still universally deployed. There are various techniques, blacklists and filters that stop some forms of spoofing (operators and gateways can refuse sender addresses their customers don't own, for example), but that is a different issue entirely and one that deserves a serious deep dive.
I'm not going to discuss that here as it's too detached from the main point, so let's get right into the meat of the situation...
Impersonating The Government
You might now be thinking that UK_Gov is not a number but a name, so how can that be faked? It's barely an inconvenience. SMS allows an alphanumeric sender ID of up to 11 characters in place of a number, and gateways let the submitter set it, so you simply type "UK_Gov" where the digits would go. Strings are strings.
Here's an example of a spoofed text I sent a friend to highlight the issue. The first text is the real UK government, the second one is mine. Same thread, no difference.
We've all heard of groups that steal iPhones from people on the street; later, one of the victim's close contacts receives a text from "Apple" claiming the phone has been found, prompting them to enter their Apple ID and password via a malicious link.
Or you may have recently received a text from something like "COVID19" offering you free advice. These are mildly annoying opportunistic scams, on the same level as emails claiming you've inherited a fortune from a long-lost relative who happens to be a prince.
The people behind these aren't exactly hackers; they're low-level scammers, which tells you how easy this method is. In fact I'd say this is a schoolyard-prank level of exploit, available to anyone and requiring no technical prowess whatsoever.
And yet the UK government has been forced to enter this trivially exploitable realm of communication to send an alert message to the entire country during a global pandemic, all because it hasn't reached an agreement on an actual emergency alert system. Something many other countries have had in place for years.
We don't need to try hard to imagine what phishers/trolls/scammers could do with this opportunity. From fake government website links to fake medical advice to - and perhaps this one is a stretch but still technically doable - queuing up as many texts as possible and telling large portions of London that a vaccine is available at a specific location at a specific time.
These messages wouldn't come from some mysterious "COVID19" number never seen before, they would come straight from a legitimate government source that has previously delivered real information.
Indeed, a well-funded adversary could theoretically abuse the UK_Gov text to their advantage through millions of spoofed texts. That's probably not going to happen, but as someone that works around the field of security I tend to ponder on these potential scenarios, even if they're extremely unlikely.
But outside of large hypothetical threats it's mostly just embarrassing. It's embarrassing that any random person who searches for "SMS spoofing" can essentially become the UK government with no immediate way for the victim to tell the difference.
Luckily a number of SMS API providers have now blacklisted "UK_Gov" as a sender, which wipes out the bulk of the potential scams. The caveat is that such blocks are applied per provider and, unless the provider normalises the sender field, match the exact string only: "UKGov", "UK-Gov" or "UK_G0v" may still go through and look near-identical on a phone screen, though they would land in a separate thread. Or, if you'd prefer a more realistic conclusion, it means that only people prepared to try a lot harder can still make it work, and those tend to be the types with some finesse who don't usually go after random vulnerable people.
This is a good step, albeit a reaction after the fact to an already flawed setup. Why didn't the team behind the UK_Gov text approach these SMS gateway providers beforehand and have the name blocked before sending a message to millions of people? Although now I'm just nitpicking and making assumptions. For all I know it could have been delivered internally as official advice, laughed at, and ignored.
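To make the two points above concrete (the sender field is just a string the gateway can accept or refuse, and a block on the exact string "UK_Gov" alone is easy to sidestep), here is an added example of the kind of sender-ID screening an SMS gateway could run on outbound submissions. It is not code from this post and not any real provider's implementation; the reserved names, the normalisation rules, the `classify_sender_id` function and the sample submissions are all assumptions for the illustration.

```python
"""
Sender-ID screening of the kind an SMS gateway could apply to outbound
submissions. Added illustration: not code from the original post and not any
real provider's implementation. The reserved names, normalisation rules and
sample submissions below are assumptions.
"""
import re

# GSM 03.40 allows an alphanumeric originating address of at most 11 characters
# from the GSM 7-bit alphabet. Only the plain Latin subset is accepted here
# (assumption for the example; the real alphabet has more symbols).
GSM_ALNUM_SENDER = re.compile(r"[A-Za-z0-9 _.\-]{1,11}")
NUMERIC_SENDER = re.compile(r"\+?\d{3,15}")

# Names that only their owners should be able to send as (assumed list).
RESERVED_SENDER_IDS = {"UK_Gov", "GOV.UK", "NHS", "HMRC"}

# Digit-for-letter swaps commonly used to slip past an exact-string match.
_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise_sender_id(sender: str) -> str:
    """Fold case, separators and look-alike digits so that "UK_Gov",
    "ukgov" and "UK-G0V" all compare equal."""
    folded = sender.strip().translate(_LOOKALIKES).lower()
    return re.sub(r"[^a-z0-9]", "", folded)


_RESERVED_NORMALISED = {normalise_sender_id(s) for s in RESERVED_SENDER_IDS}


def classify_sender_id(sender: str, account_is_verified_owner: bool = False) -> str:
    """Return "accept", "review" or "reject" for a requested sender ID.

    account_is_verified_owner models the gateway having confirmed out of band
    that the submitting account really is the body behind a reserved name.
    """
    if NUMERIC_SENDER.fullmatch(sender):
        # A numeric originator can be spoofed just as easily (the Friend 1 /
        # Friend 2 case above); proving ownership of a number is a separate
        # check that is not modelled here.
        return "accept"
    if not GSM_ALNUM_SENDER.fullmatch(sender):
        return "reject"  # not a valid alphanumeric sender ID at all
    normalised = normalise_sender_id(sender)
    if normalised in _RESERVED_NORMALISED:
        return "accept" if account_is_verified_owner else "reject"
    if any(reserved in normalised for reserved in _RESERVED_NORMALISED):
        return "review"  # e.g. "NHSCovid" embeds a reserved name: needs a human look
    return "accept"


def screen_batch(submissions):
    """Run the policy over (sender, verified_owner) pairs; return [(sender, decision)]."""
    return [(sender, classify_sender_id(sender, verified)) for sender, verified in submissions]


if __name__ == "__main__":
    # Constructed sample submissions, not real traffic.
    SAMPLE = [
        ("UK_Gov", False),           # the exact name: blocked
        ("UK-G0V", False),           # look-alike that beats an exact-string block
        ("UK_Gov", True),            # the genuine owner: allowed
        ("NHSCovid", False),         # embeds a reserved name: review
        ("COVID19", False),          # generic opportunistic sender: this rule allows it
        ("+447700900123", False),    # numeric originator, not policed here
        ("ThisIsTooLongForSMS", False),  # over 11 characters: invalid
    ]
    for sender, decision in screen_batch(SAMPLE):
        print(f"{sender!r:>24} -> {decision}")
```

Run it and it prints a decision per submission. The line to take away is the second one: a provider comparing the raw string would let "UK-G0V" through, while comparing the normalised form rejects it. Whether any given provider does this is unknown from the outside, which is why the blacklist is a mitigation rather than a fix.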
Unfortunately, when it comes to secure design principles, failing to anticipate the threat and ignoring advice usually results in big problems, such as entering a nationwide lockdown with no real alert system in place.
The point is the UK government shouldn't be using this method to begin with. Let's move away from it. Let's learn from some of our allies and adopt their clearly better solutions.
I would urge the UK government to revisit their old trials and reviews of emergency alert infrastructure and work to get something better in place. Let's use this as an opportunity to turn a chain of poor decisions into a positive future scenario.