65

Both the sender and the receiver deleted the text after it was sent, but is it still possible that it exists somewhere and that someone can get to it?

Philipp
Rachel
  • 4
    You forgot to consider that recent smartphones show part of the message on the notification bar. If the user lends the cellphone to someone to send an SMS/MMS/play a game/etc..., he might see it and your security is done. There may also be a virus on the cellphone that reads and sends a copy of the messages to another server. – Ismael Miguel Mar 12 '15 at 10:30
  • 35
    Be sure you don't confuse passwords with authentication codes such as the numbers Google sends by text message. An authentication code has a short lifetime, must be used with a separate password, and can be used only once. If you asked (separately) about authentication codes, you'd probably get slightly different answers from asking about passwords. – Bob Brown Mar 12 '15 at 11:16
  • 6
    How many apps do you have installed that can read your text messages? Can you guarantee that they don't cache any of them? – Reaces Mar 12 '15 at 11:51
  • 1
    Not to the government. However, there is TextSecure https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en. I've also created a KeePass database on a Google Drive to securely share passwords with my assistant. Of course the master password was sent insecurely :(. – Chloe Mar 12 '15 at 15:48
  • Messages can be trivially logged on carrier's servers. –  Mar 12 '15 at 20:48
  • 6
    Any website able to send your password in plain text to you, regardless of medium, should be avoided. Passwords should be hashed and salted. – James Mar 13 '15 at 16:00
  • It might be helpful to ask if it's insecure. :) – Rimian Mar 14 '15 at 06:55
  • "is it still possible that it exists somewhere and that someone can get to it?" It's not just possible, it's pretty much guaranteed. Everyone's heard about criminal cases where text message history is used as evidence against crooks. This is only possible because text messages ARE kept. – barbecue Mar 15 '15 at 17:04
  • I could only really see this being secure if the password that was texted was only valid for 60 seconds or something like that. – E.V.I.L. Mar 18 '15 at 19:58

5 Answers

106

It is absolutely not secure. Text messages function essentially the same way email does: your client (phone) forwards it to a server, which then looks up a destination which may be on another network (carrier) and then sends it over where it is held in a mailbox until a phone gets it.

Anywhere along the way it can be copied, retained longer than expected, etc. Lawful interception, unlawful interception, cloned phones, Google+ accounts, etc. are all ways a message can end up somewhere unexpected, and all that assumes you trust the phone and software on it.

Clear text is compromised text. Always.

Tan
Jeff Ferland
  • 4
    If the text message contains an authentication code and the supplier only allows it to be used once to perform some task, then anyone who intercepts the code would only be able to benefit from it if they did so before the authentic user. If the message given when someone tries to use a code that has recently been used states when the code was used, then someone whose code was intercepted and used inappropriately would find out about it, and could thus seek to take appropriate action. – supercat Mar 12 '15 at 17:10
  • 3
    @supercat True, but ultimately that is still after-the-fact mitigation. You're dealing with a security compromise that could/should have been avoided by using more secure communications channels and/or implementing other, more robust security enhancements. – Iszi Mar 12 '15 at 17:20
  • 2
    @supercat Also, the question here appears to not particularly be about a "one time code" case. It seems to be regarding password sharing between individuals. – Iszi Mar 12 '15 at 17:20
  • 13
    clear text *is* always compromised text, but note that the usual reason you send security credentials of any kind through text message is to get it "out of band" with the data being sent: i.e. the data is going over the wifi but the credentials are going over cell. Neither are secure, but the effort needed to compromise both communication bands is, of course, more than just one. – Adam Smith Mar 12 '15 at 18:23
  • 2
    Did you mean "Absolutely? No", or "Absolutely not"? – Spooky Mar 12 '15 at 18:32
  • @Iszi: Different protocols are appropriate under different threat models. From what I understand SMS messages may travel over at least some links in the clear, meaning someone could collect a bunch of them and periodically look through for something interesting. That could be a big problem for information that an adversary could use days or weeks after-the-fact, but not so much for information which would only be useful to an adversary who was looking for it *when it was sent*. – supercat Mar 12 '15 at 21:02
  • What if the password is only valid for 60 seconds? – E.V.I.L. Mar 18 '15 at 19:57
19

Sending the password through sms/texting was, as far as I can tell, originally intended to be used to ensure the password came in through a different medium than the encrypted file you were receiving the password for.

An encrypted file would be sent through email and the user would receive a plain-text sms on his phone with a password. This would necessitate a thief to steal both your laptop (or email inbox access) as well as your phone (or access to your phone's sms inbox) in order to have both file and password.

Currently, smartphones are often set to act as mailboxes too, which means that, even if you send it as a text message, you'll still have both key and encrypted message on the same device. If the phone is subsequently stolen, and the email still resides in the inbox that is accessible from the device, it will simply mean the thief has to also check your text messages sent around the same time and probably from the same contact for passwords if he wants to open it.

So while sending plain-text passwords was never secure, it has worked well enough in the past for us. The fact that we are still perpetuating this habit now that many of our phones are mobile email inboxes as well, though, is.. kind of worse, I guess?

spoorlezer
  • 5
    It doesn't protect from someone stealing (or compromising) your smartphone, but it protects from someone compromising the WiFi used for internet access but not the connection with the telecommunications operator. – Ángel Mar 12 '15 at 17:55
  • True. I felt that was already being addressed in the first answer, however, so didn't feel simply restating it would add much to my answer. – spoorlezer Mar 16 '15 at 08:47
11

'Secure' is not an absolute. It is a mistake to think in terms of things being secure or not secure. You need to evaluate the security in context - who are the users, what is the threat, what is the value of the thing being protected etc. What are all the controls in place? Is the text message the only bit of information required or is it just part of an authentication/authorisation chain?

Other responses have highlighted that normal SMS messages are very similar to email in that you don't have knowledge or control over what servers the message passes through and therefore, knowledge about how trustworthy the companies, sys admins etc are. You cannot know the level of government monitoring etc.

There are a number of recent news articles about failures in two step authentication which uses SMS messages to send an additional code which must be entered. Actually, this isn't strictly speaking two factor authentication, but rather two step authentication, but that is another story.

The common 'thread' in these hacks which have been able to defeat two step authentication has not been about the SMS message being intercepted or stolen in transit - it is actually much simpler and uses the easiest, low tech approach - social engineering. Basically, these systems have been bypassed simply by contacting the recipient's cell provider and convincing them, through various social engineering techniques, that they are the legitimate owner and need to have their number forwarded to a new phone - usually some burner phone. Once that is done, the SMS message is simply redirected to the bad guy's burner phone and it doesn't matter how secure or not the transport process is. This is why, if you are really concerned, you should opt for a solution which doesn't use SMS, preferring something like Google Authenticator running on your device. As usual, this is all a play off between convenience and level of threat. For many people, SMS may be sufficient, but for others who are more likely to be targeted, it is too high a risk and as mentioned by others, the purpose/type of the SMS message is also relevant - a full password which gives full access without any other information required is a much higher risk than a one time token with a limited lifetime/use which is only part of a chain of things which need to be used in order to get access.

Tim X
11

Here's an interesting summary of GSM encryption of text messages: How hard is it to intercept SMS (two-factor authentication)?

From what I understand, text messages are encrypted as they go through the air. The SIM card provides information to encrypt the message and the cell provider has the information necessary to decrypt it. (It recently came to light that the NSA had hacked into the databases of the manufacturer of around 90% of all SIM cards in the world, a company in the Netherlands called Gemalto, and snagged the data needed to decrypt text messages for all the SIM cards that the manufacturer had produced).

The service provider then does whatever they need to do to get the text message to its intended destination, and I have no idea if that involves encryption or not. It's different than e-mail in that text messages go through the networks of one or more service providers to be delivered and it is encrypted at its most vulnerable points when it is going through the air where anyone could conceivably intercept it.

Text messages are also different from e-mail in that they don't travel through the open Internet like e-mail where anyone could watch it go by. The service providers and governmental organizations like the NSA could easily get it by having a presence in the service provider's network, but your average malicious actor would be unlikely to be able to get inside the service provider's network. As long as you trust the service providers (both yours and the provider at the destination), you aren't afraid of governmental organizations taking your password, and you are pretty sure nobody else will be reading the receiver's phone, then I think sending a password via text is not a problem. It's a much different delivery mechanism than e-mails.

With iMessage (the standard text app) on the iPhone and iPad, the messages are encrypted securely all the way from sender to receiver. Messages are encrypted using the receiver's public key and can only be decrypted using the receiver's private key, which only the receiver has. I will note that it is theoretically possible for iMessage to also encrypt with a special public key that Apple or the NSA has access to so that these messages could also be read by them, but only the holder of the private key would be able to decrypt it. Apple claims it is not doing anything like this, so as long as you trust Apple, nobody can read those messages. The iMessage encryption functionality is only used when both the sender and receiver are using Apple products.

There are also guaranteed secure messaging products like Threema, where emphasis is on encryption that nobody but the receiver can decrypt, but that's overkill for sending passwords in my opinion.

One of the above posters is correct in that security is not a yes/no question. It's a spectrum from extremely insecure to very secure. Security for the truly paranoid is very difficult, so you just have to choose something that's good enough for you.

Hashim Aziz
Kevin Peter
1

No.

Above answers nailed it. There are ways to bluesnarf a cellphone if Bluetooth is left on--leaving your phone compromised. There are also ways to recover deleted texts, photos, data on a cellphone using FTK or any decent digital forensics tool if someone has physical access to the phone.

dtb_pen