The biggest issue with RCS prior to Google's benevolent rollout was the sheer volume of implementations. Every carrier had its own spin on the standard with proprietary seasoning on top, and few of the systems talked to one another. Beyond the practical limitations imposed on customers' cross-carrier communications, it turns out these customized versions are also exposing users to security vulnerabilities, based on details dug up by a cybersecurity firm in a recent report by Motherboard.
Full details will be revealed at the Black Hat Europe conference later this week, but the short version is that, while nothing is wrong with the base RCS standard, it leaves certain details undefined and up to the carriers. It's those parts that are prone to security issues. While carrier-specific vulnerabilities weren't labeled, security problems discovered by the researchers included too-short security keys for RCS message download paired with an unlimited number of tries to guess that key, and IP-defined RCS configuration files accessible to any app on a device, regardless of permissions. "Everybody seems to get it wrong right now, but in different ways," said Karsten Nohl, a representative from SRLabs, which discovered the issues.
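The download-key weakness described above, modeled as an added example (constructed for this article, not SRLabs' test code or any carrier's implementation; the policy values, class names and message ids are assumptions): a mock message-download check with the reported weak configuration beside a hardened one, plus the success probability a guesser gets under each.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a carrier-side "download this RCS message" check.
# Policy values, class and message ids are illustrative assumptions only.

@dataclass(frozen=True)
class DownloadKeyPolicy:
    digits: int        # key length in decimal digits; the report found keys too short
    max_attempts: int  # 0 means unlimited guessing, the other half of the reported flaw

WEAK = DownloadKeyPolicy(digits=4, max_attempts=0)       # short key, no attempt cap
HARDENED = DownloadKeyPolicy(digits=16, max_attempts=5)  # assumed hardened values

def brute_force_success_probability(policy: DownloadKeyPolicy) -> float:
    """Chance that a guesser using every allowed attempt hits a uniformly random key."""
    keyspace = 10 ** policy.digits
    if policy.max_attempts == 0:
        return 1.0                       # unlimited tries: exhaustion is only a matter of time
    return min(1.0, policy.max_attempts / keyspace)

@dataclass
class MessageStore:
    policy: DownloadKeyPolicy
    _messages: dict = field(default_factory=dict)  # message id -> (key, body)
    _failures: dict = field(default_factory=dict)  # message id -> failed attempts so far

    def store(self, msg_id: str, body: bytes) -> str:
        """Store a message and return the download key the recipient receives out of band."""
        key = "".join(secrets.choice("0123456789") for _ in range(self.policy.digits))
        self._messages[msg_id] = (key, body)
        self._failures[msg_id] = 0
        return key

    def download(self, msg_id: str, presented_key: str):
        """Return the body on a correct key, None otherwise; lock the message after max_attempts."""
        if msg_id not in self._messages:
            return None
        limit = self.policy.max_attempts
        if limit and self._failures[msg_id] >= limit:
            return None                  # locked: even the right key no longer works
        key, body = self._messages[msg_id]
        if hmac.compare_digest(key, presented_key):  # constant-time comparison
            return body
        self._failures[msg_id] += 1
        return None
```

Under WEAK the store keeps answering after any number of wrong keys, which is what makes a 4-digit key guessable; under HARDENED the fifth failure locks the message.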
Specific carriers were neither named nor shamed for their insecure implementations, and none of the four big American carriers provided any statements to Motherboard. When asked for comment, the GSM Association, which defines the RCS standards, said it's aware of the research conducted by SRLabs, but that the specific vulnerabilities were "previously known" and not new. The spokesperson also added:
We are grateful to the researchers for allowing the industry the opportunity to consider their findings. The GSMA welcomes any research that enhances the security and user confidence of mobile services and encourages all researchers to submit their work to our Coordinated Vulnerability Disclosure (CVD) Programme which enables them to share findings and to contribute to industry’s ongoing work to drive security improvements.
While they may not be "new," issues like these are going to be unavoidable so long as details behind RCS implementations are left to the carriers. The only real solution, short of trusting the carriers to fix things (and stop making these sorts of basic mistakes), is to expand the RCS standards themselves to leave as little as possible up to carrier interpretation or judgment. It's also possible the upcoming cross-carrier RCS joint venture might mean more eyes reviewing these sorts of details, though who knows if they'll catch issues like this even then.
Although none of the US carriers provided Motherboard with a statement, we've also reached out to representatives at the four companies for comment, and we'll update if any additional details are provided. The researchers didn't mention if Google's RCS implementation via Messages/Jibe may also be affected by any of the newly-publicized vulnerabilities, but we've reached out to Google to see, and we'll update with any information we get.