Security breach on PinePhone UBports SMS

[Athansor]

I don't know if this is occurring on the UBports end of things or the carrier end, but this is a somewhat concerning security bug.

I can send but do not receive SMS messages, I'm on dev channel, up to date as of today. I've filed a bug on that elsewhere. A couple of times a day I message my wife to see if she gets mine and to see if I get her reply. I never do. Today, I messaged her and she replied to the received message. I did not receive her reply, though her iPhone noted that the message had been received. She then got a message saying "Who is this?" to which she responded "It's your wife," and then a reply back saying "Huh?"

I did not receive any of her messages, nor did I receive any of the replies to those messages from whoever was sending them.

About 20 minutes after that, I DID receive a text message. It was an automated message from Venmo (or purporting to be so), with a 2-factor authorization code. That is the only text message I have received in several weeks. I have never had a venmo account.

My wife is using an iPhone, recent version, never has had any difficulties with SMS.

Can somebody explain to me what is going on, and how to fix it? I mean, like ASAP? I have no idea how much of my data is being compromised.

I am, to put it mildly, a little bit freaked.

[RTP]

I don't know if this is occurring on the UBports end of things or the carrier end, but this is a somewhat concerning security bug.

I can send but do not receive SMS messages, I'm on dev channel, up to date as of today. I've filed a bug on that elsewhere. A couple of times a day I message my wife to see if she gets mine and to see if I get her reply. I never do. Today, I messaged her and she replied to the received message. I did not receive her reply, though her iPhone noted that the message had been received. She then got a message saying "Who is this?" to which she responded "It's your wife," and then a reply back saying "Huh?"

I did not receive any of her messages, nor did I receive any of the replies to those messages from whoever was sending them.

About 20 minutes after that, I DID receive a text message. It was an automated message from Venmo (or purporting to be so), with a 2-factor authorization code. That is the only text message I have received in several weeks. I have never had a venmo account.

My wife is using an iPhone, recent version, never has had any difficulties with SMS.

Can somebody explain to me what is going on, and how to fix it? I mean, like ASAP? I have no idea how much of my data is being compromised.

I am, to put it mildly, a little bit freaked.

That is concerning.

Here is suggestion: disable 2g. may be unrelated but 2g imsi catchers (stingrays that can act as man in middle) are the most common/accessible to teenagers. Something everyone might want to do to prevent 2g imsi attacks.

The venmo 2fa sms reminds me of what I have read on sim jacking
Read more about it here: https://thehackernews.com/2019/09/simjac...cking.html

I'm not sure if it depends on mms or if it can be done via simple sms, but apparently it is used for surveillance/hackers, many times specifically targeting users for one reason or another. And as the article states just about *all phones* are vulnerable because it is the sim card itself that has the vulnerability- Not Pinephone (sim card has its own java browser!).

One thing sim jacker may do is try to access bank accounts/other financial services. sms 2fa becomes a problem when the jacker gets ahold of accounts using their cell phone sms as security (other forms of 2fa are suggested until sim cards are replaced).

I hope it is just some type of "crossing lines bug" w/carrier, but I would take a look at your bank account- if it is an attacker they may use various "lost my password send a txt" feature *if* it is some kind of attack.

You may want to temp take your cell phone number off bank account/other important phone number linked accounts for the time being if worried.

Thanks for making us aware. Btw did you see any other strange activity? Were there any strange links in the Venmo msg?

Edit: Hopefully it is just a carrier problem. I have seen people get fake texts trying to get them to click on malware links randomly in txts.

[daniel]

I don't know if this is occurring on the UBports end of things or the carrier end, but this is a somewhat concerning security bug.

I can send but do not receive SMS messages, I'm on dev channel, up to date as of today. I've filed a bug on that elsewhere. A couple of times a day I message my wife to see if she gets mine and to see if I get her reply. I never do. Today, I messaged her and she replied to the received message. I did not receive her reply, though her iPhone noted that the message had been received. She then got a message saying "Who is this?" to which she responded "It's your wife," and then a reply back saying "Huh?"

I did not receive any of her messages, nor did I receive any of the replies to those messages from whoever was sending them.

About 20 minutes after that, I DID receive a text message. It was an automated message from Venmo (or purporting to be so), with a 2-factor authorization code. That is the only text message I have received in several weeks. I have never had a venmo account.

My wife is using an iPhone, recent version, never has had any difficulties with SMS.

Can somebody explain to me what is going on, and how to fix it? I mean, like ASAP? I have no idea how much of my data is being compromised.

I am, to put it mildly, a little bit freaked.

This is concerning. I *hope* it is just a simple bug but important to be cautious.

it may just be  bug but here is suggestion: disable 2g. may be unrelated but 2g imsi catchers (stingrays that can act as man in middle) are the most common/accessible.  Something everyone might want to do to prevent 2g imsi attacks.

The venmo 2fa sms reminds me of what I have read on sim jacking

Everyone should at least be aware of this vulnerability in current sim cards allowing the hijacking of phone numbers/phones.
Read more about it here: https://thehackernews.com/2019/09/simjac...cking.html

I'm not sure if it depends on mms or if it can be done via simple sms, but apparently it is used for surveillance/contactors/hackers, many times specifically targeting users for one reason or another. And as the article states just about *all phones* are vulnerable because it is the sim card itself that has the vulnerability (sim card has its own java browser!).

I really hope this is just a bug and not related to a sim card vulnerability.

One thing sim jacker hackers tend to do is try to access bank accounts/other financial services. sms 2fa becomes a problem when the jacker gets ahold of accounts using their cell phone sms as security (other forms of 2fa are suggested until sim cards are replaced).

I hope it is just some type of "crossing lines bug" but I would take a look at your bank account- if it is an attacker they may use various "lost my password send a txt" feature *if* it is some kind of attack that has access to your txts.

You may want to temp take your cell phone number off bank account/other important phone number linked accounts for the time being if worried. Let's hope it's not a targeted attack on you personally.

Thanks for making us aware. Btw did you see any other strange activity? Were there any strange links sent to you/anyone you know?  There are rumors of T-Mobile being especially common for sim jackings (in case you have T-Mobile: some believe there are employee insiders assisting).

Hopefully it is just a software vulnerability (but the venmo 2fa code is strange).

Oh wow! Reading this, better I do not put my SIM in PP. We better buy a cheap prepaid sim for testing PP until can be used securely.

Thanks for the warning!

[RTP]

I don't know if this is occurring on the UBports end of things or the carrier end, but this is a somewhat concerning security bug.

I can send but do not receive SMS messages, I'm on dev channel, up to date as of today. I've filed a bug on that elsewhere. A couple of times a day I message my wife to see if she gets mine and to see if I get her reply. I never do. Today, I messaged her and she replied to the received message. I did not receive her reply, though her iPhone noted that the message had been received. She then got a message saying "Who is this?" to which she responded "It's your wife," and then a reply back saying "Huh?"

I did not receive any of her messages, nor did I receive any of the replies to those messages from whoever was sending them.

About 20 minutes after that, I DID receive a text message. It was an automated message from Venmo (or purporting to be so), with a 2-factor authorization code. That is the only text message I have received in several weeks. I have never had a venmo account.

My wife is using an iPhone, recent version, never has had any difficulties with SMS.

Can somebody explain to me what is going on, and how to fix it? I mean, like ASAP? I have no idea how much of my data is being compromised.

I am, to put it mildly, a little bit freaked.

Oh wow! Reading this, better I do not put my SIM in PP. We better buy a cheap prepaid sim for testing PP until can be used securely.

Thanks for the warning!

Why not? I use Pinephone as my daily driver with UT and I feel secure about it. Ubuntu Touch has been around for years and we haven't heard any stories like this til OP (sounds specific to his situation).

Listening to OP situation reminded me of some of existing sim card vulnerabilities (where most attacks target specific "important people"/crypto traders as result of IMEI/phone number and other personal information gathered).

Venmo 2fa part could have been one of those scam txts trying to get him to click a link.

If concerned make sure to run Ubuntu Touch Stable.

[Athansor]

UPDATE: This gets better and stranger.

about 1.5 hours with Cricket support (much of which was done on my PP, yay!). My account has been reset entirely via their web interface, so if someone has jacked the card, they cannot access the account easily. They also "reset" my SIM card (I have *no* idea what that means, if anything), and after whatever they did, I can now receive texts from them. I still cannot receive texts from individual phones, however.

I am less concerned, as I have sent no critical financial or other information through my PP. My cricket account was the only one through which the phone might have had access, and that's gone.

I still have no idea what the source of the issue is, and the possibility of being SIMjacked is concerning. As much fun as I've been having, I think I'm going to put my PP on the shelf for a few months and see where things stand in the fall or early winter.

[RTP]

UPDATE: This gets better and stranger.

about 1.5 hours with Cricket support (much of which was done on my PP, yay!). My account has been reset entirely via their web interface, so if someone has jacked the card, they cannot access the account easily. They also "reset" my SIM card (I have *no* idea what that means, if anything), and after whatever they did, I can now receive texts from them. I still cannot receive texts from individual phones, however.

I am less concerned, as I have sent no critical financial or other information through my PP. My cricket account was the only one through which the phone might have had access, and that's gone.

I still have no idea what the source of the issue is, and the possibility of being SIMjacked is concerning. As much fun as I've been having, I think I'm going to put my PP on the shelf for a few months and see where things stand in the fall or early winter.StWonder if same experience would be had if off developer channel? (dev channel warns it may mess with your experience and is untested). UT Stable seems the best option for weeding out possible carrier/sim problems.

I used to monitor cell towers and map locations after missing many texts on my Android (and to try to improve cell service by detecting/blocking imsi catcher/stingrays- a tower that moves is not a real tower). They are rampant in some parts of USA - mostly cities/protest areas. Mostly running lower g interception. Sometimes they do denial of service downgrade service attacks on all phones in area (each taking up to 10,000 phones at a time) to force them to connect to their man in the middle attack (by causing phones to believe they have better signal). Especially common in cities/protest areas.

This is why I mentioned turning 2g/3g off if possible to attempt to prevent interference.

My area had a lot of these devices hijacking phones indiscriminately, I believe this is what lead me to miss texts on my Android.

Personally I have my Pinephone set to 4G only (have had 0 issues, everything runs great- no delayed txts). Only the most advanced/most well funded adversary would have access to 4G imsi catcher to disrupt service. And no phone has protection from this- pinephone is no more vulnerable than Apple/Android.

It could be completely unrelated. I was just speculating. I really have no idea.

Maybe someone else will chime in.

[Engineer]

Is it possible to turn off 2g and 3g in Android? Some people might be interested in that.

[RTP]

Is it possible to turn off 2g and 3g in Android? Some people might be interested in that.

For those on Android go to dialpad:

type *#*#4636#*#*

Then a menu will come up.

Select Device Information--> then select the "Set Preferred Network Type" to LTE Only.

LTE is 4G.

[Dendrocalamus64]

The Venmo thing isn't necessarily related to you. People really hate SMS verification. There is an entire industry which has sprung up to help people get around it, with lists of public phone numbers you can use for account creation instead, phone numbers you can rent using cryptocurrency, even splitting phone numbers to get the cost down, so person 1 would be able to use that number for a Google account, person 2 for a facebook account, person 3 for a Venmo account, and so on, with the web interface or forwarding only making the messages available to the appropriate subscriber. It's quite possible someone was trying 50 public numbers with Venmo trying to find one that would work and entered the one that routes to your phone by accident because it was one digit off. Or that number may have been rotated through a public list some time before. They have to keep rotating the lists because many sites will only allow a number to be used once, or twig & blacklist it once it's being used too often.

All of the rest just sounds like your provider has your SMS routing set up wrong. Text messages sent to your number get routed to a different phone, and some unknown other number routes to yours. It doesn't necessarily have anything to do with the Pinephone.

[Athansor]

The end of the story: I pulled the SIM, turned off the phone, and sat on things for a couple of days, but I had been having so much fun playing with this thing, I couldn't resist. I put the SIM in, did a full reset on the phone, and lo and behold, I now can receive texts and they aren't being re-routed to somebody else.

I also have not received any phishing-type messages since I restored it.

I'm pretty sure that this was a carrier issue, and not a PP or UBports issue. The SIMjacking possibility is very interesting, and I'll make sure to get a new SIM before I put any sensitive data on the phone.

Thanks for all of the information and advice, I really appreciate it.