RCS Messages, Another Avenue for Cyber-attacks

The new RCS (Rich Communication Service) messaging system is a major evolution from the old SMS or MMS.

One of the advantages of RCS messages is that they allow you to send high-resolution photos and videos, as well as to personalise certain functions, such as automatic replies, for example.

In this way, it is presented as a communication alternative to OTT instant messaging apps such as WhatsApp or Telegram, among others.

It should also be noted that this service is not owned by any telephone company and works with different operators, both with devices with Android 18 or higher or with iOS, although iPhones need to have the latest iOS 18 update installed and a text messaging plan from an operator.

The system also allows verification of the identity of senders, as with messaging apps, which is essential to protect users against phishing attempts and unwanted spam. In this way, it offers a higher level of trust than traditional SMS, which have become a powerful weapon for cybercriminals.

Panda Security also explains that the RCS system has been designed with end-to-end encryption as used in the most advanced communication tools.

All this makes this system a very interesting communication option for companies. Not surprisingly, Juniper Research predicts that RCS business messaging traffic will increase by 50% by 2025, multiplying sixfold in the next five years, as we have already mentioned.

Potential vulnerabilities of RCS messaging

Despite the benefits, there are also vulnerabilities. ‘Despite its obvious improvements, the technology is not without vulnerabilities, as the transition to an internet-based messaging system also exposes it to potential cyber threats. In fact, the key is that it can include end-to-end encryption, but its activation will depend on each operator,’ says the cybersecurity company.

Thus, the interoperability of the system may pose a problem. ‘If the contact you are writing to is not using this protocol, the message will be sent as a normal SMS, so the encryption will not be active,’ it warns. Similarly, he stresses that ‘communication between iPhone and Android users via RCS is not recommended, as it is not yet encrypted’.

He also stresses that we should bear in mind that the advantages of RCS communications can be exploited to organise phishing attacks, sending messages that impersonate companies or public bodies.

‘As we see from Panda Security, advanced features such as the ability to send high quality images and interactive content can be used by cybercriminals to design even more convincing fake messages that trick users into revealing sensitive information,’ he specifies.

On the other hand, although encryption provides a fairly robust defence, Panda Security points out that ‘not all messages can be encrypted, because it depends on the configuration of each user and the capabilities of the network’.

‘For this reason, we believe that there is a space from which they can be intercepted on less secure networks. It is advisable not to connect to public WiFi networks and to avoid revealing sensitive information that could affect your bank accounts,’ explains Hervé Lambert, Global Consumer Operations Manager at Panda Security.

In fact, the company says the FBI has detected that groups of attackers have exploited a vulnerability in the RCS protocol, taking advantage of the lack of a default end-to-end encryption system.

‘This cyberespionage campaign has targeted iOS and Android devices. US authorities have claimed that behind it all is the Chinese cybercriminal group Salt Typhoon, who compromised telecommunications networks in the US in October,’ Panda Security points out.

‘The authorities have considered it to have a security breach when it is used between devices with different operating systems,’ adds the cybersecurity company.

In a related vein, it notes that the GSMA, the world’s leading operator organisation, ‘has assured that RCS will soon include the first end-to-end encryption of standardised cross-platform messaging’.