5G Messaging: System Insecurity and Defenses

5G introduces Rich Communication Services (RCS) as the official messaging service. It replaces SMS with rich multimedia content over the chat session. RCS intends to provide “any network, any device” messaging services for a given user across various network (4G/5G or Wi-Fi) and devices (SIM-based phones or SIM-free tablets/gadgets). This work provides the first in-depth study of RCS system security. We find that although RCS is one of the mobile carrier services, it performs a weak cellular ID binding, which opens a door for attackers to hijack the victim's RCS service. Even with end-to-end encryption in place, impersonation and eavesdropping over chat messages are still feasible. The attacks could be persistent and stealthy. With abused RCS service, victims are vulnerable to various attacks of fraud, location tracking, unauthorized operations on business accounts, and spamming. We have empirically validated such attacks in 4 major US mobile carriers by following ethical requirements. We further propose and implement both long-term solutions and immediate remedies.