What is SMS Encryption: Are Text Messages Secure?

The security of SMS wasn’t a topic of discussion for much of its existence. Being the ideal app for personal texting, nobody perceived it as a threat. It’s simple and convenient to use. It works.

But only when it became popular as a business tool did people start questioning whether SMS is actually safe. As hackers started using sophisticated methods to intercept texts, the matter of security became a hot topic.

One particular question that people raised is “Are SMS messages encrypted?” And if it’s not, what can you do about it?

What Is End-to-End Encryption?

In messaging, end-to-end encryption is a security protocol that ensures only the intended recipient and sender can see the texts. Each communicating user will have two cryptographic keys—a private key for confidentiality and a public key for sharing.

Messages are encrypted by the recipient’s public key and decrypted by the private key. This prevents third parties like service providers from getting access to the message content. It guarantees a high level of privacy and security in digital communications. 

Is SMS Encrypted?

Simply put, the Short Message Service (SMS) does not have any encryption, making it inherently insecure. While mobile carriers do protect text messages, it’s usually the very basic security of GSM or CDMA. This means it’s possible for the network or anyone to intercept SMS messages and read them.

Also, mobile carriers store SMS messages on their networks for a certain period of time. They also keep information like mobile numbers as well as dates and times of delivered and received messages. And of course, these records can be subject to subpoena. 

Will SMS Be End-to-End Encrypted in the Future?

So far, there are no plans to encrypt standard SMS text messages. Making this significant change is simply not practical considering the technical intricacies, even if mobile phone networks agree to do so.

SMS uses the framework of the SS7 (Signaling System 7) protocol, which is inherently prone to interception. It’s the reliance of SMS on the SS7 architecture that makes encryption a major challenge, especially considering SS7 existed before digital encryption. 

Encrypting SMS would essentially require a drastic overhaul of the entire infrastructure, which is pretty complex and resource-intensive to do. The wide range of devices and network providers involved in SMS also makes it hard to establish an encryption protocol. 

Top 3 Vulnerabilities of Unencrypted SMS

1. Carriers Can See the Messages

The fact that SMS messages don’t have encryption means that mobile providers can see the content you send and receive. The messages go through the carrier’s network in a readable format, potentially revealing confidential or sensitive information to network administrators or anyone who has access to the systems. This is normally not an issue since phone carriers often adhere to ethical standards, but there’s always the risk of bad actors in mobile networks.

2. Authorities Can Monitor the Messages

Without encryption, SMS messages are prone to monitoring by authorities, normally because of legal permissions or surveillance mandates. Law enforcement agencies, let’s say, can access and track mobile communications as part of an investigation. They often use “stingray” devices that mimic a cellular tower, tricking your mobile phone into connecting to them. The agency places the device close to your area and gains access to your messages.

While this is legal in certain cases, it does raise a question about the line between personal privacy rights and the authority’s surveillance capabilities. 

3. Hackers Can Intercept the Messages

SMS messages are relatively easy to intercept by hackers who take advantage of the weaknesses in the SS7 network. By intercepting the messages, hackers can gain unauthorized access to personal information. They only need a laptop that runs Linux and the SS7 development kit.

Once they connect to the SS7 network, cybercriminals can trick the system into believing that they are a subscriber and gain access to the phone number’s SMS message and voice data. The resulting attacks can include identity theft and financial fraud. 

Why Use SMS for Two-Factor Authentication If It’s Not Encrypted

The reason people use SMS for two-factor authentication is a matter of convenience rather than security. SMS is the most practical choice for delivering security codes because all mobile phones have a native texting app for sending texts and receiving them. All you need is a phone and you can receive a 2FA code by text. Alternatives like WhatsApp and Viber do have encryption, but not everybody uses them. 

That said, SMS isn’t the most secure option for 2FA, but it’s much safer than not doing 2FA. Plus, the likelihood of someone hacking your 2FA and getting access to your account is still very small. 

Is SMS Safer Than Email?

Email clients like Gmail and Outlook are not encrypted. There’s also the added issue that your computer is prone to hacking, putting not only your email folders at risk but also other files on your device. Malicious systems like spyware and malware are far more common on computers. And cyberattacks tend to be more successful on computers and laptops than on mobile phones.

With that in mind, SMS is relatively more secure than email. The enhanced security features aside, it’s mainly because mobile devices are less targeted. 

How to Encrypt SMS Messages

The best way to send an end-to-end encrypted message is to use an app that has encryption. Services like the iMessage and Google Messages app offer a more secure alternative to SMS. With encryption protocols in the background, you can send and receive messages knowing that only you and whoever’s on the other end of the conservation will see them. 

1. iMessage

If you have an iPhone and want to send and receive encrypted text messages, all you need to do is enable iMessage. It initiates an encrypted thread that only the sender and the recipient can read. The only catch here is that Apple's iMessage is only available to iPhone users.

This means that if you send a message from your iPhone to someone who uses an Android phone, that person will receive it as an ordinary SMS without encryption. 

2. Android Messages

Released in 2021, Android Messages encryption is the equivalent of iMessage which uses RCS technology. The encryption, however, doesn’t work when you send messages to an iPhone. And unless both sides switch on the encryption setting, the messages go out as a standard SMS text.

The idea is that one side encrypts the texts and the other side decrypts them with a different key. Encryption doesn’t work with group texts, either. 

3. RCS

For Android phones, another alternative to SMS that offers more security is RCS (Rich Communication Services). While RCS itself doesn’t use end-to-end encryption, you can communicate securely on the app through something called transport layer security (TLS).

However, Google is working on introducing encryption to RCS. The main challenge here is to make it compatible with iMessage to allow for encrypted secure messaging between iPhone and Android users. 

4. Third-Party Apps

Besides the standard alternatives, various third-party messaging apps will safeguard your conversations with end-to-end encryption. Plus, they don’t use the old Signaling System 7 protocol or store any texting data. And you can send encrypted messages to any smartphone—whether Android or iPhone—without having to worry about anyone intercepting your communications. The apps we’re talking about include Wire, Signal, and Threema. 

To put things in perspective, these messaging apps are so secure that some members of Congress demanded to weaken the encryption or to create backdoors so authorities can get access. Hint: the encryption is still as strong as ever.

In fact, Signal’s SEO insisted that the company won’t go along with the request to dial down the encryption or open backdoors. It is the texting app of choice for many journalists and experts like Edward Snowden. 

Using a Business Messaging Platform for Secure Texting

Although SMS has no end-to-end encryption, you can still boost its security by using a reputable business messaging platform like Dexatel. This is because these platforms take serious security measures to safeguard their data, yours, and your customers’. By protecting sensitive text message data, secure communication platforms also allow you to stay compliant with data privacy laws.

Dexatel, for example, offers various security features including fraud guard and SMS firewall to prevent various cyberattacks like SMS pumping. With these features at your disposal, you can ensure the security of your business texting efforts.