British people will soon begin receiving random phone calls from so-called "contact tracers" warning them about having been in close proximity with potential coronavirus carriers. One of many problems with this scheme is it's dangerously easy to pose as a government contact tracer.
As detailed by the NHS, contact tracers will phone up and text people who report coronavirus symptoms to the government and demand lots of personally identifiable information – including information on other people.
What safeguards are in place? Er, not many. They'll call from a published phone number – 0300 013 5000 – and, bizarrely given the context, UK.gov promises its hired call centre won't "disclose any of your personal or medical information to your contacts".
Such a scheme bears all the hallmarks of cold-calling scammers, and indeed has already been used for that exact purpose. More to the point: publishing a phone number really doesn't guarantee that the caller is who they claim to be.
SMS and caller line identification (CLI) information is straightforward to spoof if you know how, and with UK.gov publishing the number its callers will be using, there's now an increased level of risk; for the non-technically-adept, a call coming from a published government number is more likely to be taken at face value.
'It's mostly just embarrassing' how easy it is
El Reg asked Jake Davis, one-time Lulzsec hacker turned security researcher, about SMS spoofing and the ease with which malicious people could impersonate UK.gov. He pointed us to a blog post he wrote back in March when the British government sent the entire nation a text message saying "Stay at home."
Addressing how straightforward it is, without explicitly linking to tools or guides on how it's done, Davis wrote: "In fact I'd say this is a schoolyard prank level of exploit, available to anyone and without requiring any technical prowess whatsoever.
"Outside of large hypothetical threats it's mostly just embarrassing. It's embarrassing that any random person who searches for 'SMS spoofing' can essentially become the UK government with no immediate way for the victim to tell the difference."
An example of such a phishing text – including a link to a decidedly non-gov.uk-site (don't visit it!) – is below.
Be warned that text messages like this one are already in circulation as the track & trace service launches. They are not genuine and anyone going to that website link will be asked to submit personal information that will then be used by fraudsters. pic.twitter.com/P11vyuPVmr— Stuart Fuller (@theballisround) May 28, 2020
Back in 2015 The Register wrote about a VoIP-based CLI spoofing service which – inevitably – took payment in Bitcoin. It's still a problem to this day, and across the pond a group of US attorney-generals complained of 40 billion CLI-spoofed robocalls, automated phishing calls, being targeted at US citizens over the previous 12 months. While methods have evolved in Blighty since 2015, the problem continues to plague the UK.
In a statement, RSA Security's Ben Tuckwell agreed, adding some basic security advice: "Consumers can protect themselves by acting smart and pausing to consider each communication they receive, while remembering the three key smishing don'ts – don't respond to texts from unknown or unusual numbers; don't click on any links in text messages; and don't share any banking information, usernames or passwords or other personal details after receiving a text message, unless you can verify who you are speaking with." ®
Davis's blog also includes a post about acquiring free beer through a comically inept system of QR code-reliant vouchers. Again, don't try this at home.