Flash Messages

Even on the most normal of days SMS messaging is an insecure form of communication, which is why the team here at We Assume Breach advocates for the use of Signal for daily communication. This post is not about why we think it is vital to use encrypted communication, that will surely come at a later date, this is instead about a recent revelation we had about an outdated form of SMS messaging. Called flash, or class 0, messages.

If like us, our fellow cyber nerds, you were not familiar with this type of message let us share our terror. Flash messages are a relic of the early SMS days, in fact, we have not figured out how to send one with a modern smart phone. This type of SMS message is unique because it ignores the consent of the recipient to receive the message, it completely takes over your phone screen, making it impossible to ignore. Vexingly, the message is also not saved within your phone, so as soon as you click out of it the message disappears forever. This is the message (pictured left) sent to one of our team members alerted us to what we fear is an emerging trend.

So it’s an intrusive mobile pop-up ad, why should you care? We believe this could be a frightening escalation of tactics for professional Smishing (social engineers who try to dupe people using SMS messages, an amalgam of the words SMS and phishing). The message to your left is the second, and more convincing, of the two that we received. The first had a delightfully helpful typo that let us know that our “ObomaCare approval needs to be confirmed.” That missing “a” gave away the game that this was a smishing attempt, since we knew this was a scam we didn’t interact with the message. Clearly the smishers realized their mistake and fixed the typo, creating a much more convincing message, especially since this was sent during healthcare open enrollment.

What troubles us the most is if the first message you receive is not filled with obvious typos, then the urgency that flash messages convey can bypass the skeptical part of your brain. For a single moment our team member thought this was an urgent message from the government, with the goal of getting as many Americans enrolled in healthcare as possible. Imagine if you got a flash message for the first time that said “There is a Chemical Spill in your area, click here to see how you are affected” or “There is a Wild Fire near your city, click here for the safest evacuation routes.” We can't claim confidently that even our team of cybersecurity professionals wouldn’t be hoodwinked by this sophisticated a scam.

So what can you do to protect yourself? Honestly not much. Other than becoming informed of this new technique, you cannot do much as an individual to block this type of message. Apparently they can be sent from an older phone by inputing “0001” in the message field to indicate that this is a class 0 message. There is also a company called SMS Country that will send mass “promotional” flash messages for a fee. You may be able to block flash messages by contacting your phone carrier either over the phone or through their app, but this is no guarantee. It is our hope that eventually Apple or Android will realize the dangers these messages pose and will allow us to disable it within the settings. But we won’t hold our breath, as always Stay Paranoid.