By now most infosec professionals are aware of various ways SMS text messaging can be hijacked. For example so-called “SIM Swap” attacks, SS7 attacks, Port-out fraud, etc. All of these attacks however do require some level of sophistication, whether it be high level access to SS7, or account information or social engineering to successfully port out the phone number to a new provider or swap the sim on the existing account.
There is however other vulnerabilities that are not particularly well known. For VoIP numbers in particular, which may be assigned to a CLEC or VoIP wholesaler, the SMS may need to be routed to a different carrier than the carrier of record. This is accomplished in two different ways. One is an ALT SPID, which NPAC defines as “The four-digit identifier of a second service provider associated with a telephone number or thousand block. It identifies the wholesale service provider customer to which the PSTN service provider has assigned the number. The second service provider in turn may either assign the number to its retail customer or to another service provider for its use.” ALT SPIDs are vulnerable and susceptible to change and can be used to hijack SMS, but it too does require carrier-level access to make changes directly to NPAC. In particular, and importantly, it requires the current provider’s co-operation for the new carrier’s ALT SPID to be added in NPAC.
Which brings us to an alternative SMS routing provider, NetNumber. NetNumber has a product called NetNumber ID (NNID), it’s a 6 digit number similar to an ALT SPID that identifies the carrier to route to for SMS. Net Number explains it in this 2019 Q&A:
We quickly found that every industry database, in every country around the world, has its own model for identifying a communications service provider. The Local Exchange Routing Guide (LERG) database uses a 4-digit Operating Company Number (OCN), the Number Portability Administration Center (NPAC) portability database uses 10-digit Local Routing Number (LRN), most Home Location Registers (HLRs) utilize a 5 or 6-digit Home Network Identity (HNI), etc.
In order to make these databases useful for global routing, the NetNumber team created a globally unique naming convention called NetNumber ID (NNID) that is now widely used by fixed-line, mobile, cable/ Multiple System Operator (MSO) and Over the Top (OTT) service providers to route calls and messages on a global basis. The NetNumber data service team maintains and…