Closed StoneCypher closed 4 years ago
Duplicate of #10.
This issue offers significant extra context and evidence of well-known real-world abuse at large scale.
That evidence was lost in this transaction, because this issue was linked to a different closed issue. I've gone to the actual active issue about this, and re-raised the evidence that this design strategy is frequently abused in the real world with total device takeover as the consequence.
I've done my best ☹️
SMS is well known to be deeply insecure, and highly inappropriate for transferring temporary credentials. This has been one of the most frequent vectors of high-touch real-world attacks, including against Apple.
The sophistication of actors, users, and even carriers will not help. By example, the OTA provisioning mis-feature in Android, that allows a phone carrier to silently remotely install software on my phone without my consent, was repeatedly abused by attackers in the real world to compromise hundreds of thousands of devices.
Is it appropriate at this point to move forward with SMS as a network layer?