Is it possible to compromise a mobile phone just by using the telephone number?

Such an assertion sounds conspiratorial and not founded in reality. However:

  • The SMS system has many known security issues. Network operators and state actors can locate a phone with a “silent SMS” (“stealth ping”): the handset acknowledges the message to the network without ever showing it to the user, and the resulting signalling reveals which cell the phone is in. Network operators (or an attacker who socially engineers them, as in a SIM swap) can associate a new SIM card with the number, and SMS can be re-routed to a different recipient without the intended recipient noticing. Since such attacks are cheap, SMS is not a suitable mechanism for two-factor authentication or as an account recovery channel.
  • Unencrypted data transfers can be read by anyone in a MITM position, such as network operators and state actors. SMS in particular carries no message-level encryption. All popular messaging apps, by contrast, use transport encryption.
  • Older phones in particular have many known security vulnerabilities. For example, MMS handling on old Android versions is highly vulnerable due to the Stagefright bugs, which an attacker could leverage for a zero-click attack: the victim only needs to receive the message. As a high-profile example, Saudi Arabia allegedly hacked Jeff Bezos’ iPhone in 2018 via a malicious video file sent over WhatsApp.
  • Some countries (including the UK, under the heading of “equipment interference”) give state agencies legal authority to hack devices for security purposes. This only works, however, if there are exploitable vulnerabilities such as those discussed above. In some cases, installing surveillance software requires physical access.
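Decoding the PDU that a modem hands up makes the “silent SMS” point concrete: a Type 0 message is an ordinary SMS-DELIVER whose TP-PID octet is 0x40, which the handset acknowledges to the network but, per 3GPP TS 23.040, neither displays nor stores. The decoder below is an added example and not part of the original answer. The two PDUs are constructed test vectors: the first is the widely circulated “How are you?” example PDU, the second a hand-edited copy of it with TP-PID changed to 0x40 and an empty body; the SMSC and sender numbers in them are placeholders.

```python
# Minimal SMS-DELIVER PDU decoder that flags "silent" (Type 0) messages.
# Added example, not code from the original answer. NORMAL_PDU and
# SILENT_PDU are constructed test vectors, not captured traffic.
from dataclasses import dataclass

# GSM 03.38 basic 7-bit alphabet: index = septet value (128 entries).
GSM7 = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7) == 128


def unpack_7bit(data: bytes, nseptets: int) -> str:
    """Unpack GSM 7-bit packed septets (3GPP TS 23.038) into text."""
    bits = nbits = 0
    out = []
    for b in data:
        bits |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < nseptets:
            out.append(GSM7[bits & 0x7F])
            bits >>= 7
            nbits -= 7
    return "".join(out)


def _swap_bcd(octets: bytes, ndigits: int) -> str:
    """Decode semi-octet-swapped BCD digits (low nibble first)."""
    digits = "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets)
    return digits[:ndigits]


def _address(toa: int, digits: str) -> str:
    digits = digits.rstrip("F")          # 0xF is the odd-length pad nibble
    return "+" + digits if toa == 0x91 else digits   # 0x91 = international


def _alphabet(dcs: int) -> str:
    """Map TP-DCS (3GPP TS 23.038) onto the user-data alphabet."""
    if dcs & 0xC0 == 0x00:               # general data coding group
        return ("7bit", "8bit", "ucs2", "8bit")[(dcs >> 2) & 0x03]
    if dcs & 0xF0 == 0xF0:               # data coding / message class group
        return "8bit" if dcs & 0x04 else "7bit"
    return "8bit"                        # MWI and reserved groups: treat as opaque


@dataclass
class SmsDeliver:
    smsc: str
    sender: str
    pid: int
    dcs: int
    timestamp: str
    text: str


def decode_sms_deliver(pdu_hex: str) -> SmsDeliver:
    pdu = bytes.fromhex(pdu_hex)
    pos = 0
    # SMSC info: length in octets (covering the type-of-address octet), TOA, digits.
    smsc_len = pdu[pos]; pos += 1
    smsc = ""
    if smsc_len:
        smsc = _address(pdu[pos], _swap_bcd(pdu[pos + 1:pos + smsc_len], (smsc_len - 1) * 2))
        pos += smsc_len
    first = pdu[pos]; pos += 1
    if (first & 0x03) != 0x00:
        raise ValueError("not an SMS-DELIVER PDU (TP-MTI != 0)")
    udhi = bool(first & 0x40)            # user-data header present
    # TP-OA: length in semi-octets (digits), TOA, BCD digits padded with 0xF.
    oa_digits, toa = pdu[pos], pdu[pos + 1]; pos += 2
    oa_raw = pdu[pos:pos + (oa_digits + 1) // 2]; pos += len(oa_raw)
    if (toa & 0x70) == 0x50:             # alphanumeric sender, 7-bit packed
        sender = unpack_7bit(oa_raw, (oa_digits * 4) // 7)
    else:
        sender = _address(toa, _swap_bcd(oa_raw, oa_digits))
    pid, dcs = pdu[pos], pdu[pos + 1]; pos += 2
    ts = _swap_bcd(pdu[pos:pos + 6], 12); pos += 7   # 7th octet = time zone, not decoded here
    timestamp = f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}"
    udl = pdu[pos]; pos += 1
    ud = pdu[pos:]
    alphabet = _alphabet(dcs)
    if alphabet == "7bit":
        text = unpack_7bit(ud, udl)
        if udhi:                         # drop header septets, rounded up to a boundary
            text = text[-(-(ud[0] + 1) * 8 // 7):]
    else:
        body = ud[ud[0] + 1:] if udhi else ud
        text = body.decode("utf-16-be") if alphabet == "ucs2" else body.hex()
    return SmsDeliver(smsc, sender, pid, dcs, timestamp, text)


def classify(msg: SmsDeliver) -> str:
    """Label the delivery by the header fields that control what the user sees."""
    if msg.pid == 0x40:
        return "silent (Type 0): ACKed by the handset, not displayed or stored"
    if msg.pid == 0x7F:
        return "SIM data download: routed to the SIM, not shown to the user"
    if (msg.dcs & 0xD0) == 0x10 or (msg.dcs & 0xF0) == 0xF0:   # class bits are meaningful
        if msg.dcs & 0x03 == 0:
            return "class 0 (flash): shown immediately, normally not stored"
    return "normal"


# Constructed test vectors (hex, as a modem returns them in PDU mode).
NORMAL_PDU = "07911326040000F0040B911346610089F60000208062917314080CC8F71D14969741F977FD07"
SILENT_PDU = "07911326040000F0040B911346610089F640002080629173140800"

if __name__ == "__main__":
    for pdu in (NORMAL_PDU, SILENT_PDU):
        m = decode_sms_deliver(pdu)
        print(f"{m.timestamp} from {m.sender}: {classify(m)} text={m.text!r}")
```

On a modem switched to PDU mode (AT+CMGF=0), AT+CMGL returns messages in exactly this form, so the decoder can be run over its output. The caveat is that a detector on the application side only sees what the baseband passes up; Type 0 messages are usually consumed in the baseband firmware and never forwarded, so an empty result is not evidence that no silent pings were received.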

Exfiltration of data from a device still requires more than knowledge of the number: either physical access, or an exploit that installs malware which then sends data from the phone to the attacker. The latter in turn requires an active network connection.

There are more theoretical approaches to exfiltrating data from a device, such as side-channel attacks that monitor its electromagnetic emissions. These, however, require close physical proximity and have mostly been demonstrated in lab settings.

So what is that tweet about? Clarification comes in a follow-up tweet from the author:

To be clear: I’m talking about messaging, not apps such as banking or a Word document on your phone. The Italian police told me they could listen to and read any message traffic in real time

– @krishgm, https://twitter.com/krishgm/status/1388082271815671808

This indicates they are talking about interception of SMS, which is trivial, especially if the mobile network operator cooperates (which it may be legally required to do). SMS offers next to no confidentiality, integrity, or authenticity guarantees. This is in stark contrast to all mainstream messaging apps, which use transport encryption or even end-to-end encryption (E2EE). It is exceedingly unlikely, for example, that the Italian police have cracked Signal’s encryption. For messaging services with transport encryption but without E2EE, the provider (such as Facebook, or Telegram for its default chats) does hold the plaintext messages and can be compelled to hand them over to the police. E2EE moves that trust to the endpoints: an attacker who controls the phone itself, through malware or physical access, reads the messages regardless.