Hidden texting flaws let attackers impersonate contacts on iPhones and Androids

Researchers were able to impersonate people in a phone's address book (right) and insert spoofed texts into existing text threads. Credit: University of California San Diego.

A major security flaw that allowed attackers to impersonate other people in text message conversations has finally been fixed across the United States, thanks to the work of computer scientists at the University of California San Diego.

The vulnerability affected both Android and iPhone users and involved nearly all major wireless carriers, including Verizon, T-Mobile, Google Fi, and several smaller providers.

After discovering the problem, researchers worked closely with mobile carriers and smartphone companies to develop solutions and close the security gap.

Their findings were presented at the 47th IEEE Symposium on Security and Privacy in San Francisco.

The vulnerability was linked to a feature that many people may not even know exists: the ability to send text messages through email.

Wireless carriers introduced email-to-text services in the early 2000s to make text messaging more popular and accessible. The system allows an email to be converted into a text message and delivered directly to a mobile phone.

However, email and text messaging were never designed to work together seamlessly. Because the two systems use different formats, carriers must translate information from an email into a text message. During this process, important details about the sender can become unclear.

Researchers found that attackers could exploit these weaknesses to disguise their identity and make messages appear to come from someone else.

The problem became even more serious when the messages reached smartphones. Both Android and iPhone messaging apps often compare sender information with contacts stored on the device. By carefully manipulating email addresses and adding special characters, attackers could trick the phone into displaying a trusted contact’s name instead of the real sender.

In some cases, researchers were even able to insert fake messages directly into existing text conversations with known contacts. This made fraudulent messages appear much more convincing because they seemed to come from someone the recipient already knew.

Fortunately, the attackers could not see any replies sent to these fake messages. Nevertheless, the ability to impersonate trusted contacts posed a significant security risk.

According to the researchers, the root of the problem is that there are no universal standards governing how emails are converted into text messages. This lack of consistency creates opportunities for mistakes and abuse.

Following the study, major carriers including Verizon, T-Mobile, and Google updated their systems to better handle sender information and prevent identity spoofing. Smartphone makers also addressed vulnerabilities in Google Messages and Apple’s Messages app.
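As an added illustration (not the carriers' or the researchers' code), here is one way an email-to-text gateway could handle sender information strictly: it never forwards the email display name and refuses any From value that contains invisible or non-ASCII characters or more than one address. The function names, the allowlist rules and the sample headers are assumptions constructed for this example.

```python
import re
import unicodedata

# Conservative allowlist for the address itself. Assumption: the gateway is
# willing to refuse rare but RFC-legal forms (quoted local parts, IDN domains).
_ADDR = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Exactly one mailbox: either "Display Name <addr>" or a bare addr.
_FROM = re.compile(r"(?:[^<>]*<(?P<angle>[^<>\s]+)>|(?P<bare>[^<>\s]+))")

# Control, format (zero-width, bidi), private-use, unassigned, line/paragraph
# separators: characters a reader cannot see but a parser may act on.
_HIDDEN = {"Cc", "Cf", "Co", "Cn", "Zl", "Zp"}


def has_hidden_chars(value):
    return any(unicodedata.category(ch) in _HIDDEN for ch in value)


def sms_originator(from_header):
    """Return the bare address to show as the SMS sender, or None to reject."""
    value = from_header.strip()
    if has_hidden_chars(value):
        return None
    match = _FROM.fullmatch(value)
    if match is None:  # several mailboxes, stray brackets, trailing data
        return None
    addr = match.group("angle") or match.group("bare")
    if _ADDR.fullmatch(addr) is None:  # non-ASCII look-alikes, odd symbols
        return None
    return addr.lower()  # the display name is deliberately discarded


# Constructed sample headers, not taken from the study.
SAMPLES = [
    "Alice Example <alice@example.com>",
    "Mom <stranger@example.net>",
    "Mom <a@example.com>, <b@example.net>",
    "alice\u200b@example.com",
    "\u0430lice@example.com",
    "alice@example.com\r\nFrom: mom@example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", sms_originator(sample))
```

With this policy the recipient's phone only ever receives one plain ASCII address as the sender, so a contact name chosen by the sender never reaches the contact-matching step.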

Verizon has gone a step further and plans to completely phase out its email-to-text service by March 2027, eliminating one of the key pathways that enabled the attacks.

The researchers say the findings highlight a broader issue that many users do not realize: text messages are often assumed to be trustworthy, but the systems that deliver them do not always guarantee authenticity.

While the vulnerability has now been addressed, the study serves as a reminder that even long-established technologies can contain hidden weaknesses. By uncovering and fixing this flaw, researchers have helped make text messaging more secure for millions of smartphone users across the country.