My COVID Test & Why SMS Results are Bad

Getting COVID Tested

A few weeks ago I came down with a cold. As some of the symptoms invariably overlapped with COVID, I decided to get tested.

Only drive-through clinics display a ‘no GP-referral required’ tag – my nearest clinic didn’t, so I made a quick call to the hospital to confirm. Speaking to a human being wasn’t necessary – a pre-recorded message confirmed that a referral wasn’t needed.

Image Source: NSW Health

When I arrived at the clinic, I was instructed to take off my mask and instead wear one included in the paper bags allotted to each visitor to the clinic. Each bag contained five masks and a pamphlet. I donned the mask and proceeded to the registration room.

“Thanks for coming in and doing the right thing,” assured the man behind the counter. The registration process was speedy, but a little uncomfortable (as always, whenever I need to recite my personal information aloud).

The clinic staff were professional and highly efficient. After confirming my details, I was directed to follow the instructions included on the pamphlet to register for results via SMS before the end of the day. Before I thought to ask if there were other ways to receive results, I was called into the next room for my COVID test.


Registering for SMS results

The pamphlet included in the bag only included instructions for registering for results via SMS. As I’d been instructed to register for results on the same day, it was the first thing I did as soon as I got home.

Image Source: NSW Health COVID-19 Test Pamphlet

No other alternatives for receiving results were mentioned – not on the pamphlet, not when I was instructed by the person confirming my personal details. It was only after registering (too late) that I realised that I should have checked whether other ways of getting results were available.

A quick Google search revealed that it was possible to register for results via email or push notification on the Service NSW phone app (both methods requiring a Service NSW account).

Too late – I’d already registered via SMS. The only consolation was that the only complete piece of personal information provided during registration was my DOB – other than that, only my surname, area code and sex were disclosed.

I received my results within 24hrs – testing negative (thankfully).

Why Doing Anything via SMS is a Bad Idea

Image Credit: @markuswinkler (unsplash)

SMS messaging is unencrypted, and uses cellular networks to transmit and receive messages. This method of messaging is prone to interception or redirection.

Bad actors can hack phones using SMS messages by way of SS7 attacks. SMS spoofing is not only easy but freely accessible (see: spoofing apps), and fake cell phone towers can be set up with minimal effort (for about $20-30).

Messaging apps, on the other hand, use encryption in addition to following internet protocols (the most secure of them being E2EE) to ensure that even if intercepted, messages cannot be read without the corresponding key.

(Related note: If you’re an Android user, be sure to check out the Silence messaging app as covered in my 5 Messaging Alternatives to WhatsApp article. It’s a free encrypted SMS messaging app developed by Signal.)

While SMS has been around for a long time (since 1992), security-wise there haven’t been many improvements made in almost 30 years – with the exception of RCS. RCS (Rich Communication Services) is a new SMS messaging protocol that was approved back in 2008 and “fully adopted” in 2016.

That being said, Vodafone reported launching RCS in an early 2018 press release but as recently as last year confirmed it still hadn’t rolled out to Australian customers. Of the Australian telecom providers, Telstra was the earliest adopter (in 2017), but even then there have been multiple reports of issues with RCS being enabled on select devices/OS builds.

Despite being reportedly insecure for years now, SMS verification is still widely used by many companies for 2FA (2-factor authentication). However, if SMS is the only available option, it’s still better than nothing.

Published by Tech Neck Nick

I'm a cybersecurity major postgrad student from Sydney, Australia. Support my fight against Writer's Block.
