
Rogers "Extreme Text Messaging": Useful Features, Silly Name, and Glaring Security/Privacy Risks

There's a set of options that Rogers Wireless bundles under the heading "Extreme Text Messaging" - while it's not heavily publicized (apparently it's been around since 2010), it does include some very useful options. It also illustrates one of the more annoyingly-lazy product/service-naming trends (at least they didn't call it "Xtreme"), and opens Rogers customers up to some fairly serious security/privacy risks - but more on that aspect later.

The official instructions from Rogers focus on accessing the "Extreme Text Messaging" settings using the Rogers account management app for Android or iOS - but there's also a web-based option that can be accessed from any device with a browser, which is the method I'll focus on. The instructions say that you need to send a text message with specific content to a particular number, and then you'll get a reply back with the URL of the "Extreme Text Messaging" settings page - but it appears they always send the same URL, so you can go there directly instead: http://rogers.com/m/extremetext. The only requirement is that you access that page from the device you're trying to configure, and that you access the page via Rogers' cellular network - so Wi-Fi will likely need to be disabled on your phone first.

Most of the available options on that page are self-explanatory. You can set up an auto-reply for incoming text messages, use the "Blocker" feature to block text messages from specific numbers, or set up Distribution Lists so that you can easily send messages to multiple people. That leaves the "Forwarding" and "Copy" features, which do much the same thing - but with some important differences. The "Forward" option allows you to specify another number to forward incoming text messages to - and after enabling it, the messages stop being received at your regular number. The "Copy" setting, on the other hand, lets you do the same thing - but you still receive copies of the messages on your regular number, and you can "copy" the messages to an email address as well (the "Forward" option only lets you specify another phone number as the destination).

One main caveat before moving on to the security and privacy issues: in typical Rogers fashion, information on additional costs/pricing isn't mentioned in any of the documentation that I could find. But I've never known Rogers to pass up an opportunity to nickel-and-dime their customers, so it's probably best to assume that there are additional charges - for example, if you have the "Copy" option enabled, Rogers will likely charge you twice for every incoming text message (once for the receipt of the message, and again for forwarding it to the destination number).

 

Privacy/Security Implications

From reading the instructions above, you may have noticed one detail conspicuously absent: any mention of needing a username or password to access the "Extreme Text Messaging" settings page. That's because there is no login required: you do need to have physical access to the phone and access to Rogers' cellular data network - but beyond that, Rogers doesn't appear to use any access restrictions to secure those settings (not even an option to protect those settings with a password). In other words, it would be trivial for anyone with even brief access to your phone to change any of the settings mentioned above, without your knowledge; Rogers doesn't so much as send a confirmation SMS or email to inform customers that their settings have been changed. Strictly speaking, even physical access to the phone is not a requirement: software running on the phone (viruses/malware) would also have access to change any of the "Extreme Text Messaging" settings, without any indication*.

This neglect of basic security principles opens Rogers' customers up to several potential abuses, while making stalking and online harassment significantly easier. Want to surreptitiously spy on someone's text messages? Just enable the "Copy" feature. Want to block someone's ability to receive text messages? Just enable the "Forward" feature. Want to try to get someone's friends and family upset at them? Just enable an abusive/profane auto-reply message. In fact, the only feature that doesn't have obvious potential for malicious use is the "Distribution Lists/Group Messaging" option, but I have no doubt that someone could figure out ways to abuse that feature too, given enough time & motivation.

So what can individual Rogers Wireless customers do to prevent those types of problems? Not much, until Rogers gets around to securing those settings - and even then, I wouldn't hold my breath waiting for them to roll out modern security features like two-factor/out-of-band authentication. For now, the best protection is to keep an eye on those settings: if you're using Rogers Wireless, check the "Extreme Text Messaging" settings every now and then to make sure that no one has changed them.
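To make the missing controls concrete, here is an added sketch (not Rogers' code, and not from the original post) of a settings handler that trusts only the network-derived subscriber identity, next to one that asks for an account PIN on the abusable settings and sends a notice on every change. The class, setting names, PIN scheme, lockout threshold and phone numbers are all hypothetical.

```python
import hashlib
import hmac
import os

# Settings the post shows can be abused; names are hypothetical.
SENSITIVE = {"forward_to", "copy_to", "auto_reply"}
MAX_FAILURES = 3  # assumed lockout threshold


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SettingsService:
    def __init__(self, notify):
        self.notify = notify  # callable(subscriber, text): SMS and/or email notice
        self.accounts = {}

    def enroll(self, subscriber: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[subscriber] = {"salt": salt, "pin": hash_pin(pin, salt),
                                     "failures": 0, "settings": {}}

    def change_weak(self, subscriber: str, key: str, value: str) -> bool:
        # Behaviour the post describes: the network-derived identity is the
        # only check, and nobody is told about the change.
        self.accounts[subscriber]["settings"][key] = value
        return True

    def change_hardened(self, subscriber, key, value, pin=None) -> bool:
        acct = self.accounts[subscriber]
        if key in SENSITIVE:
            if acct["failures"] >= MAX_FAILURES:
                return False  # locked until reset through another channel
            supplied = hash_pin(pin or "", acct["salt"])
            if not hmac.compare_digest(supplied, acct["pin"]):
                acct["failures"] += 1
                self.notify(subscriber, f"Rejected attempt to change {key}")
                return False
            acct["failures"] = 0
        # Send the notice before applying, so an SMS notice is not itself
        # redirected by a forwarding rule that is just being enabled.
        self.notify(subscriber, f"{key} set to {value!r}")
        acct["settings"][key] = value
        return True


if __name__ == "__main__":
    sent = []
    svc = SettingsService(lambda who, text: sent.append((who, text)))
    svc.enroll("+15555550100", "4821")  # constructed number and PIN
    print(svc.change_hardened("+15555550100", "copy_to", "+15555550199"), sent)
```

A PIN is used here rather than a one-time code texted to the handset because the scenarios in this post (brief physical access, or software on the phone) would also expose that text message.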

 

*There is already malicious software for desktop PCs that works in a similar fashion, exploiting security flaws to modify the configuration of wireless routers. Doing something similar with a mobile application would be relatively simple, and malicious "copycat" applications are already prevalent on mobile software marketplaces.





