New Vulnerabilities from Updating Old Systems

Speaker

Alex Liu
University of California, San Diego

Host

Henry Corrigan-Gibbs
CSAIL MIT

Abstract:
Email and text messages (SMS and MMS) are among the oldest and most widely used digital communication systems in the world. Over time, providers have continuously updated these systems to support new features such as email forwarding and rich communication services. Yet, while the feature set has steadily evolved, the underlying security protocols and threat models have largely remained unchanged and have not been revisited. In this talk, I demonstrate with two examples that this discrepancy can result in subtle but powerful vulnerabilities.

The first example studies vulnerabilities introduced by email forwarding, where an email is routed through a forwarding service before reaching its final recipient. We identify a range of security vulnerabilities in this process. We further demonstrate how attackers can exploit them to deliver spoofed emails to major providers (e.g., Gmail and Outlook) and spoof emails as tens of thousands of popular domains.

The second example examines email-to-text gateways—services operated by mobile carriers that translate an email into a text message. We show that vulnerabilities in these gateways—combined with vulnerabilities in how phones parse messages—allow an attacker to deliver a text message with a spoofed sender identity of their choosing (e.g., arbitrary email address, phone number, or short code). The attacks we uncover work across a variety of phones (both Android and iPhone) and carriers (e.g., AT&T, Verizon, T-Mobile, and Google Fi). I end by discussing ongoing and future work on designing effective defense mechanisms.

Zoom info:

   Meeting ID: 945 5603 5878

   Password: 865039