Check Point analysts found that many Android devices (including Samsung, Huawei, LG, Sony, and possibly other manufacturers) are vulnerable to an interesting kind of attack: attackers can hack smartphones via a special SMS message.
The problem identified by the experts is related to OMA CP (Open Mobile Alliance Client Provisioning) instructions. Using this standard, mobile operators can send network settings to client devices in the form of special messages. Such messages may contain MMS server settings, proxy address, mail server, browser homepage and bookmark settings, servers for synchronizing contacts and calendar, and much more.
Check Point researchers found that four smartphone makers implemented this standard on their devices in an unsafe way. Samsung, Huawei, LG and Sony smartphones accept OMA CP messages even when they come from an untrusted source.
“It is easiest to attack Samsung devices because they receive any OMA CP messages without any authentication or verification. Huawei, LG and Sony smartphones are slightly better protected, since in their case the sender of the message should at least provide the IMSI of the device,” said Check Point experts.
Although theoretically IMSI codes are difficult to obtain, Check Point experts explain that nothing is impossible here. For example, mobile operators provide paid services that translate phone numbers into IMSI codes for third-party mobile service providers. That is, an attacker can get the IMSI from the provider for a small fee.
Worse, almost a third of all Android applications have access to the device's IMSI, because they requested and were granted the appropriate permissions. This means that hackers can use IMSI codes obtained through malicious applications or data leaks.
Although the attack described by Check Point is not automatic (the user must press a button and accept the installation of the attacker’s new settings), the researchers warn that attackers can easily fake the sender.
“In fact, the recipient has no real way to determine who sent the message. Unfortunately, this means that many users will agree to change the device settings to new ones, believing that they are received from a real mobile operator,” note Check Point researchers.
As a result, by changing the settings, the attacker can, for example, redirect all the traffic from the victim through his malicious server. To implement such an attack, no special equipment is needed: a GSM modem (a USB dongle for $10, or a phone working in modem mode) and a simple script will be enough to send the special SMS message.
Fortunately, three out of four manufacturers identified in the expert report are already working to fix this problem:
- Samsung has included a patch for this problem in the May update kit (SVE-2019-14073);
- LG released its fix in July (LVE-SMP-190006);
- Huawei plans to make the necessary UI corrections for the next generation of Mate and P series smartphones.
The only manufacturer who is not going to fix the problem is Sony. Researchers explain that Sony engineers “refused to acknowledge the vulnerability, saying their devices comply with the OMA CP specification.”
Recommendations:
Check Point analysts not only recommend that manufacturers release patches, but also advise users to install them. In their opinion, mobile operators should block OMA CP messages at the network level so that messages of this type cannot pass through their networks unless they were sent by the operator itself. According to the experts, OMA CP messages currently cannot be trusted at all, and it is better to reject them entirely.
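
The network-level blocking recommended above, as an added Python sketch (not code from Check Point, an operator or any vendor): it classifies a WAP Push payload by its WSP headers and lets OMA CP through only from the operator's own senders, recording whether the message carried any authentication. Assumptions: the gateway has already reassembled the SMS and stripped the user data header; the header codes (Push 0x06, content type 0x36, SEC 0x11, MAC 0x12) are taken from the WSP and OMA CP specifications; the function names, sender identifiers and sample bytes are constructed for illustration.

```python
OMA_CP_CODE = 0x36  # WSP well-known code for application/vnd.wap.connectivity-wbxml
SEC_METHODS = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}
SAMPLE_NO_AUTH = bytes.fromhex("010601B6") + b"<body>"  # constructed, placeholder body
SAMPLE_USERPIN = bytes.fromhex("01062F1F2DB6918192") + b"0" * 40 + b"\x00<body>"  # constructed, placeholder MAC

def uintvar(buf, i):
    value = 0                              # WSP uintvar: 7 bits per octet, high bit = continue
    while buf[i] & 0x80:
        value, i = (value << 7) | (buf[i] & 0x7F), i + 1
    return (value << 7) | buf[i], i + 1    # (value, index after it)

def media_is_cp(buf):
    """Return (is OMA CP, index after the media type) for a WSP media-type field."""
    if buf[0] & 0x80:                      # short-integer well-known code
        return (buf[0] & 0x7F) == OMA_CP_CODE, 1
    if buf[0] <= 30:                       # long-integer: length octet, then value
        return int.from_bytes(buf[1:1 + buf[0]], "big") == OMA_CP_CODE, 1 + buf[0]
    end = buf.index(0)                     # media type spelled out as NUL-terminated text
    return buf[:end].lower() == b"application/vnd.wap.connectivity-wbxml", end + 1

def classify_push(pdu):
    """Return None for a non-Push PDU, else the CP / SEC / MAC facts from its headers."""
    if len(pdu) < 4 or pdu[1] != 0x06:     # pdu[0] = transaction id, 0x06 = Push
        return None
    hlen, i = uintvar(pdu, 2)
    hdr = pdu[i:i + hlen]
    if hdr[0] > 31:                        # constrained form: media type, no parameters
        return {"is_cp": media_is_cp(hdr)[0], "sec": None, "has_mac": False}
    n, j = (hdr[0], 1) if hdr[0] < 31 else uintvar(hdr, 1)
    body = hdr[j:j + n]                    # general form: media type + parameters
    is_cp, k = media_is_cp(body)
    sec, has_mac = None, False
    while k < len(body) and body[k] in (0x91, 0x92):
        if body[k] == 0x91:                # SEC parameter (0x11), short-integer value
            sec, k = SEC_METHODS.get(body[k + 1] & 0x7F, "UNKNOWN"), k + 2
        else:                              # MAC parameter (0x12), NUL-terminated text
            has_mac, k = True, body.index(0, k) + 1
    return {"is_cp": is_cp, "sec": sec, "has_mac": has_mac}

def gateway_decision(pdu, originator, operator_senders):
    """Pass OMA CP only from the operator's own senders; fail closed on bad headers."""
    try:
        info = classify_push(pdu)
    except (IndexError, ValueError):
        return "block", "malformed WSP headers"
    if not info or not info["is_cp"]:
        return "pass", "not OMA CP"
    auth = info["sec"] if info["sec"] and info["has_mac"] else "no authentication"
    return ("pass" if originator in operator_senders else "block"), f"OMA CP, {auth}"
```

The media-type check covers the short code, the long-integer form and the spelled-out text form, so a provisioning message is still recognised when the content type is not encoded the usual way.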