Hackers can fake a special kind of SMS message that usually comes from mobile operators and trick users into modifying device settings, and, as a result, re-route their email or web traffic through a malicious server.
This attack vector, discovered and detailed in a report published today by cyber-security firm Check Point, is about OMA CP instructions, also known as provisioning messages.
OMA CP stands for Open Mobile Alliance Client Provisioning. It refers to a standard through which mobile operators can send network settings to customer devices as special SMS messages.
The process of sending an OMA CP message is called “provisioning,” and takes place every time a new device is connected to a mobile operator’s network, or when the mobile telco makes changes to its internal systems.
But the OMA CP standard is also used by others. For example, large enterprises which manage their own phone fleets use OMA CP messages to deploy company-wide email or web proxy settings to all devices, so employees can access internal email accounts or intranet portals.
The OMA CP attack
But in research published today, Check Point researchers said they found that four smartphone makers have not implemented this standard in a secure manner on their devices.
Researchers said they were able to send OMA CP messages to devices from Samsung, Huawei, LG, and Sony, which accepted these messages, even if it didn’t come from a trusted source.
Of the four phone brands, the easiest devices to attack were Samsung smartphones. Check Point said this was because Samsung phones accepted any kind of OMA CP message, with no authentication or verification mechanism in place.
Devices from Huawei, LG, and Sony were a little bit more secure, as they required the sender of an OMA CP message to provide the phone’s IMSI code before accepting the message.
IMSI codes are 64-bit strings specific to each device, and in telephony networks, it can be the equivalent of an IP address, and is how mobile providers tell each user apart and how they re-route calls and SMS/MMS messages to each user.
These codes should, in theory, be hard to obtain, but Check Point said they are quite prevalent. First of all, mobile operators provide paid services through which they translate phone numbers into IMSI code for other third-party mobile service providers. This means an attacker seeking to attack a victim could obtain an IMSI from the telco provider itself for a small fee.
Furthermore, almost a third of all Android apps today have access to a device’s IMSI code based on permissions they require on install. Hackers can use IMSI codes acquired via malicious apps or data leaks at legitimate apps to target specific users with fake OMA CP messages.
Some vendors ship patches
The good news is that three of the vendors have patched or are in the process of patching this attack vector, after first being notified of the issue in March this year.
- Samsung included a fix addressing this phishing flow in their Security Maintenance Release for May (SVE-2019-14073)
- LG released their fix in July (LVE-SMP-190006)
- Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones.
Sony is the only vendor which did not ship a fix. Check Point claims the vendor “refused to acknowledge the vulnerability, stating that their devices follow the OMA CP specification.”
Sony Mobile did not return an email sent by ZDNet yesterday seeking additional comments from company regarding the Check Point report.
An attack that’s almost impossible to spot
The attack described by Check Point isn’t automatic, as users have to press a button and accept to install the attacker’s new device settings.
However, Check Point also points out that attackers can fake the sender’s identity and that recipients have no way realistic means to determine who sent these messages. This means there is a real risk that many users would accept new device settings, thinking they came from a real mobile operator.
All in all, this is an attack vector that very few users –if any — will be able to safeguard themselves against, and this is why patches from smartphone vendors are important.
In addition, Check Point also recommends that mobile operators block OMA CP messages at the network level, so these type of messages won’t be able to traverse their networks unless if they’ve been sent by the operator itself.
For the moment, the simplest action users can take to protect against rogue OMA CP provisioning messages is to decline all by default. If mobile network features stop working, such as MMS services or mobile data, users can then contact their telcos’ support centers and ask operators to re-send the provisioning messages again, knowing they are legitimate.
“Simply, we can’t trust those texts anymore,” Slava Makkaveev, Security Researcher at Check Point, told ZDNet.