Attackers can abuse a special type of SMS message, used by mobile operators to deliver internet settings to Android phones, to launch credible phishing attacks that result in users’ internet traffic being hijacked.
According to researchers from Check Point Software Technologies, some phone makers’ implementations of the Open Mobile Alliance Client Provisioning (OMA CP) standard allow anyone to send such provisioning messages to other mobile users with a $10 GSM modem and off-the-shelf software.
OMA CP messages allow mobile operators to deploy network-specific settings such as MMS message server, mail server, browser homepage and internet proxy address to new devices joining their networks.
When such a message is received, users are prompted to confirm that they accept the settings, but the researchers found there is no indication who the message is from on devices from Samsung, Huawei, LG and Sony.
This can enable some very credible phishing attacks since most users will just assume the message came from their operator and agree to install the settings.
The configuration can include an internet proxy controlled by the attackers, forcing the user’s internet traffic to be routed through that proxy. This would enable traffic snooping and other man-in-the-middle attacks.
The Android codebase does not include the functionality to handle OMA CP messages, so phone manufacturers have implemented this functionality on their own in the Android firmware for their devices.
Because of this, there can be differences in how these messages are handled, including the user interface, between devices from different manufacturers.
OMA CP supports optional authentication through IMSI (international mobile subscriber identity) numbers or PINs, but the Check Point researchers found that Samsung’s OMA CP implementation accepted completely unauthenticated messages. This meant that anyone could send a message to another subscriber and prompt them to install new network settings.
On the tested Huawei, LG and Sony devices, the OMA CP messages needed authentication, but this is not hard to bypass. IMSI numbers, which are used to identify subscribers inside mobile networks, are supposed to be private, but in practice they are not.
Services on the internet provide reverse IMSI lookups that can reveal a user’s IMSI based on their mobile phone number, the researchers said.
Many legitimate Android apps have permission to read a device’s IMSI, so creating a rogue app to collect such numbers would not raise suspicion.
Even if an attacker cannot obtain a target’s IMSI, they can still launch OMA CP attacks by using the PIN authentication option. However, this would require two messages instead of one.
The first message would be a regular SMS impersonating the operator and telling users they are about to receive network settings protected with a PIN chosen by the attackers. The second message would be an OMA CP message protected with the previously communicated PIN and which the user now has to input to install the settings.
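The two authentication options described above both boil down to a message authentication code keyed with something the receiving phone can check: the subscriber's IMSI (NETWPIN) or a PIN the user types in (USERPIN). The following is an added example, not code from Check Point or from any handset vendor, showing a receiver-side verifier for that model. It assumes the OMA CP scheme of an HMAC-SHA1 over the provisioning document carried hex-encoded in the MAC parameter, simplifies key derivation to using the digit string directly as the key (the real spec encodes the IMSI differently), and uses a constructed provisioning document, IMSI and PIN. The point it makes is the one the article makes: a valid MAC proves knowledge of the key, not that the operator sent the message, so a policy that accepts SEC=NONE, as the Samsung implementation did, accepts anything.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Security methods an OMA CP bootstrap message can declare in its SEC parameter.
SEC_NONE = "NONE"        # no MAC at all
SEC_NETWPIN = "NETWPIN"  # MAC keyed with the subscriber's IMSI
SEC_USERPIN = "USERPIN"  # MAC keyed with a PIN communicated out of band

# Constructed provisioning document (XML form, illustrative only; real messages
# are WBXML-encoded). It defines a logical proxy with one physical address.
SAMPLE_DOC = (
    b'<wap-provisioningdoc>'
    b'<characteristic type="PXLOGICAL"><parm name="PROXY-ID" value="proxy.example"/>'
    b'<characteristic type="PXPHYSICAL"><parm name="PXADDR" value="192.0.2.10"/>'
    b'</characteristic></characteristic></wap-provisioningdoc>'
)
SAMPLE_IMSI = "001010123456789"  # constructed; MCC 001 is a test network code
SAMPLE_PIN = "1234"              # constructed PIN for the USERPIN case


def compute_mac(document: bytes, key_digits: str) -> str:
    """HMAC-SHA1 over the document, hex-encoded as carried in the MAC parameter.
    Simplified key derivation: the digit string itself is the HMAC key."""
    return hmac.new(key_digits.encode("ascii"), document, hashlib.sha1).hexdigest().upper()


def verify_provisioning(document: bytes, sec: str, mac: Optional[str],
                        imsi: Optional[str] = None,
                        user_pin: Optional[str] = None) -> Tuple[bool, str]:
    """Receiver-side decision for one incoming OMA CP message.

    Returns (accept, reason). Unauthenticated messages are refused outright;
    an accepted message is annotated with what the MAC does and does not prove.
    """
    if sec == SEC_NONE:
        return False, "no MAC: anyone with a GSM modem could have sent this"
    if sec == SEC_NETWPIN:
        if imsi is None:
            return False, "NETWPIN declared but no IMSI available on the device"
        key = imsi
    elif sec == SEC_USERPIN:
        if not user_pin:
            return False, "USERPIN declared but the user entered no PIN"
        key = user_pin
    else:
        return False, f"unsupported security method {sec!r}"
    if mac is None or not hmac.compare_digest(compute_mac(document, key), mac.upper()):
        return False, "MAC mismatch: wrong key or tampered document"
    # A correct MAC only shows the sender knew the IMSI or the PIN. Neither
    # is an operator-only secret, so origin still has to be shown to the user.
    return True, f"MAC valid under {sec}; proves knowledge of the key, not operator origin"


def demo() -> list:
    """Run the three cases the article discusses and return the decisions."""
    cases = [
        ("unauthenticated", SEC_NONE, None, {}),
        ("IMSI-keyed, key known to sender", SEC_NETWPIN,
         compute_mac(SAMPLE_DOC, SAMPLE_IMSI), {"imsi": SAMPLE_IMSI}),
        ("IMSI-keyed, sender guessed wrong IMSI", SEC_NETWPIN,
         compute_mac(SAMPLE_DOC, "001010999999999"), {"imsi": SAMPLE_IMSI}),
        ("PIN-keyed, user typed the PIN from the first SMS", SEC_USERPIN,
         compute_mac(SAMPLE_DOC, SAMPLE_PIN), {"user_pin": SAMPLE_PIN}),
    ]
    results = []
    for label, sec, mac, kwargs in cases:
        accept, reason = verify_provisioning(SAMPLE_DOC, sec, mac, **kwargs)
        results.append((label, accept, reason))
    return results


if __name__ == "__main__":
    for label, accept, reason in demo():
        print(f"{'ACCEPT' if accept else 'REJECT'}  {label}: {reason}")
```

The second and fourth cases are accepted, which is exactly the problem: the verifier is working as specified, and the missing piece is the user interface telling the user where the message came from.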
Fixes released by most smartphone vendors
Samsung has addressed the vulnerability in its May security patches, tracking it as SVE-2019-14073. The advisory notes that “all devices with all OS versions” are affected.
According to Check Point, LG released a fix for the issue in July (LVE-SMP-190006). Huawei is planning to include user interface changes for OMA CP messages in the next generation of its Mate and P series smartphones. Sony declined to acknowledge the vulnerability, responding that its devices follow the OMA CP specification.
OMASpecWorks, the standards organization behind OMA CP, is also tracking the issue, according to Check Point. The organization did not immediately respond to a request for comment.
“This attack flow enables anyone who has a cheap USB modem to trick users into installing malicious settings onto their phones,” the researchers said in their report. “We verified our proof of concept on the Huawei P10, LG G6, Sony Xperia XZ Premium, and a range of Samsung Galaxy phones, including S9.”
Mitigations for the SMS vulnerability
While firmware patches are available for some Samsung and LG devices, many out-of-support devices will likely never receive these updates and will remain vulnerable. The researchers told CSO there is a possibility the issue could also affect devices from other manufacturers that haven’t been tested, as they only tested devices from the Android market leaders.
On the client side, users should not accept and install internet settings delivered by SMS, since they can’t verify that the message came from their operator. These settings can be configured manually in Android, and the correct values can be obtained from the operator.
On the mobile network side, operators can block the delivery of OMA CP messages that did not originate from their own equipment.
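Blocking at the network side means recognising OMA CP traffic and checking where it came from. The following is an added example of such a filter, not code from any operator or from Check Point. It relies on two facts about the transport: OMA CP messages are WAP push messages addressed to UDH destination port 2948, and their payload content type is application/vnd.wap.connectivity-wbxml. Everything else is constructed: the key=value log format, the originator names of the operator's provisioning gateways, and the sample records (the +1 555 numbers are fictional).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

WAP_PUSH_PORT = 2948  # UDH destination port used for WAP push over SMS
OMA_CP_CONTENT_TYPE = "application/vnd.wap.connectivity-wbxml"  # OMA CP payload type

# Constructed: originator identities of the operator's own provisioning gateways.
# Only these are allowed to deliver OMA CP messages to subscribers.
PROVISIONING_GATEWAYS = {"provgw-01", "provgw-02"}


@dataclass
class SmsRecord:
    originator: str
    destination: str
    udh_port: Optional[int]       # UDH destination port, None for plain text SMS
    content_type: Optional[str]   # WSP content type for WAP push, else None


def parse_record(line: str) -> SmsRecord:
    """Parse one key=value log line (constructed format, not a real SMSC log).
    A '-' value means the field is absent."""
    fields = dict(part.split("=", 1) for part in line.split())
    port = fields.get("udh_port")
    ctype = fields.get("ctype")
    return SmsRecord(
        originator=fields["orig"],
        destination=fields["dest"],
        udh_port=int(port) if port not in (None, "-") else None,
        content_type=ctype if ctype not in (None, "-") else None,
    )


def is_oma_cp(rec: SmsRecord) -> bool:
    """True when the record is a WAP push carrying an OMA CP document."""
    return rec.udh_port == WAP_PUSH_PORT and rec.content_type == OMA_CP_CONTENT_TYPE


def decide(rec: SmsRecord) -> Tuple[str, str]:
    """Return ('deliver' | 'drop', reason) for one submission."""
    if not is_oma_cp(rec):
        return "deliver", "not an OMA CP message"
    if rec.originator in PROVISIONING_GATEWAYS:
        return "deliver", "OMA CP from the operator's own provisioning gateway"
    return "drop", f"OMA CP from untrusted originator {rec.originator}"


# Constructed sample submissions: a legitimate push, a push from a subscriber
# number, a plain text SMS, and a WAP push of a different type.
SAMPLE_LOG = [
    "orig=provgw-01 dest=+15555550123 udh_port=2948 ctype=application/vnd.wap.connectivity-wbxml",
    "orig=+15555550100 dest=+15555550123 udh_port=2948 ctype=application/vnd.wap.connectivity-wbxml",
    "orig=+15555550100 dest=+15555550123 udh_port=- ctype=-",
    "orig=+15555550100 dest=+15555550123 udh_port=2948 ctype=application/vnd.wap.sic",
]


def filter_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the policy to every line and return the decisions in order."""
    return [decide(parse_record(line)) for line in lines]


if __name__ == "__main__":
    for line, (action, why) in zip(SAMPLE_LOG, filter_log(SAMPLE_LOG)):
        print(f"{action:7} {why}  <- {line}")
```

Only the second record is dropped: it is an OMA CP push whose originator is an ordinary subscriber number rather than a provisioning gateway, which is precisely the case the $10 modem produces. Ordinary SMS and other WAP push types pass untouched, so the filter can be deployed without affecting normal traffic.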
Similarity to other attacks
There are some similarities between this attack and those involving other provisioning protocols for consumer equipment. For example, many routers and modems provided by ISPs to their customers support a protocol called TR-069 or CPE WAN Management Protocol (CWMP).
This functionality is usually hidden to the end-user and is used by the ISPs to push new configurations to subscriber devices or even to update their firmware. Various flaws have been found in TR-069 implementations over the years that could have allowed attackers to take over routers.
In terms of the attack’s impact, there is a similarity to the Web Proxy Auto-Discovery (WPAD) spoofing attacks. WPAD is a protocol developed by Microsoft in the late ‘90s that allows computers to automatically discover which proxy server they should use to access the Web.
Computers on the local network try to discover the location of proxy auto-config (PAC) files automatically using several methods including Dynamic Host Configuration Protocol (DHCP), local Domain Name System (DNS) lookups and Link-Local Multicast Name Resolution (LLMNR).
Attackers in a man-in-the-middle position can serve rogue responses to these queries and force computers to load a PAC file that defines an attacker-controlled proxy server. This in turn enables a variety of attacks.