{"id":28870,"date":"2019-09-04T13:00:05","date_gmt":"2019-09-04T13:00:05","guid":{"rendered":"http:\/\/b06bd7b6-7f87-4a53-a1f5-d88074c83081"},"modified":"2019-09-04T13:00:05","modified_gmt":"2019-09-04T13:00:05","slug":"samsung-huawei-lg-and-sony-phones-vulnerable-to-rogue-provisioning-messages","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/samsung-huawei-lg-and-sony-phones-vulnerable-to-rogue-provisioning-messages\/","title":{"rendered":"Samsung, Huawei, LG, and Sony phones vulnerable to rogue ‘provisioning’ messages"},"content":{"rendered":"

\"smartphone<\/span><\/p>\n

Hackers can fake a special kind of SMS message that usually comes from mobile operators and trick users into modifying device settings, and, as a result, re-route their email or web traffic through a malicious server.<\/p>\n

This attack vector, discovered and detailed in a report published today by cyber-security firm Check Point, is about OMA CP instructions, also known as provisioning messages.<\/p>\n

OMA CP<\/a> stands for Open Mobile Alliance Client Provisioning. It refers to a standard through which mobile operators can send network settings to customer devices as special SMS messages.<\/p>\n

The process of sending an OMA CP message is called “provisioning,” and takes place every time a new device is connected to a mobile operator’s network, or when the mobile telco makes changes to its internal systems.<\/p>\n

But the OMA CP standard is also used by others. For example, large enterprises which manage their own phone fleets use OMA CP messages to deploy company-wide email or web proxy settings to all devices, so employees can access internal email accounts or intranet portals.<\/p>\n

The OMA CP attack<\/h3>\n

But in research published today, Check Point researchers said they found that four smartphone makers have not implemented this standard in a secure manner on their devices.<\/p>\n

Researchers said they were able to send OMA CP messages to devices from Samsung, Huawei, LG, and Sony, which accepted these messages, even if it didn’t come from a trusted source.<\/p>\n

\n<\/section>\n

Of the four phone brands, the easiest devices to attack were Samsung smartphones. Check Point said this was because Samsung phones accepted any kind of OMA CP message, with no authentication or verification mechanism in place.<\/p>\n

\"OMA<\/span>

\"OMA<\/span><\/p>\n

<\/noscript> Image: Check Point<\/span><\/p>\n

Devices from Huawei, LG, and Sony were a little bit more secure, as they required the sender of an OMA CP message to provide the phone’s IMSI code before accepting the message.<\/p>\n

IMSI codes are 64-bit strings specific to each device, and in telephony networks, it can be the equivalent of an IP address, and is how mobile providers tell each user apart and how they re-route calls and SMS\/MMS messages to each user.<\/p>\n

These codes should, in theory, be hard to obtain, but Check Point said they are quite prevalent. First of all, mobile operators provide paid services through which they translate phone numbers into IMSI code for other third-party mobile service providers. This means an attacker seeking to attack a victim could obtain an IMSI from the telco provider itself for a small fee.<\/p>\n

Furthermore, almost a third of all Android apps today have access to a device’s IMSI code based on permissions they require on install. Hackers can use IMSI codes acquired via malicious apps or data leaks at legitimate apps to target specific users with fake OMA CP messages.<\/p>\n

Some vendors ship patches<\/h3>\n

The good news is that three of the vendors have patched or are in the process of patching this attack vector, after first being notified of the issue in March this year.<\/p>\n