Some Android phones susceptible to settings attack, says security vendor

Security experts have warned for some time that SMS messages are used by attackers to carry links to malware. A report issued today by Check Point Software warns many Android phones have a vulnerability that could allow an attacker to fake a message from their wireless carrier that ends up changing their settings and hijacking their email.

The attack vector exploits a process called over-the-air (OTA) provisioning, which is normally used by cellular network operators to deploy network-specific settings to a new phone joining their network. However, Check Point found anyone can send OTA provisioning messages that can trick users into accepting new phone settings because the messages have limited authentication. As a result a victim approving a change of settings could suffer a number of consequences, including the routing of a victim’s email traffic through an attacker-controlled proxy.

Check Point said it has successfully tried this phishing attack method against smart phones from Samsung, LG, Huawei and Sony. Those manufacturers were notified in March. Samsung included a fix addressing the issue in their Security Maintenance Release for May (SVE-2019-14073). LG released its fix in July (LVE-SMP-190006). Huawei is planning to include fixes in the next generation of its Mate series or P series smartphones. Check Point said Sony refused to acknowledge the vulnerability, stating that its devices follow the Open Mobile Alliance Client Provisioning (OMA CP) specification.

The OMA is tracking this issue as OPEN7587.

To target some of the susceptible phones, the attacker needs to know the device’s International Mobile Subscriber Identity (IMSI) number, Check Point admitted, but added this may not be difficult. One way to get the IMSI number is by infecting a phone with an Android application having the READ_PHONE_STATE permission enabled.

Another way, Check Point suggested, is sending a victim two messages. The first is a text message that purports to be from the victim’s network operator, asking him to accept a PIN-protected OMA CP, and specifying the PIN as an arbitrary four-digit number. Next, the attacker sends the victim an OMA CP message authenticated with the same PIN. The change in client provisioning can be installed regardless of the IMSI, provided that the victim accepts the CP and enters the correct PIN.

Check Point is warning Android device users to be cautious about accepting SMS messages that appear to come from their carrier, particularly if they ask for permission to change settings. It also hopes to persuade the Open Mobile Alliance to publish guidelines to device manufacturers about improving client provisioning security.

SMS-based attacks aren’t new. They’re useful for attackers because, like email, many users trust the messages they receive. As far back as 2011 attackers were forcing mobile phones to send premium-rate SMS messages or prevent them from receiving messages for long periods of time by leveraging a logic flaw in mobile telecommunication standards.

Applications that use SMS for carrying codes for two-factor authentication, instead of using more secure methods like Google Authenticator, are also vulnerable because SMS messages can be intercepted. Just over a year ago some Reddit staffers were victimized through an SMS-reset scam.

 

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now