Most Android devices vulnerable to phishing attacks via SMS

Recently, we “pleased” iPhone users with BLEee security problems , but we are hardly supporters of any of the fronts in the eternal dispute Apple vs. Android, and are ready to tell "great" news about Android, if, of course, there is room for gloating in your soul.

Researchers at Check Point Software Technologies have discovered a vulnerability , presumably in more than 50% of Android-based devices, in the implementation of an auto-tuning mechanism for connecting to a mobile operator via OMA CP ( Open Mobile Alliance Client Provisioning) protocol, which allows an attacker to substitute at least the following parameters devices, carrying out a Man-in-the-middle attack using phishing :

• MMS message server;
• proxy server address;
• browser homepage and bookmarks;
• mail server address;
• contact and calendar synchronization servers.

OMA CP implementation

OMA CP is an OMA Device Management specification data transfer protocol developed in accordance with the Open Mobile Alliance mobile standard, using an XML-like SyncML ( Synchronization Markup Language ). OMA CP uses the WAP wireless protocol. The current version of OMA CP is 1.1 from 2009. At the same time, the exchange does not require that the smartphone has a SIM card or an Internet connection has been configured.

Attack vectors use the over-the-air (OTA) provisioning process of providing data to a mobile client, with which mobile operators set the necessary settings for devices connecting to the cellular network.

The standard provides a number of measures for the authentication of CP messages from the mobile services operator, but not all vendors implement them. At the same time, the measures themselves are not reliable.

Within Android, this protocol is implemented by omacp.apk .

According to the study, the underlying Android OS does not use OMA CP protection mechanisms, while most vendors resolve this issue on their own using OTA authentication. Therefore, if you like to reflash your device with stock Android, then now there is a reason to think.

Conditions and implementation of the attack

To send malicious OMA CP messages to the attacker, it is enough to have a GSM modem and be within the reach of the victim / victims. At the same time, both targeted attacks and broadcasting of requests for changing settings are possible.

NETWPIN authentication

With rare exceptions (discussed below about Samsung), messages from the operator are authenticated by providing the device with its own IMSI (Mobile Subscriber Identity, a unique 64-bit device identifier similar to the IP address in “these your Internet”).

How difficult it is to get IMSI is a separate issue, but there are at least the following methods:

• a malicious application on the device (in this case, permission in the manifest permission.READ_PHONE_STATE is enough);
• View victim’s SIM card;
• the use of ISMI-catcher, imitating mobile towers, which will require certain investments, but it is quite possible.

Upon receipt of the CP message, the user is not provided with any information about the sender, and the decision on legitimacy is decided solely by the victim.

USERPIN authentication

Even if the attacker does not have ISMI, then the following attack vector can be implemented:

• sending a message on behalf of the operator with a request to apply the settings;
• automatic request from the user of the PIN code by the system;
• sending a CP message with settings protected by a PIN code specified by the user.

Particularly distinguished

If most vulnerable smartphones use weak OMA SMS authentication mechanisms, then in some Samsung devices this protection was not implemented in principle at the time of the study (March 2019). An attacker could simply send a message requesting to configure the smartphone and provided that the user agrees with the installation, the parameters specified in the CP message would be applied. Currently, Samsung has released a security update to fix SVE-2019-14073. So, if you are not a fan of updates from a vendor or a fan of custom Android firmware, then it is better to take care of this problem.

Interestingly, Samsung is not the first case of this attitude to OMA CP security:

In Samsung Galaxy S4-S7, omacp ignores security restrictions, which leads to the use of unsolicited WAP Push SMS messages, which results in an unauthorized change in settings within the set of vulnerabilities SVE-2016-6542.

Counteraction

• The most brutal way: disabling the omacp application . But then the “curtain” of your Android may lose some of the notifications, which may be critical for you.
• If you do not use Samsung and stock Android (or suddenly a device of an unknown one-day Chinese brand), then in principle it will be enough to use your head wisely , because attack vectors imply your direct participation.
• Since this is essentially a MitM attack, most of the issues “pointwise” (at the critical application level) are solved using certificate pinning , although in practice many business applications neglect this method.

How's Apple doing? and philosophical question

Fortunately for the malevolent (no, it's not you) Apple-user, these devices use the Apple iOS profiles mechanism using certificates. Why is a similar protection system not used on Android devices? The question is more than interesting.