Recently, we “pleased” iPhone users with BLEee security problems , but we are hardly supporters of any of the fronts in the eternal dispute Apple vs. Android, and are ready to tell "great" news about Android, if, of course, there is room for gloating in your soul.
Researchers at Check Point Software Technologies have discovered a vulnerability , presumably in more than 50% of Android-based devices, in the implementation of an auto-tuning mechanism for connecting to a mobile operator via OMA CP ( Open Mobile Alliance Client Provisioning) protocol, which allows an attacker to substitute at least the following parameters devices, carrying out a Man-in-the-middle attack using phishing :
OMA CP is an OMA Device Management specification data transfer protocol developed in accordance with the Open Mobile Alliance mobile standard, using an XML-like SyncML ( Synchronization Markup Language ). OMA CP uses the WAP wireless protocol. The current version of OMA CP is 1.1 from 2009. At the same time, the exchange does not require that the smartphone has a SIM card or an Internet connection has been configured.
Attack vectors use the over-the-air (OTA) provisioning process of providing data to a mobile client, with which mobile operators set the necessary settings for devices connecting to the cellular network.
The standard provides a number of measures for the authentication of CP messages from the mobile services operator, but not all vendors implement them. At the same time, the measures themselves are not reliable.
Within Android, this protocol is implemented by omacp.apk .
According to the study, the underlying Android OS does not use OMA CP protection mechanisms, while most vendors resolve this issue on their own using OTA authentication. Therefore, if you like to reflash your device with stock Android, then now there is a reason to think.
To send malicious OMA CP messages to the attacker, it is enough to have a GSM modem and be within the reach of the victim / victims. At the same time, both targeted attacks and broadcasting of requests for changing settings are possible.
With rare exceptions (discussed below about Samsung), messages from the operator are authenticated by providing the device with its own IMSI (Mobile Subscriber Identity, a unique 64-bit device identifier similar to the IP address in “these your Internet”).
How difficult it is to get IMSI is a separate issue, but there are at least the following methods:
Upon receipt of the CP message, the user is not provided with any information about the sender, and the decision on legitimacy is decided solely by the victim.
Even if the attacker does not have ISMI, then the following attack vector can be implemented:
If most vulnerable smartphones use weak OMA SMS authentication mechanisms, then in some Samsung devices this protection was not implemented in principle at the time of the study (March 2019). An attacker could simply send a message requesting to configure the smartphone and provided that the user agrees with the installation, the parameters specified in the CP message would be applied. Currently, Samsung has released a security update to fix SVE-2019-14073. So, if you are not a fan of updates from a vendor or a fan of custom Android firmware, then it is better to take care of this problem.
Interestingly, Samsung is not the first case of this attitude to OMA CP security:
In Samsung Galaxy S4-S7, omacp ignores security restrictions, which leads to the use of unsolicited WAP Push SMS messages, which results in an unauthorized change in settings within the set of vulnerabilities SVE-2016-6542.
Fortunately for the malevolent (no, it's not you) Apple-user, these devices use the Apple iOS profiles mechanism using certificates. Why is a similar protection system not used on Android devices? The question is more than interesting.