[ad_1]
Android smartphones from several manufacturers, including Samsung, Huawei, LG and Sony, are susceptible to advanced type attacks that can alter device settings via a short text message.
Bad actors can exploit the weakness to send seemingly notifications from the mobile operator and entice users to accept what looks like a network-specific configuration. This could tell the device to route traffic through a malicious proxy.
Mobile operators can transmit messages to a client terminal via the Open Client Alliance Client Provisioning (OMA) protocol. It uses live communication (OTA) and requires minimal interaction from the recipient.
Check Point researchers found that the process of providing a mobile phone operator (OTA) was not equipped with a powerful authentication mechanism to validate messages originating from the network operator and not an unauthorized party.
In second-generation (2G) cellular technology, for example, there is no mutual authentication between the terminal and the network; only the phone must do this, but the operator is not required to authenticate with the terminal.
Popular phone brands likely
The researchers found that phones from Samsung, Huawei, LG and Sony, which cover more than 50% of the Android phone market, can receive malicious settings via poorly authenticated provisioning messages. "Samsung phones are worsening this situation by also allowing unauthenticated CP OMA messages," the researchers said in a report released today.
To launch an attack, the actor of the threat would need a GSM modem (sold for around $ 10) or a phone running in modem mode to send binary messages, as well as to send a message. a simple script to compose your OMA PC.
OTA provisioning messages can be used to change the following settings on the phone:
• MMS mail server
• MMS mail server
• Proxy address
• Home page of the browser and bookmarks
• Mail server
• Directory servers for synchronizing contacts and calendar
Hackers targeting Samsung phones can send malicious messages without having to authenticate. If users accept the CP, the phone settings will be changed.
.png)
For other phones, an attacker would need International Mobile Subscriber Identity (IMSI) numbers for potential victims to deploy the same attack as for Samsung phone users. Several methods exist to obtain the IMSI number.
The researchers said the OMA CP messages had an optional security header that validated the provisioning message. This must be authenticated with the IMSI number.
This check, however, does not help the user in any way, as it will not see any details to identify the sender.
Otherwise, if the IMSI number can not be obtained, the attacker has another way to deploy the attack, but this involves sending two messages to the victim.
"The first is a text message purporting to come from the victim's network operator, asking him to accept a PIN protected OMA PC and specifying the PIN as an arbitrary four-digit number." The attacker sends him an OMA CP message authenticated with the same PIN code.This CP can be installed independently of the IMSI, provided the victim accepts the CP and enters the correct PIN. "
In March, Check Point informed the vendors impacted by this vulnerability attack. Samsung and LG have already deployed an appropriate fi
Huawei devices continue to be attacked as the company plans to fix the weakness of the next generation of Mate or P smartphones.
Sony has not recognized the flaw, motivating the fact that their products comply with the CP OMA specification.
[ad_2]
Source link