Weak mobile authentication opens the door to attack

A security shortcoming in many leading Android phones leaves users vulnerable to advanced phishing attacks, researchers at Check Point warn.

The security weakness creates a mechanism for counterfeit SMS messages posing as network configuration updates to compromise the security of phones from Samsung, Huawei, LG, Sony, and others.

Attackers could exploit the security weakness as part of an attack that would allow them to intercept email traffic to and from mobiles, among other exploits.

Booby-trapped SMS messages might be disguised as a seemingly innocuous “update network settings” text, supposedly sent from an intended target’s mobile network provider.

Check Point notified Android device manufacturers about the issue six months ago and mitigations have since been developed.

Over the top

The affected Android phones use over-the-air (OTA) provisioning, a technology that allows mobile network operators to deploy network-specific settings to a new phone joining their network.

However, Check Point Research found that the industry standard for OTA provisioning, the Open Mobile Alliance Client Provisioning (OMA CP), allows anyone to send OTA provisioning messages.

A lack of robust authentication allows potential attackers to pose as network operators before sending deceptive OMA CP messages to users.

These messages would trick users into accepting malicious settings that can, for example, route all their internet traffic through a proxy server controlled by an attacker, allowing the eavesdropping of emails.

Researchers found that some Samsung phones are the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.

The user only needs to accept the CP and the malicious software will be installed without the sender needing to prove their identity.

“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” said Slava Makkaveev, security researcher at Check Point Software Technologies.

“Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air provisioning.

“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” he warned.

Makkaveev told The Daily Swig that researchers who uncovered the mobile security weakness have “not found any evidence that this vector has been used in the wild for attacks”.

Roll call

Huawei, LG, and Sony phones do have a form of authentication checking, but hackers only need the International Mobile Subscriber Identity (IMSI) of the recipient to ‘confirm’ their identity.

Attackers can obtain a victim’s IMSI in a variety of ways, including creating a rogue Android app that reads a phone’s IMSI once it is installed.

The attacker can also bypass the need for an IMSI by sending the user a text message posing as the network operator and asking them to accept a PIN-protected OMA CP message.

If the user enters the PIN and accepts the OMA CP message, the software can be installed without an IMSI.

The researchers disclosed their findings to the affected vendors in March 2019.

Samsung included a fix addressing this phishing flow as part of a security update in May (SVE-2019-14073), LG released its fix in July (LVE-SMP-190006), and Huawei is planning to include UI fixes for OMA CP in the next generation of Mate-series or P-series smartphones.

Sony stated that its devices follow the OMA CP specification.

Block and tackle

To defend against or block attacks, Check Point advised that consumers should always be careful about what settings they approve and install on their phones, and should ideally install a mobile security solution that checks the networks they are connected to.

Corporates should consider deploying mobile security solutions that can block such exploits.

And on a global scale, the best approach is for mobile operators to drop all client provisioning messages from unauthorized parties.

Alternatively, smartphone vendors can discontinue support for the client provisioning protocol, Check Point concluded.

David Rogers, a mobile security expert and chief exec of IoT security consultancy and training firm Copper Horse, said that Check Point’s research ought to prompt a review of mobile network protocol specifications.
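As an added illustration of the operator-side advice above (not code from Check Point or the article), the sketch below classifies a WAP Push payload as OMA CP, reports which OMA CP security method it declares (NETWPIN is the IMSI-keyed check, USERPIN the PIN-keyed one), and drops it unless the sender is allowlisted. The function names, the allowlist model of "authorized" and the sample PDUs are assumptions constructed for the example.

```python
# Added example (not from the article): operator-side filter for OMA CP pushes.
# Assumption: "authorized" is modelled as an allowlist of provisioning senders.
CP_PORT = 2948   # WAP Push destination port carried in the SMS user data header
CP_TYPE = 0x36   # WSP code for application/vnd.wap.connectivity-wbxml
CP_TEXT = b"application/vnd.wap.connectivity-wbxml"
SEC_NAMES = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}

def uintvar(buf, i):
    """Decode a WSP uintvar starting at buf[i]; return (value, next index)."""
    val = 0
    while True:
        val = (val << 7) | (buf[i] & 0x7F)
        i += 1
        if not buf[i - 1] & 0x80:
            return val, i

def parse_push(wsp):
    """Return (is_cp, sec); sec is "NONE" when no SEC parameter is declared."""
    if len(wsp) < 4 or wsp[1] != 0x06:        # byte 0: transaction id, byte 1: Push
        return False, None
    _, i = uintvar(wsp, 2)                    # skip the headers-length field
    first = wsp[i]
    if first & 0x80:                          # short form: type code, no parameters
        return (first & 0x7F) == CP_TYPE, "NONE"
    if first > 0x1F:                          # content type spelled out as text
        return wsp[i:].split(b"\x00")[0].lower() == CP_TEXT, "NONE"
    n, i = uintvar(wsp, i + 1) if first == 0x1F else (first, i + 1)
    field = wsp[i:i + n]                      # media type followed by parameters
    if not field or field[0] != (0x80 | CP_TYPE):
        return False, None
    sec = "NONE"
    if len(field) >= 3 and field[1] == 0x91:  # 0x91 = SEC parameter
        sec = SEC_NAMES.get(field[2] & 0x7F, "UNKNOWN")
    return True, sec

def decide(dest_port, wsp, sender, trusted):
    """Return (action, sec): drop CP pushes whose sender is not allowlisted."""
    if dest_port != CP_PORT:
        return "pass", None
    is_cp, sec = parse_push(wsp)
    if not is_cp:
        return "pass", None                   # e.g. an MMS notification on the same port
    return ("deliver" if sender in trusted else "drop"), sec

def sample_push(sec=None):
    """Constructed sample PDU (not captured traffic); MAC and body are dummies."""
    params = b"" if sec is None else bytes([0x91, 0x80 | sec, 0x92]) + b"0" * 40 + b"\x00"
    ctype = bytes([0x80 | CP_TYPE]) + params
    hdrs = (bytes([0x1F, len(ctype)]) if params else b"") + ctype
    return bytes([0x01, 0x06, len(hdrs)]) + hdrs + b"\x03\x0b\x6a\x00"
```

Logging the returned security method alongside each drop shows whether rejected pushes carried no authentication, the IMSI-keyed check or a PIN prompt, which are the three cases the researchers describe.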

