At this point you’ve been drilled on the hallmarks of phishing attacks: be suspicious of badly written emails littered with typos, don’t click on suspect links, and check the domain a message has been sent from.
But phishing attacks aren’t just limited to email – there has also been a flood of Google Calendar accounts being hit with spam messages. Now researchers have found a flaw that, if exploited by hackers, would have flipped the entire concept of phishing attacks on its head.
Security researchers at Check Point have discovered an issue with Android devices that could allow would-be hackers to send fake messages that appeared to be from network providers. The issue affected Android phones from Samsung, Huawei, LG and Sony.
The researchers say their proof-of-concept research worked on the Huawei P10, LG G6, Sony Xperia XZ Premium and Samsung phones including the S9, when they tested it. They say the issue may have impacted up to half of Android phones. There are more than 2.5 billion Android devices in use around the world.
“It needs only a cheap USB dongle with a SIM card,” says Slava Makkaveev, a security researcher at Check Point who was behind the work. “There are many freely available software tools to generate client-provisioning SMS messages. It’s enough to send crafted SMS messages and attack a phone anywhere in the world.”
Through a weakness in a process called over-the-air (OTA) provisioning, the researchers were able to send notifications to the phones saying new network settings needed to be installed. OTA provisioning is a way of delivering and installing configuration over a wireless network; mobile operators usually use the technique to push out changes to MMS settings, proxy addresses and the addresses of the servers used for email, contact syncing and calendar syncing.
Updates sent via OTA provisioning are frequently distributed using a standard called Open Mobile Alliance Client Provisioning (OMA CP). The standard is maintained by the Open Mobile Alliance, an industry forum of mobile companies that sets some of the underlying standards used by networks. According to its website, OMA CP is at version 1.1.
“The main original use case for OTA provisioning is to deploy operator-specific settings, such as the address of the operator’s MMS service center,” write Check Point security researchers Makkaveev and Artyom Skrobov in a short research paper. “Enterprises, too, use this facility to deploy settings such as email server addresses to the employees’ devices.”
The attack was decidedly simple. To send messages requesting network settings changes, all that’s needed is a GSM modem: this can be a phone set to modem mode or a USB dongle, which can cost as little as $10 (£8).
Once set up, the modem is used to send out SMS messages, and a script composes the OMA CP message. On the phone’s screen a pop-up appears saying settings need to be installed, with two choices: install or cancel. The prompts issued by OTA provisioning look like regular device settings updates, the sort a phone user is likely to trust and quickly tap install on.
Once the ‘updates’ were installed, settings could be changed to allow access to a phone’s emails, messages and settings, the Check Point researchers say. “The phishing CP messages can either be narrowly targeted, e.g. preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity,” Skrobov and Makkaveev say.
On Samsung phones the researchers could send update messages without any authentication at all. Targeting other phones presents an extra hurdle: some OMA CP messages require a PIN before settings can be changed. The researchers say this could be bypassed by first sending a fake message that looks like it’s from a network operator and contains the PIN to enter for an upcoming update.
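The two checks that separate the Samsung case (no authentication) from the PIN-protected case above can be shown concretely on the receiving side. The following is an added example, not Check Point’s code or any handset vendor’s: it parses the WSP Push PDU that carries an OMA CP message, and refuses to offer the settings to the user unless the message carries a SEC parameter and a MAC that verifies under a key the phone knows. The constants (WSP Push PDU type, the content type number for application/vnd.wap.connectivity-wbxml, the SEC and MAC parameter tokens) are taken from the WSP assigned-numbers tables and OMA-WAP-ProvCont as recalled here and should be verified against the spec; the MAC is assumed to be HMAC-SHA1 over the WBXML body, hex-encoded, keyed with the PIN digits as ASCII for USERPIN. The sample body and PIN are constructed placeholders, not a real provisioning document.

```python
"""Receiver-side check for OMA CP (WAP Push) provisioning messages.

Added example, not Check Point's or any vendor's code. Constants below are
assumed from the WSP / OMA-WAP-ProvCont tables; verify against the spec.
"""
import hashlib
import hmac

WSP_PDU_PUSH = 0x06
CT_CONNECTIVITY_WBXML = 0x34   # application/vnd.wap.connectivity-wbxml (assumed)
PARAM_SEC = 0x11               # well-known parameter token for SEC (assumed)
PARAM_MAC = 0x12               # well-known parameter token for MAC (assumed)
SEC_NAMES = {0: "NETWPIN", 1: "USERPIN", 2: "USERNETWPIN", 3: "USERPINMAC"}

# Constructed placeholder: WBXML prologue (version 1.3, PROV 1.0 public id,
# UTF-8, empty string table) followed by dummy content. Not a real document.
SAMPLE_BODY = b"\x03\x0b\x6a\x00" + b"\x45\xc6\x01\x01"
USER_PIN = b"1234"             # constructed PIN the victim would be told to enter


def _uintvar(n: int) -> bytes:
    """WSP uintvar: 7 bits per byte, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _read_uintvar(buf: bytes, pos: int):
    value = 0
    while True:
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def _value_length(n: int) -> bytes:
    """WSP Value-length: one byte for 0..30, else 0x1F followed by a uintvar."""
    return bytes([n]) if n <= 30 else b"\x1f" + _uintvar(n)


def compute_mac(body: bytes, key: bytes) -> str:
    """OMA CP MAC as assumed here: HMAC-SHA1 over the body, uppercase hex."""
    return hmac.new(key, body, hashlib.sha1).hexdigest().upper()


def build_push(body: bytes, sec=None, mac=None, tid: int = 1) -> bytes:
    """Encode a WSP Push PDU carrying a CP body (used only to build test input)."""
    ct = bytes([0x80 | CT_CONNECTIVITY_WBXML])
    if sec is not None:
        ct += bytes([0x80 | PARAM_SEC, 0x80 | sec])          # short-integer value
    if mac is not None:
        ct += bytes([0x80 | PARAM_MAC]) + mac.encode("ascii") + b"\x00"  # text-string
    headers = _value_length(len(ct)) + ct
    return bytes([tid, WSP_PDU_PUSH]) + _uintvar(len(headers)) + headers + body


def parse_push(pdu: bytes) -> dict:
    """Extract content type, SEC, MAC and body from a WSP Push PDU."""
    if pdu[1] != WSP_PDU_PUSH:
        raise ValueError("not a WSP Push PDU")
    hlen, pos = _read_uintvar(pdu, 2)
    headers, body = pdu[pos:pos + hlen], pdu[pos + hlen:]
    if headers[0] <= 30:
        vlen, i = headers[0], 1
    else:
        vlen, i = _read_uintvar(headers, 1)
    media = headers[i:i + vlen]
    info = {"content_type": media[0] & 0x7F, "sec": None, "mac": None, "body": body}
    i = 1
    while i < len(media):
        token = media[i] & 0x7F
        i += 1
        if token == PARAM_SEC:
            info["sec"] = media[i] & 0x7F
            i += 1
        elif token == PARAM_MAC:
            end = media.index(b"\x00", i)
            info["mac"] = media[i:end].decode("ascii")
            i = end + 1
        else:
            raise ValueError(f"unexpected parameter token 0x{token:02x}")
    return info


def check_cp(pdu: bytes, keys: dict) -> tuple:
    """Decide whether a CP may be offered to the user.

    keys maps SEC value -> key bytes the handset knows, e.g. {1: b"1234"} after
    the user typed a PIN. Returns (accepted, reason).
    """
    info = parse_push(pdu)
    if info["content_type"] != CT_CONNECTIVITY_WBXML:
        return False, "not a connectivity document"
    if info["sec"] is None or info["mac"] is None:
        # The case the research describes Samsung phones accepting.
        return False, "no SEC/MAC: unauthenticated CP"
    key = keys.get(info["sec"])
    if key is None:
        return False, f"no key for {SEC_NAMES.get(info['sec'], info['sec'])}"
    if not hmac.compare_digest(compute_mac(info["body"], key), info["mac"].upper()):
        return False, "MAC mismatch"
    return True, f"MAC valid ({SEC_NAMES[info['sec']]})"


def demo() -> dict:
    unauth = build_push(SAMPLE_BODY)
    signed = build_push(SAMPLE_BODY, sec=1, mac=compute_mac(SAMPLE_BODY, USER_PIN))
    return {
        "unauthenticated": check_cp(unauth, {1: USER_PIN}),
        "userpin_ok": check_cp(signed, {1: USER_PIN}),
        "userpin_wrong_pin": check_cp(signed, {1: b"0000"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the USERPIN branch is the one the researchers exploit socially rather than technically: the MAC check passes whenever the phone is given the same PIN the sender used, so an SMS that tells the recipient which PIN to type turns a cryptographic check into a trust decision made by the user. The unauthenticated branch is the one a handset must never take.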
So how likely was the issue to be exploited by hackers in the wild? No reports of malicious OTA provisioning messages have so far come from security companies or users, so it’s unlikely to have been used. And phone manufacturers have now updated their systems to require greater user approval when network settings need to be changed.
Check Point says it told phone manufacturers about the problem in March and most of the companies have now introduced a fix. Samsung’s SVE-2019-14073 security patch in May sorted the issue, as did LG’s LVE-SMP-190006 in July.
The company says Huawei is including fixes in its next Mate and P series smartphones; the Mate 30, which won’t include Google’s services, is due to be released on September 19. Only Sony hasn’t addressed the flaw, Check Point says. We have requested comment from all the companies impacted and will update this story when we hear more.