Every new user with a shiny new device will get a SIM card so that it works correctly as soon as possible. Depending on the SIM card being used, the carrier then hands over the configuration data automatically once the device is set up. And all it takes is a simple SMS to plant malware on your device without you noticing. The scheme is so convincing that no one could tell it was taking place.
This is the work of a team of researchers at Check Point Security, who have discovered advanced phishing attacks against quite a few modern Android smartphones. Most of these attacks let the attacker deceive users into accepting new settings on their devices, leaving them exposed to hacks such as traffic hijacking. Regardless of the prestige of the brand, no one is safe: Samsung, Huawei, LG, and Sony can all fall to it.
Finding the Weakness of Strong Builds
The way it happens is pretty simple: in these attacks, a remote user tricks another into accepting new settings on their smartphone. Most of the time, the attacker poses as the service provider. The changes induced by these attacks can route all the Internet traffic of a device through a proxy controlled by the attacker. Such an attack leverages the OTA provisioning process that is used to deliver network-specific settings remotely.
As described by Check Point Security, the attack vector relies on a process named “over-the-air provisioning,” which operators use to push network settings to every new device joining their network. Following this scheme, the researchers showed that anyone could send these messages and that no one would be able to tell the difference. According to the firm, this is because Open Mobile Alliance Client Provisioning (OMA CP) uses minimal authentication methods.
The firm also found that most smartphones sold by popular brands such as Samsung, Huawei, LG and Sony (together accounting for a 50% share of the Android market) use some of the weakest authentication methods for mobile carriers. Mobile carriers send OMA CP messages containing APN settings to devices; a new device needs those settings to set up a connection between your carrier’s network and the Internet. That is when the attacks can take place.
Carrying Out the Attack – The Reach and How it Happens
An Access Point Name (APN) is the name of the gateway between a GSM, GPRS, 3G or 4G network and other computer networks; it is what links our devices to the Internet. A device that handles a data connection has to be configured with an APN so that it can be identified on the carrier’s end. These settings can include an HTTP proxy, which attackers can use to route web traffic from the device elsewhere.
The attack devised by Check Point lets remote attackers trick regular users into updating their APN settings with proxy servers that place the devices under the attacker’s control. The proxy could also let the attacker take hold of network connections from a targeted device through the carrier’s data service, granting access to the victim’s web browser history and email clients.
For the attack to come to fruition, the hacker needs to send OMA CP messages. They would need to reach users with binary SMS messages using a GSM modem such as a USB dongle or a phone working in modem mode, plus a script or off-the-shelf software that makes it easy to create the OMA CP. The attack scenario differs for each brand, but they all do the trick. This is how it happens with the big brands:
Samsung
As bad as it sounds to admit, this brand is the easiest one to hack. The hacker simply has to send the user a non-authenticated OMA CP message whose contents carry the details of the malicious proxy, and that is it. Since Samsung doesn’t require any form of authentication for these messages, cracking this one is easier than the rest.
Huawei, LG, and Sony
It gets a little trickier with these brands, since the hacker needs the target’s International Mobile Subscriber Identity (IMSI) to go after Huawei, LG, or Sony smartphones. A phishing attack can still be carried out nonetheless: the OMA CP messages carry a security header that lets the phone validate the CP’s authenticity using the user’s IMSI number, so once the attacker has that number, the user is lost again.
Authentication with PIN Number
Sadly, this is the scheme most people would fall for. Any potential victim who can’t be reached via IMSI receives two SMS messages. They look completely harmless and appear to come from your network operator. The first asks the user to accept a PIN-protected OMA CP and specifies the PIN as a four-digit number. After that, the hacker sends the user an OMA CP message authenticated with that same PIN. This hands the attacker complete control over the user’s settings.
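The three authentication levels described above (none, IMSI-keyed, PIN-keyed) correspond to the SEC parameter that an OMA CP push carries in its content type. The following is an added example, not Check Point’s tooling and not code from any handset vendor: a small triage helper that a defender might run over decoded CP documents (for instance in a mobile security gateway or MDM) to rate how a message was authenticated and whether it installs an HTTP proxy of the kind discussed in the APN section. It assumes the WBXML body has already been decoded into the plain wap-provisioningdoc XML and that the SEC value was pulled from the push headers; the sample document, proxy address and risk labels are constructed for this example.

```python
"""Triage helper for incoming OMA Client Provisioning (OMA CP) messages.

Added example, not code from Check Point or any device vendor. Assumes the
push body is already decoded from WBXML into wap-provisioningdoc XML and
that the SEC content-type parameter was extracted separately.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Authentication modes selected by the OMA CP "SEC" content-type parameter.
# What makes each one weak or strong is the key used to check the MAC.
SEC_MODES = {
    None: "NONE",         # no security header at all
    "0": "NETWPIN",       # MAC keyed with the subscriber's IMSI
    "1": "USERPIN",       # MAC keyed with a short PIN shared out of band
    "2": "USERNETWPIN",   # MAC keyed with PIN and IMSI together
    "3": "USERPINMAC",    # PIN plus a separate MAC the user has to enter
}


@dataclass
class CpAssessment:
    auth_mode: str
    proxies: List[Tuple[Optional[str], Optional[str], Optional[str]]] = field(default_factory=list)
    naps: List[Tuple[Optional[str], Optional[str]]] = field(default_factory=list)
    flags: List[str] = field(default_factory=list)

    @property
    def risk(self) -> str:
        if "UNAUTHENTICATED" in self.flags or "SETS_HTTP_PROXY" in self.flags:
            return "high"
        return "medium" if self.flags else "low"


def _parm(node: ET.Element, name: str) -> Optional[str]:
    """Return the value of a <parm name=...> child, or None if absent."""
    p = node.find(f"./parm[@name='{name}']")
    return p.get("value") if p is not None else None


def assess_cp(sec: Optional[str], xml_text: str) -> CpAssessment:
    """Classify a CP document by how it is authenticated and what it changes."""
    a = CpAssessment(auth_mode=SEC_MODES.get(sec, "UNKNOWN"))
    root = ET.fromstring(xml_text)
    if root.tag != "wap-provisioningdoc":
        a.flags.append("NOT_A_PROVISIONING_DOC")
        return a

    # A logical proxy carries one or more physical proxies with PXADDR and PORT.
    for px in root.iterfind("./characteristic[@type='PXLOGICAL']"):
        for phys in px.iterfind("./characteristic[@type='PXPHYSICAL']"):
            port = phys.find("./characteristic[@type='PORT']")
            portnbr = _parm(port, "PORTNBR") if port is not None else None
            a.proxies.append((_parm(px, "NAME"), _parm(phys, "PXADDR"), portnbr))
    # NAPDEF entries are the APN definitions themselves.
    for nap in root.iterfind("./characteristic[@type='NAPDEF']"):
        a.naps.append((_parm(nap, "NAME"), _parm(nap, "NAP-ADDRESS")))

    if a.auth_mode == "NONE":
        a.flags.append("UNAUTHENTICATED")
    elif a.auth_mode == "NETWPIN":
        a.flags.append("IMSI_KEYED_MAC")   # anyone who learns the IMSI can pass this check
    elif a.auth_mode == "USERPIN":
        a.flags.append("PIN_KEYED_MAC")    # a four-digit PIN is easily phished
    if a.proxies:
        a.flags.append("SETS_HTTP_PROXY")  # device traffic would flow through this host
    return a


# Constructed sample: an APN plus an HTTP proxy on a documentation-range address.
SAMPLE_CP = """<wap-provisioningdoc version="1.1">
  <characteristic type="NAPDEF">
    <parm name="NAPID" value="nap1"/>
    <parm name="NAME" value="Carrier Internet"/>
    <parm name="NAP-ADDRESS" value="internet.example"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
    <parm name="BEARER" value="GSM-GPRS"/>
  </characteristic>
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="px1"/>
    <parm name="NAME" value="Carrier Proxy"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="px1-phys"/>
      <parm name="PXADDR" value="203.0.113.10"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <characteristic type="PORT">
        <parm name="PORTNBR" value="8080"/>
      </characteristic>
    </characteristic>
    <parm name="TO-NAPID" value="nap1"/>
  </characteristic>
</wap-provisioningdoc>
"""

if __name__ == "__main__":
    for sec in (None, "0", "1", "3"):
        r = assess_cp(sec, SAMPLE_CP)
        print(f"SEC={sec!s:<4} auth={r.auth_mode:<11} risk={r.risk:<6} flags={r.flags}")
```

Run against the sample, the same document rates “high” whether it arrives with no SEC header (the Samsung case) or with NETWPIN (the IMSI case), because the deciding factor is that it installs a proxy; only a document that changes nothing sensitive and uses the strongest mode comes back “low”. A gateway policy built on this would hold any high-risk CP for out-of-band confirmation instead of letting the handset prompt the user.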
All the information provided by Check Point Security is meant to raise awareness of the dangers present in modern cybersecurity. A complete description of their findings can be found in a public report on their website.