Over-the-air provisioning is the latest attack vector threatening your innocent Android mobe, according to Check Point today.
The Israeli threat intel biz reckons that a single malicious SMS can pwn a targeted device, allowing an attacker to do such nefarious things as intercepting emails, text messages and so on.
“Given the popularity of Android devices, this is a critical vulnerability that must be addressed,” thundered Slava Makkaveev, a Check Point researcher. “Without a stronger form of authentication, it is easy for a malicious agent to launch a phishing attack through over-the-air (OTA) provisioning.”
OTA provisioning, in Gemalto’s explanation of the term, is used to “communicate with, download applications to, and manage a SIM card without being connected physically to the card”. If you’ve ever received a text message from your mobile network telling you to reboot your phone or that new settings have been applied to your SIM, you’ve received an OTA update.
Security storm brewing for Oracle Java-powered smart cards: More than a dirty dozen flaws found, fixes… er, any fixes?
Check Point reckons that malicious folk could spoof these OTA provisioning updates. By exploiting the simple authentication measures in the industry-standard Open Mobile Alliance Client Provisioning (OMA-CP) spec, Check Point said, certain mobile handsets from Samsung could be targeted with a legit-looking message that appears to come from one’s mobile network – without requiring any authentication at all.
“When the user receives an OMA CP message, they have no way to discern whether it is from a trusted source. By clicking ‘accept’, they could very well be letting an attacker into their phone,” Makkaveev said.
Provided an attacker has the target’s IMSI (perhaps through deploying an IMSI catcher), the researchers claimed that Huawei, LG and Sony phones could also be pwned in the same way, as they authenticate the received message with the handset’s IMSI number.
Samsung patched the flaw after Check Point disclosed it in March, along with LG in July. Sony said its phones follow the published OMA-CP specs, according to the infosec biz, while Huawei is said to be pondering it.
Check Point claimed the vulns affected billions of devices. While possibly true from a theoretical point of view back in March when discovered, the majority of those will have incorporated the patches, either through routine updates or updates pushed (legitimately) from mobile networks. ®