Android phones vulnerable to provisioning SMS hijacking

By

Poor authentication allows attackers to change phone settings.

Researchers have discovered that newer Android phones are vulnerable to phishing attacks via binary Short Messaging Service (SMS) provisioning texts that can be used to alter crucial device settings and re-route data traffic.

Android phones vulnerable to provisioning SMS hijacking

Security vendor Check Point found that the Open Mobile Alliance Client Provisioning (OMA-CP) industry standard for provisioning does not provide a way for recipients to verify if the SMS messages arrived from a network operator or an attacker.

Through relatively inexpensive and simple means, attackers can craft OMA-CP extended markup language scripts sent via SMS that, if users accept them, can change settings such as the proxy server address, browser home page and bookmarks as well as email and directory servers for contacts and calenders.

Users who receive the SMS messages transmitted as Protocol Data Units (PDUs) won't be able to discern where they come from as the modal dialog presented on the device screen does not convey sender information.

OMA-CP is not part of the basic Google Android distribution, but Check Point said that many phone vendors add the feature to their customised versions of the mobile operating system.

While it's possible to add authentication to OMA-CP messages via unique International Mobile Subscriber Identity (IMSI) codes, or PINs, the over-the-air provisioning standard dating back to 2001-2009 does not require it.

Even with IMSI authentication, it is relatively easy for attackers to find out the identity codes.

Check Point alerted the makers of the device tested and of these, Samsung has pushed out a fix in its May security maintenance release, and LG released a patch in July this year.

Huawei said it plans to include user interface fixes for OMA-CP in the next generation of Mate and P series smartphones.

Sony meanwhile refused to acknowledged the vulnerability, saying its phones follow the OMA-CP specification.

Huawei P10, LG G6, Sony Xperia XZ Premium and Samsung's Galaxy range of phones were tested by Check Point.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
androidcheck pointgooglehuaweisamsungsecuritysonytelco/isp

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?