Whenever you insert a new SIM in your phone and connects to your cellular network for the very first time, your carrier service automatically configures or sends you a message containing network-specific settings required to connect to data services.
While manually installing it on your device, have you ever noticed what configurations these messages, technically known as OMA CP messages, include?
Well, believe me, most users never bother about it if their mobile Internet services work smoothly.
But you should worry about these settings, as installing untrusted settings can put your data privacy at risk, allowing remote attackers to spy on your data communications, a team of cybersecurity researchers told The Hacker News.
Mobile carriers send OMA CP (Open Mobile Alliance Client Provisioning) messages containing APN settings, and other device configurations that your phone need to set up a connection to the gateway between your carrier's mobile network and the public Internet services.
For APN settings, the configuration includes an optional field to configure HTTP proxy that can route your web traffic through it, but many carriers use transparent proxies that don't even require this field to be set.
Besides proxy settings, OMA CP provisioning messages can also include configurations to change the following settings on the phone over-the-air (OTA):
- MMS message server,
- Proxy address,
- Browser homepage and bookmarks,
- Mail server,
- Directory servers for synchronizing contacts and calendar, and more.
According to a new report Check Point shared with The Hacker News, weakly-authenticated provisioning messages implemented by some device manufacturers—including Samsung, Huawei, LG, and Sony—can allow remote hackers to trick users into updating their device settings with malicious attacker-controlled proxy servers.
This, in turn, could allow attackers to easily intercept some network connections a targeted device makes through its data carrier service, including web browsers and built-in email clients.
"It takes only a single SMS message to gain full access to your emails," the researchers say.
"In these attacks, a remote agent can trick users into accepting new phone settings that, for example, route all their Internet traffic to steal emails through a proxy controlled by the attacker."
"Furthermore, anyone connected to a cellular network may be the target of this class of phishing attacks, meaning you don't have to be connected to a Wi-Fi network to get your private email data maliciously extracted by cyber attackers."
However, just like in case of setting up a proxy for a Wi-Fi connection, proxy settings for mobile data network are not used by every app installed a targeted device. Instead, it depends upon which app has been designed to accept the user-configured proxy.
Moreover, the proxy server would not be able to decrypt HTTPS connections; thus, this technique is suitable only for intercepting insecure connections.
"This is an entirely new classification of phishing attacks on our emails," said Slava Makkaveev, a security researcher at Check Point told The Hacker News. "It was difficult to classify the vulnerability at first because it's a deep specificity problem. It's probably the most advanced phishing attack on our emails I've seen to date."
Coming back to the weaknesses Check Point researchers identified in the authentication of provisioning messages, specifications the industry-standard recommends to make OTA provisioning secure doesn't mandate carriers to properly authenticate CP messages using USERPIN, NETWPIN, or other methods.
As a result, a message recipient (targeted user) cannot verify whether the OMA CP message with new settings has been originated from his network operator or an imposter, leaving an opportunity for attackers to exploit this weakness.
"More dangerously, anyone can buy a $10 USB dongle [send fake OMA CP messages] and execute a large-scale phishing attack. Special equipment is not required to carry out the attack," researchers explain.
"The phishing CP messages can either be narrowly targeted, e.g., preceded with a custom text message tailored to deceive a particular recipient, or sent out in bulk, assuming that at least some of the recipients are gullible enough to accept a CP without challenging its authenticity."
Researchers reported their findings to the affected Android phone vendors in March 2019. Samsung and LG have addressed the issue in their Security Maintenance Release for May and July respectively.
Huawei is planning to fix the issue in the next generation of Mate series or P series smartphones, while Sony refused to acknowledge the issue, stating that their mobile phone devices follow the OMA CP specification.
Even after getting patches, researchers recommended users not to blindly trust messages from your mobile carriers or APN settings available on the Internet claiming to help users with troubleshooting issues in data carrier services.
