Sci-tech

Samsung, LG, Huawei and other Android phones vulnerable to SMS phishing attacks

Samsung, LG, Huawei and other Android phones vulnerable to SMS phishing attacks”

Even after getting patches, researchers recommended users not to blindly trust messages from your mobile carriers or APN settings available on the Internet claiming to help users with troubleshooting issues in data carrier services.

Sony meanwhile refused to acknowledged the vulnerability, saying its phones follow the OMA-CP specification.

Researchers determined that certain Samsung phones were the most vulnerable to this form of phishing attack because they do not have an authenticity check for senders of OMA CP messages.

According to a new report Check Point shared with The Hacker News, weakly-authenticated provisioning messages implemented by some device manufacturers-including Samsung, Huawei, LG, and Sony-can allow remote hackers to trick users into updating their device APN settings with malicious attacker-controlled proxy servers. "Samsung phones compound this by allowing unauthenticated OMA CP messages as well", the researchers say in a report released today.

The phishing CP messages can either be narrowly targeted, for example, preceded by a custom text message carefully crafted to fool a specific individual, or sent out in bulk, in the hope that at least a few of the recipients are gullible enough to accept it without questioning its legitimacy.

In terms of defending or blocking attacks, Check Point advised that consumers should always be careful about what settings they approve and install on their phones, and ideally installing a mobile security solution for checking the networks they are connected to.

To run an attack, the threat actor would need a GSM modem (priced around $10) or a phone running in modem mode to send binary messages, and a simple script to compose thee OMA CP. Coming back to the weaknesses Check Point researchers identified in the authentication of provisioning messages, specifications the industry-standard recommends to make OTA provisioning secure doesn't mandate carriers to properly authenticate CP messages using USERPIN, NETWPIN, or other methods.

Samsung, LG, Huawei and other Android phones vulnerable to SMS phishing attacks

To target some of the susceptible phones, the attacker needs to know the device's International Mobile Subscriber Identity (IMSI) number, Check Point admitted, but added this may not be hard.

Attackers can obtain a victim's IMSI in a variety of ways, including creating a rogue Android app that reads a phone's IMSI once it is installed.

Devices from Huawei, LG, and Sony were a little bit more secure, as they required the sender of an OMA CP message to provide the phone's IMSI code before accepting the message.

However, Check Point's researchers demonstrated that anyone can send OTA provisioning messages.

"Given the popularity of Android devices, this is a critical vulnerability that must be addressed", said Slava Makkaveev, security researcher at Check Point Software Technologies. On the mobile network side, operators can block the delivery of OMA CP messages that did not originate from their own equipment.

Samsung patched the flaw after Check Point disclosed it in March, along with LG in July.

Huawei is planning to include UI fixes for OMA CP in the next generation of Mate series or P series smartphones. Samsung and LG already rolled out an appropriate fix.



Like this

loading...
loading...

Latest


06 September 2019
Karan Johar casts newcomer Lakshya in ‘Dostana 2’
The fog of secrecy, fortunately, has been lifted as the producer-director has made his new find known to the world. The debutant has a four-film deal with Dharma Productions that will include movie projects and digital projects.

06 September 2019
Steam Library Update Coming September 17
Valve will soon introduce an entirely refreshed way to manage your Steam games, including VR titles. Certainly I know I have trouble navigating the hundreds of games in my library.

06 September 2019
Tom Holland has FINALLY spoken about his girlfriend Olivia Bolton
The current Spider-Man animated series on Disney XD also has Peter mentoring Miles, with both of them attending Horizon High. Of course, Spider-Man fans' worlds were rocked when it was announced that Sony and Marvel were splitting over Spider-Man .

06 September 2019
Total and Associates Greenlit Russian Artic LNG 2 Development Venture
Founded in 1994, Novatek describes itself as the largest independent natural gas producer in Russian Federation . "The Japanese government will provide all necessary assistance for the realization of this project", he said.

06 September 2019
Vegetarians, vegans have higher stroke risk than meat eaters, study claims
In addition, those who eat only fish and practice a no-meat diet, also called a pescatarian diet, show a 13 percent reduced risk. The rest, a little more than half, were on a traditional diet featuring a variety of meat, legumes, fruits and veggies.

05 September 2019
Mike Mayock Has Succinct Message About Antonio Brown Status
The Raiders traded the Steelers for Brown in the offseason and took on a ticket to what has been a roller coaster, thus far. Brown caught at least 100 passes and exceeded 1,200 receiving yards in each of the past six seasons with the Steelers.

05 September 2019
US Middle East Envoy Jason Greenblatt Leaving Trump Administration
The plan already is facing rejection by Palestinian officials, who object to strengthening ties between the US and Israel. The White House peace effort initially operated largely in isolation from the rest of the USA foreign policy apparatus.

05 September 2019
Health officials in BC continue to monitor the dangers of vaping
In addition, the agencies vowed to share more information about reported cases of the lung illness with state officials. Last week, MDHHS announced an investigation into six lung infections that were tied to e-cigarette and vape use.

05 September 2019
Nadal into semis after big fight from Schwartzman
Nadal battles Argentine Diego Schwartzman in the quarterfinals Wednesday at Flushing Meadows. Schwartzman, known to be an excellent serve returner, had no aces and only one double fault.

05 September 2019
2020's iPhone SE upgrade won't bring edge-to-edge display
Poor iPhone sales in recent quarters have hurt Apple a bit , but it's trying to make it up by ramping up its services portfolio . Those iPhones look nice, but they're not an accurate representation of the iPhone 11 models Apple will unveil next week.