Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

9/4/2019
02:40 PM
0%
100%

Android Phone Flaw Allows Attackers to Divert Email

Researchers find that a spoofing a service message from the phone carrier is simple and effective on some brands of Android smartphones.

Using text messages with embedded links, security researchers from Check Point Software Technologies recently discovered that spoofing messages from a phone carrier could be used to configure certain features, including e-mail and the directory server, of several brands of Android phones.

The attack uses over-the-air (OTA) provisioning messages, a technique used by carriers to deploy certain configurations to phones for their network: but the malicious attack exploits design weaknesses on several brands of Android phones, including Samsung, Sony, LG, and Huawei.

While OTA provisioning has been used in the past to set up wireless access point proxies to hijack traffic, this is the first time that an attack has been shown to hijack email on mobile phones, says Slava Makaveev, a security researcher with Check Point. 

"The ability to configure email and directory servers is a vendor-specific extension for the protocol," he says. "The email server provisioning is a design weakness." 

The security flaw puts users of the phones at risk if they trust the source of any over-the-air update. On a Samsung phone, an attacker could, without any sort of authentication check, change the MMS message server, the proxy address for Internet traffic, the browser homepage and bookmarks, the email server, and any directory servers for synchronizing contacts and calendar.

Sony, LG, and Huawei phones, meanwhile, pose only slightly higher hurdles for an attacker — a valid IMSI (international mobile subscriber identity), which is specific to the phone, but could be retrieved by an application with the right permissions, according to Check Point.

Even without the IMSI, there is a way to fool the user. "For those potential victims whose IMSI could not be obtained, the attacker can send each victim two messages," Makkaveev wrote in Check Point's technical brief. "The first is a text message that purports to be from the victim's network operator, asking him to accept a PIN-protected OMA CP, and specifying the PIN as an arbitrary four-digit number. Next, the attacker sends him an OMA CP message authenticated with the same PIN."

The underlying design flaw is that while requiring the user to accept the changes, all of these provisioning methods appear with all the trappings of an official message from the phone carrier - with the specific dialog box labeled "New Settings."

"When you first join a new carrier network, you'll get a warm, welcome message from your carrier — do not trust it," Check Point's Makkaveev said in statement. "People naively think those messages are safe. Simply, we can't trust those texts anymore." 

OTA provisioning is not part of the basic Android distribution but many carriers implement their own, as specified in the Open Mobile Alliance Client Provisioning (OMA CP) standard. However, the standard includes only a few ways to authenticate messages and makes the security check optional. 

Weak Authentication

Check Point researchers found that Samsung phones don't perfrom authentication checks on client-provisioning messages, and several other phone makers — including Huawei, LG, and Sony — have weak authentication using the IMSI, a semi-private identifier for the phone. Because of the weak authentication, the source of any over-the-air provisioning messages that come in cannot be verified, Check Point stated in its advisory.

"A recipient cannot verify whether the suggested settings originate from her network operator or from a dangerous imposter looking to read their emails," the company said

Check Point notified each phone provider in March and gave them a chance to update their software. Samsung patched its software in May and LG released a fix in July, according to Check Point. Huawei plans to fix the next version of their phones, and Sony did not consider the issue to be a vulnerability, Check Point said. 

In the past, patching of firmware has been a laborious process for Android phones. The original software maker has to patch the issue, the hardware make has to approve the fix, as does the carrier, and then the use has to update. For that reason, Check Point does not know how widespread the issue currently is, says Makaveev.

"We don't know how many people have downloaded the latest patches provided by Samsung and LG — we highly recommend they do that," he says. "Holders of Huawei and Sony devices are not protected at all."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: 'It Takes Restraint': A Seasoned CISO's Sage Advice for New CISOs

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
janettjworkman
50%
50%
janettjworkman,
User Rank: Apprentice
10/31/2019 | 2:53:01 AM
Thank you somuch
Thank you somuch
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...