The industry standard for this provisioning is Open Mobile Alliance Client Provisioning (OMA CP). It was last updated in 2009 and offers only a limited number of basic authentication methods for validating the sender of these OTA provisioning messages.
The researchers at Check Point found that an attacker can pose as a network operator, send messages to users and trick them into accepting network settings, which will expose their emails. Just a simple SMS message and a click is all it takes for an attacker to read all emails of an Android user, the researchers mentioned.
How crucial is the risk?
Ed Tucker, co-founder of Human Firewall, said that although this is not a relatively new threat in the digital world, its potential scale is massive, which leaves millions of people at absolute risk. He also mentioned that one of the reasons it is critical is that people tend to fall for SMS-based phishing, believing the SMS is actually from their network provider.
He said, “How many users will even stop and think, let alone recognize the potential risk involved in blindly accepting the authenticity of the message?” While email phishing does not really have much impact because of awareness among people, SMS phishing is a new topic. If an individual’s emails are seen by an intruder, the intruder can most probably get access to that person’s bank details and other accounts.
Stuart Peck, director of cybersecurity strategy at ZeroDayLab, also raised the same concerns. Mr. Peck said, “It’s pretty serious as it would give an attacker a lot of options to control or maliciously manipulate the targeted device, especially on Android devices where there is no verification required from the sender”.
Android smartphones with higher vulnerability factor
Researchers found that Samsung smartphones are the most vulnerable among all Android phones. The reason is that Samsung does not perform any sort of authenticity check to verify whether the sender of these provisioning messages is genuine or an impostor. This is unfortunate news, given that Samsung is the biggest contender in the Android smartphone market.
Once a user accepts the message, the sender can simply reroute the smartphone's internet traffic and intercept it at will. On the other hand, LG, Sony and Huawei do require authentication of the sender. They use the International Mobile Subscriber Identity (IMSI) to do so, but even this method has its flaws: the IMSI can be easily obtained by using several applications.
How can Android users mitigate the risk?
Although there is no doubt that the vulnerability exists, that does not automatically mean that you will be targeted or exploited. All of these findings were disclosed to the mobile companies in March of 2019 and, as a result, they are taking steps to eradicate the risks. Samsung included a fix for SMS phishing in its Security Maintenance Release in May, LG released its fix in July, and Huawei will include UI fixes in the next generation of Mate-series or P-series phones.
In regard to this, Tucker said, “The real drive needs to be with the device manufacturers to mitigate such weaknesses and push users to update as quickly as possible”. Last but not least, users should also try to remain more cautious, read SMS messages carefully and not respond before getting in touch with the network provider.