Huawei and Sony smartphones are prone to attack via ‘carrier settings’
According to security company Check Point, smartphones from Huawei and Sony are susceptible to an attack via the technique with which providers push settings for mobile internet to new phones. Samsung and LG have since closed the leak.
Check Point has tested the attack on the Xperia XZ Premium and Huawei P10, but it is obvious that the attack also works on other phones from these brands. The vulnerabilities were also in the LG G6 and various Samsung Galaxy phones, including the S9.
The attack takes advantage of a lack of authentication of ‘grandma cp’ messages. Oma cp, Open Mobile Alliance Client Provisioning, is the standard for messaging with which providers, for example, push settings for mobile internet to a phone that has just joined the network. It’s difficult for users and phones to determine whether a message comes from a carrier or from a malicious person. A ten dollar USB dongle or a phone in ‘modem mode’ is enough to send such messages.
Users must press a button before the software installs settings from a message. It is therefore not possible to change settings without user intervention. By taking over the settings of mobile internet, it is possible to set up a proxy server, through which an attacker can see all the traffic of the victim.
The manufacturers have known about the leak since March. Samsungs were the most susceptible because they showed all messages to the user. The other brands require an imsi number, a unique mobile device identifier, to pass the message on to a user. An attacker can get around this by sending a granny cp message with a pin code. That pin code is then in another message.
Samsung and LG have released patches, Huawei will start patching the next Mate phones. Sony denies that its devices are susceptible to the attack, because the manufacturer says it adheres to the granny cp specification. The Open Mobile Alliance has assigned the vulnerability the serial number OPEN-7587, Checkpoint says.