Stay up to date on IT-Security – man in the Middle Attack on SmartPhones via OMA CP SMS (Open Mobile Alliance Client Provisioning) to change APN (Access Point Name = Mobile Internet Proxy)

11.Sep.2019

android, Apps Android Smart Phone, CyberSec / ITSec / Sicherheit / Security / SPAM

Stay up to date on IT-Security:

SmartPhones sind wie komplette Computer – Plus: noch weiterer Funktionen.

D.h. eigentlich muss man die IT-Security von SmartPhones genauso handhaben wie die aller anderer Computer. D.h. Regelmäßige Updates (automatisch oder halb-automatisch, Virenscanner, Firewall… you name it)

Nun zur Sicherheitslücke: SMS welche Internet (APN Proxy) Einstellungen vom Telefonie-Anbieter (Vodafone, O2) versendet werden (sogenannte: OMA CP SMS (Open Mobile Alliance Client Provisioning)) können auch von Angreifern verschickt werden, um den Internet-Traffic des Users über den Server des Angreiffers zu leiten und z.B. PayPal Zugangsdaten mit zu schneiden. (im Video wird Beispielhaft gmail.com verwendet)

“Normalerweise” wenn man so eine SMS erhält muss man auf “INSTALL” klicken.

Das sollte man ab sofort nur noch direkt nach Absprache mit Vodafone oder O2 tun.

Checkpoint Security “researchers reported their findings to the affected Android phone vendors in March 2019. Samsung and LG have addressed the issue in their Security Maintenance Release for May and July respectively.

Huawei is planning to fix the issue in the next generation of Mate series or P series smartphones, while Sony refused to acknowledge the issue, stating that their mobile phone devices follow the OMA CP specification.

Even after getting patches, researchers recommended users not to blindly trust messages from your mobile carriers or APN settings available on the Internet claiming to help users with troubleshooting issues in data carrier services.”

https://thehackernews.com/2019/09/just-sms-could-let-remote-attackers.html

Artikel von Checkpoint Security: https://research.checkpoint.com/advanced-sms-phishing-attacks-against-modern-android-based-smartphones/

Demo Video von Checkpoint Security: https://youtu.be/3G5NXGMLKvE

liked this article?

only together we can create a truly free world
plz support dwaves to keep it up & running!
(yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
really really hate advertisement
contribute: whenever a solution was found, blog about it for others to find!
talk about, recommend & link to this blog and articles
thanks to all who contribute!

admin