NSO Group’s Mysterious ‘MMS Fingerprint’ Hack Revealed


The “MMS Fingerprint” attack, a previously unidentified mobile network attack purportedly employed by spyware company NSO Group, is referenced in a single sentence in an agreement between NSO and Ghana’s telecom regulator.

Because the hack is claimed to work on all three major smartphone operating systems (Blackberry, Android, and iOS), it was believed to be independent of the operating system and, hence, related to the MMS flow itself.

In May 2019, WhatsApp found a flaw in its popular encrypted messaging service that let attackers install Pegasus spyware on users’ smartphones.

The vulnerability was exploited through a WhatsApp voice call and could compromise a device without the owner’s knowledge.

WhatsApp sued NSO Group in October 2019. Since then, the US Supreme Court and US appeals court have rejected the NSO group’s requests to stop the case.

Most of this has been studied and discussed publicly. However, certain specifics found in a copy of a contract between the Ghanaian telecom regulator and an NSO Group reseller had not been.



Agreement In The Records Of The Current Legal Dispute Between NSO And WhatsApp

“Within that contract, in Exhibit A-1, was a list of “Features and Capabilities” offered by NSO Group.

To telecom security specialists like us, these features were largely known; however, a feature title was (at first sight) unknown.

This was the ‘MMS Fingerprint’ entry,” said Cathal McDaid, VP of technology at Swedish telecoms security firm ENEA.

Figure: Agreement describing the MMS Fingerprint feature

In that document’s list of “Features and Capabilities” offered by NSO Group, a single sentence under ‘Infection Assisting Tools’ describes the “MMS Fingerprint” feature.

According to the document, an MMS Fingerprint works as follows:

  • Reveal the target device and OS version by sending an MMS to the device.
  • No user interaction, engagement, or message opening is required to receive the device fingerprint.

Because not all phones were MMS-capable at the time the MMS standard was designed, part of the procedure uses the SMS flow to initiate delivery: a binary SMS notifies the handset, which then performs an HTTP GET to the location of the MMS payload indicated in that notification.

According to reports, this HTTP GET carries information about the user’s device. The researchers suspected this was the point at which the MMS Fingerprint could be lifted and device-specific information disclosed.

Figure: HTTP GET received from the targeted handset

Using a few random SIM cards, ENEA demonstrated that the technique is feasible, so NSO Group’s claim appears to be accurate.

Using this method, the researchers recovered the device’s User-Agent and x-wap-profile header fields.

The first identifies the OS and device model. The second links to a User Agent Profile (UAProf) file that lists the mobile device’s capabilities.

The researchers also found the process could be hidden: by turning the binary SMS element into a silent SMS (setting the TP-PID value to 0x40), nothing appears on the targeted person’s phone and no MMS content is visible on the device.
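One operator-side check that follows from this, as an added example (not ENEA’s or NSO Group’s code): parse an SMS-DELIVER TPDU and flag messages that combine the WAP Push application port (the channel MMS notifications arrive on) with TP-PID 0x40, since a legitimate MMS notification has no reason to be delivered as a silent Type 0 message. The PDUs and the originator number are constructed sample data, and the TPDU is assumed to carry no SMSC address prefix.

```python
"""Flag SMS-DELIVER PDUs that deliver a WAP Push (MMS notification) as a
silent Type 0 short message (TP-PID 0x40). Layout follows 3GPP TS 23.040."""
from dataclasses import dataclass
from typing import Optional

WAP_PUSH_PORT = 2948   # destination application port for WAP Push / MMS notifications
TP_PID_SILENT = 0x40   # Type 0 short message: acknowledged by the handset, never shown


@dataclass
class SmsDeliver:
    originator: str
    tp_pid: int
    udh_dest_port: Optional[int]   # None when the message carries no port addressing


def _semi_octets(data: bytes, ndigits: int) -> str:
    # TP-OA digits are BCD, low nibble first; odd lengths are padded with 0xF
    return "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in data)[:ndigits]


def parse_sms_deliver(pdu: bytes) -> SmsDeliver:
    udhi = bool(pdu[0] & 0x40)          # TP-UDHI: a User Data Header is present
    oa_len = pdu[1]                     # originating address length in digits
    oa_bytes = (oa_len + 1) // 2
    originator = _semi_octets(pdu[3:3 + oa_bytes], oa_len)   # pdu[2] is type-of-address
    pos = 3 + oa_bytes
    tp_pid = pdu[pos]
    pos += 2 + 7                        # skip TP-PID, TP-DCS and the 7-octet TP-SCTS
    ud = pdu[pos + 1:]                  # TP-UDL, then TP-UD
    dest_port = None
    if udhi:
        udh, i = ud[1:1 + ud[0]], 0
        while i < len(udh):
            iei, iedl = udh[i], udh[i + 1]
            if iei == 0x05 and iedl == 4:  # IE 0x05: 16-bit application port addressing
                dest_port = int.from_bytes(udh[i + 2:i + 4], "big")
            i += 2 + iedl
    return SmsDeliver(originator, tp_pid, dest_port)


def is_suspicious_silent_push(pdu: bytes) -> bool:
    sms = parse_sms_deliver(pdu)
    return sms.udh_dest_port == WAP_PUSH_PORT and sms.tp_pid == TP_PID_SILENT


# Constructed sample TPDUs (originator +447700900123, WAP Push ports 2948/9200):
SILENT_PUSH_PDU = bytes.fromhex("440C914477000910324004" "42208021430000" "0B" "060504" "0B8423F0" "010603BE")
NORMAL_PUSH_PDU = bytes.fromhex("440C914477000910320004" "42208021430000" "0B" "060504" "0B8423F0" "010603BE")
PLAIN_SILENT_PDU = bytes.fromhex("040C914477000910324000" "42208021430000" "02" "C834")  # silent text, no UDH
```

A plain silent SMS without port addressing is not flagged, only the combination of the WAP Push port and TP-PID 0x40 is.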

“Attackers could use this information to exploit specific vulnerabilities or tailor malicious payloads (such as the Pegasus exploit) to the recipient device type. Or it could be used to help craft phishing campaigns against the human using the device more effectively.”

ENEA reported that, in its examination over the past few months, it had not seen this technique used in the wild.

Recommendation

  • Mobile users can turn off MMS auto-retrieval on their phones so the device does not connect to the content URL automatically.
  • Mobile operators might consider blocking internet access from devices via the MMS ports; even if the notification is received, the handset would not connect to an attacker-controlled IP address.
