Back from Black (Hat)
We’re back from Black Hat Europe ’09; as always it’s been an interesting experience.
In the next few days we’ll post here the details of the work we presented there (“Hijacking Mobile Data Connections”), but since a few articles about it have already been published, we feel a few concepts need stressing.
The attack we presented does not rely on a single vulnerability; it is the result of “abusing” a standard protocol that allows mobile devices to be reconfigured remotely.
The problem affects every device that ships an OMA Provisioning client and is used on a network that does not effectively filter provisioning messages coming from untrusted sources; brand, model and similar details play a marginal role in all this.
In our opinion, support for OMA provisioning is not a problem ‘per se’, but it is rather the ability to abuse it that should be regarded as the problem.
So the handsets should be seen as possible targets of the attack rather than as the root cause of the problem. Improvements on the handset side could help mitigate it, but they could hardly prevent this kind of attack entirely.
Whether a handset processes OMA provisioning messages depends on several factors (brand, model, firmware version), so giving explicit indications of which handsets are possible targets would be error-prone.
As far as we know a large number of models from different manufacturers support the provisioning client, but to avoid misunderstandings we prefer not to name brands and models unless specific vulnerabilities in the client are identified.
In summary: support for the OMA provisioning client as specified in the standard, together with the possibility of receiving provisioning messages from untrusted sources, should be the main criterion for evaluating a risk scenario.
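Since the criterion above is “provisioning client + provisioning messages from untrusted sources”, the network-side check is the part a practitioner can actually build. The following is an added example, not code from the original post or its authors: a minimal gateway-side filter that recognises an OMA Client Provisioning push inside SMS user data and drops it unless the originator is on an allow-list. The WDP port and WSP byte values come from the WAP WDP/WSP specifications; the originator allow-list, the policy itself and the sample messages are assumptions constructed for the illustration.

```python
"""
Added example (not from the original post): a gateway-side filter that spots
OMA CP pushes in SMS user data and drops those from untrusted originators.
Port and WSP byte values are from the WAP WDP/WSP specs; the allow-list,
the policy and the sample messages are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

WAP_PUSH_PORT = 2948                   # WDP destination port for connectionless WAP push (0x0B84)
WSP_PDU_PUSH = 0x06                    # WSP PDU type "Push"
CT_OMA_CP = {0x35, 0x36}               # text/vnd.wap.connectivity-xml, application/vnd.wap.connectivity-wbxml
PARAM_SEC, PARAM_MAC = 0x91, 0x92      # well-known Content-Type parameters SEC (0x11|0x80) and MAC (0x12|0x80)
SEC_NAMES = {0x80: "NETWPIN", 0x81: "USERPIN", 0x82: "USERNETWPIN", 0x83: "USERPINMAC"}


@dataclass
class PushInfo:
    dst_port: Optional[int]
    content_type: Optional[int]
    sec: Optional[str]
    has_mac: bool


def _uintvar(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a WSP uintvar (7 bits per byte, MSB = continuation). Returns (value, next_pos)."""
    value = 0
    while True:
        b = data[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos


def _udh_dst_port(ud: bytes) -> Tuple[Optional[int], int]:
    """Walk the SMS User Data Header (UDHI assumed set); return (destination port, payload offset)."""
    udhl = ud[0]
    pos, dst_port = 1, None
    while pos < 1 + udhl:
        iei, iel = ud[pos], ud[pos + 1]
        if iei == 0x05 and iel == 4:                  # Application port addressing, 16-bit ports
            dst_port = int.from_bytes(ud[pos + 2:pos + 4], "big")
        pos += 2 + iel
    return dst_port, 1 + udhl


def parse_push(ud: bytes) -> PushInfo:
    """Extract what the filter needs: WDP port, WSP Content-Type and its SEC/MAC parameters."""
    dst_port, pos = _udh_dst_port(ud)
    info = PushInfo(dst_port, None, None, False)
    if dst_port != WAP_PUSH_PORT or ud[pos + 1] != WSP_PDU_PUSH:
        return info                                   # not a WAP push at all
    hdr_len, pos = _uintvar(ud, pos + 2)             # skip TID and PDU type, read HeadersLen
    first = ud[pos]
    if first >= 0x80:                                 # Constrained-media: short integer, no parameters
        info.content_type = first & 0x7F
        return info
    if 0x20 <= first < 0x80:                          # textual media type: not the well-known OMA CP form
        return info
    # Content-general-form: Value-length, then well-known media, then parameters
    vlen, p = _uintvar(ud, pos + 1) if first == 0x1F else (first, pos + 1)
    end = p + vlen
    if ud[p] < 0x80:                                  # textual media inside the general form
        return info
    info.content_type = ud[p] & 0x7F
    p += 1
    while p < end:                                    # SEC is a short integer, MAC a null-terminated string
        tag = ud[p]
        if tag == PARAM_SEC:
            info.sec = SEC_NAMES.get(ud[p + 1], "unknown")
            p += 2
        elif tag == PARAM_MAC:
            info.has_mac = True
            p = ud.index(b"\x00", p + 1) + 1
        else:
            break                                     # unknown parameter encoding: stop, keep what we have
    return info


def decide(originator: str, ud: bytes, trusted: set) -> Tuple[str, str]:
    """Assumed policy: OMA CP is delivered only from trusted originators; everything else passes."""
    info = parse_push(ud)
    if info.content_type not in CT_OMA_CP:
        return "deliver", "not an OMA CP message"
    if originator in trusted:
        return "deliver", f"OMA CP from trusted originator {originator} (SEC={info.sec})"
    # SEC=USERPIN is not a trust signal: the PIN is chosen by whoever built the message.
    mac = "yes" if info.has_mac else "no"
    return "drop", f"OMA CP from untrusted originator {originator} (SEC={info.sec}, MAC={mac})"


# Constructed sample SMS user data (UDH + WSP push + truncated WBXML body); not captured traffic.
UDH_WAP_PUSH = bytes.fromhex("06 05 04 0B 84 23 F0")           # port addressing: dst 2948, src 9200
OMA_CP_USERPIN = UDH_WAP_PUSH + bytes.fromhex(
    "01 06 0A"                        # TID=1, PDU type=Push, HeadersLen=10
    "09 B6 91 81 92 41 42 43 44 00"   # Value-length 9: connectivity-wbxml, SEC=USERPIN, MAC="ABCD"
    "03 0B 6A 00"                     # WBXML 1.3, PROV DTD public id, UTF-8, empty string table
)
SERVICE_INDICATION = UDH_WAP_PUSH + bytes.fromhex("01 06 01 AE 02 05 6A 00")  # application/vnd.wap.sic
TRUSTED = {"+390000000001"}           # assumed operator provisioning originator

if __name__ == "__main__":
    for src, ud in [("+390000000001", OMA_CP_USERPIN),
                    ("+440000000002", OMA_CP_USERPIN),
                    ("+440000000002", SERVICE_INDICATION)]:
        print(src, decide(src, ud, TRUSTED))
```

The filter keys on the Content-Type rather than on the originator alone, so ordinary Service Indication pushes from the same untrusted sender still go through; only the provisioning payload is held back. The SEC value is reported but deliberately not used as a trust input, since a USERPIN is picked by the sender of the message.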
Stay tuned for the rest of the story.