
Spoofing - OMA Client Provisioning


Many older devices still vulnerable, complete exposure of all traffic.

OMA Client Provisioning SMS

An older attack that will continue to work on a range of devices. It has a social engineering component: a second SMS in which the attacker poses as the service provider or company IT, sending a PIN such as 1234 along with instructions to accept the new APN settings. It can be done at larger scale; for some devices the attacker needs the victim's IMSI to succeed, and in the past there were websites that listed IMSIs for quite a few mobile numbers. We haven't yet come across breach data dumps containing IMSI numbers at scale, but from experience we think it's safe to assume they exist and circulate on the DarkNet.

As an attacker, you need to be able to send a binary SMS to carry out this attack. If it works, you can then set proxy and port settings, along with the default browser, homepage and some other settings such as audio. This is quite powerful against non-technical victims, yet with TLS and certificate checks being standard (think of replacing an App-Store download via MitM, or credential / cookie sniffing), it is mostly an untargeted phishing attack or a surveillance method. That's why it's not that interesting for Red.

“We only care about touchless knockouts: remote code execution and zero-click vulns. Just kidding.”

Samsung devices were found to be the most vulnerable, still in 2019, not requiring an IMSI to allow OMA provisioning. That means lots of older devices, still in use or circulating on second-hand markets like eBay, are vulnerable. Sony didn't react to a new vulnerability report in 2019; the current status is unknown, we didn't research further. Also in 2019, around 50% of devices in use were found to be vulnerable; today it's likely 20-30% (estimated).

Not only an attack

Regular provider configuration may use this same technique to push APN settings onto the device, also asking for PIN entry. The process is identical, so users have no way to tell whether it is legitimate during the (potential) attack phase. When you get a new SIM card (eSIM included), it is technically needed, so pay attention when you allow it. You can check the APN settings on your device after you have confirmed it (Settings => APN): look out for Proxy and Port, which should be empty. MMS settings may contain a provider IP address and a port in the URL; that is not suspicious even though it may look like it. You can verify that the IP belongs to your provider using online tools. Modern providers require only a single setting, such as internet, and no other technical details.
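The check described above (Proxy and Port on a data APN should be empty, an MMS proxy is expected but worth verifying) can be automated against the APN table of an Android device. The script below is an added example and not part of the original post. It assumes APN rows in the `Row: N key=value, key=value, ...` format printed by `adb shell content query --uri content://telephony/carriers`, using the column names of Android's Telephony.Carriers provider (`name`, `apn`, `proxy`, `port`, `mmsproxy`, `mmsport`, `mmsc`); the sample rows, including the pushed "Company IT" entry and its proxy address, are constructed.

```python
"""Audit Android APN entries for pushed proxy settings (added example, not the post's code).

Input format assumption: lines as printed by
  adb shell content query --uri content://telephony/carriers
i.e. "Row: 0 _id=1, name=..., apn=..., proxy=..., port=..., ..."
"""
import re
from typing import Dict, List, Tuple

# Constructed sample rows: a clean internet APN, a normal MMS APN, and a
# pushed "Company IT" entry that routes browser traffic through a proxy.
SAMPLE_ROWS = """\
Row: 0 _id=1, name=Provider Internet, apn=internet, proxy=, port=, mmsproxy=, mmsport=, mmsc=
Row: 1 _id=2, name=Provider MMS, apn=mms, proxy=, port=, mmsproxy=10.81.0.1, mmsport=8080, mmsc=http://mms.provider.test/mms
Row: 2 _id=3, name=Company IT, apn=internet, proxy=203.0.113.7, port=8080, mmsproxy=, mmsport=, mmsc=
"""

ROW_RE = re.compile(r"^Row: \d+ (?P<body>.*)$")

Finding = Tuple[str, str, str]  # (severity, apn name, message)


def parse_carrier_rows(text: str) -> List[Dict[str, str]]:
    """Turn `content query` output lines into one dict per APN row."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue  # skip anything that is not a Row: line
        entry: Dict[str, str] = {}
        for item in match.group("body").split(", "):
            key, _, value = item.partition("=")
            entry[key.strip()] = value.strip()
        rows.append(entry)
    return rows


def audit_apns(rows: List[Dict[str, str]]) -> List[Finding]:
    """Apply the two checks from the post: data proxy/port must be empty,
    an MMS proxy is expected but should be verified against the provider."""
    findings: List[Finding] = []
    for row in rows:
        name = row.get("name", "<unnamed>")
        proxy, port = row.get("proxy", ""), row.get("port", "")
        if proxy or port:
            # A proxy on the data APN sends all plain HTTP traffic through it,
            # which is exactly what a spoofed OMA CP push configures.
            findings.append((
                "HIGH", name,
                f"data APN routes traffic via {proxy or '?'}:{port or '?'}; "
                "legitimate internet APNs normally leave Proxy and Port empty",
            ))
        mmsproxy, mmsport = row.get("mmsproxy", ""), row.get("mmsport", "")
        if mmsproxy:
            findings.append((
                "INFO", name,
                f"MMS proxy {mmsproxy}:{mmsport or '?'} is set; this is normal for MMS, "
                "but confirm the address belongs to your provider",
            ))
    return findings


if __name__ == "__main__":
    for severity, name, message in audit_apns(parse_carrier_rows(SAMPLE_ROWS)):
        print(f"[{severity}] {name}: {message}")
```

On a real device, pipe the output of the `adb shell content query` command into `parse_carrier_rows` instead of `SAMPLE_ROWS`; any HIGH finding on an entry you did not knowingly add is worth removing and reporting to your provider.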