How a Single SMS can Break your Samsung Galaxy Phone with WAP Crap


Security researchers from Context IS have revealed a bug in Samsung Galaxy phones that can be triggered remotely via SMS.

Samsung’s mobile security team was quick to fix the problems and set a good example of how coordinated disclosure should be handled.

OMA CP Protocol

WAP Push can be used to transport information for a wide range of purposes. The researchers’ focus was the Open Mobile Alliance Client Provisioning (OMA CP) protocol, which allows remote device provisioning and configuration.

Now let’s see whether this works in practice. On Samsung Galaxy phones, including the newest model at the time, the “omacp” application handles OMA CP messages.

The researchers used their SMS test rig to send such custom OMA CP SMS messages to devices and verify how they were handled.

As it turned out, their tool was able to deliver these messages, and the devices received and processed them correctly regardless of the security settings specified in the message: the message’s security field was ignored entirely.

Analysis

The omacp application was then analysed for code paths that install a configuration without any user interaction. Several pieces looked promising, for example a “xcpSetBgInstall” lookup that hints at a possible background installation.

A resource called xcpInstallWifiSetting was consistently referenced whenever the configuration message contained settings.

OTA

To trigger the bug over the air, they targeted the omacp app and formatted the message accordingly. The app uses the native C library “libomacp” to parse configuration messages, so it was time to open IDA and do some reverse engineering.

After some IDA Pro work, they found out how to build a WBXML-encoded WAP Push message that specifies Wi-Fi settings. They also noticed a WBXML parsing bug, reported as CVE-2016-7990.

Bug Ids

They also found a remote code execution vulnerability affecting Samsung’s S5 and earlier models, described in the following CVEs:

  • CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
  • CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
  • CVE-2016-7990 – Integer overflow in libomacp.so
  • CVE-2016-7991 – omacp app ignores security fields in OMA CP message
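The security field that omacp ignored (CVE-2016-7991) is carried in the WSP Content-Type header of the push message as the SEC and MAC parameters, and a correct receiver refuses a provisioning document whose MAC does not verify. The following Python is an added example written for this article, not code from Context IS or Samsung. It decodes a constructed Content-Type header, extracts SEC and MAC, and verifies the MAC as an HMAC-SHA1 over the body keyed with the user PIN (the USERPIN case); the NETWPIN key derivation is not modelled, and the sample body is a constructed minimal WBXML document rather than a real provisioning payload.

```python
import hashlib
import hmac

# WSP well-known tokens used by OMA CP. Values with the high bit set are
# WSP "short integers".
CT_CONNECTIVITY_WBXML = 0xB6   # application/vnd.wap.connectivity-wbxml
PARAM_SEC = 0x91               # SEC parameter (security mechanism)
PARAM_MAC = 0x92               # MAC parameter (hex HMAC over the body)
SEC_NAMES = {0x80: "NETWPIN", 0x81: "USERPIN", 0x82: "USERNETWPIN", 0x83: "USERPINMAC"}


def encode_uintvar(n):
    """Encode a WSP uintvar (7 data bits per byte, high bit = continuation)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def read_uintvar(buf, pos):
    """Decode a WSP uintvar starting at pos; returns (value, new_pos)."""
    value = 0
    for _ in range(5):                      # at most 5 bytes for 32 bits
        b = buf[pos]
        pos += 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos
    raise ValueError("uintvar too long")


def parse_content_type(buf):
    """Parse a Content-Type in WSP content-general-form.
    Returns (media_type, params, offset_of_body)."""
    pos = 0
    first = buf[pos]
    pos += 1
    if first <= 30:                         # short-length
        length = first
    elif first == 31:                       # length-quote followed by uintvar
        length, pos = read_uintvar(buf, pos)
    else:
        raise ValueError("unsupported content-type encoding")
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated content-type")
    media = buf[pos]
    pos += 1
    params = {}
    while pos < end:
        tok = buf[pos]
        pos += 1
        if tok == PARAM_SEC:                # short-integer value
            params["SEC"] = buf[pos]
            pos += 1
        elif tok == PARAM_MAC:              # NUL-terminated text string
            nul = buf.index(0, pos)
            if nul >= end:
                raise ValueError("MAC not terminated inside content-type")
            params["MAC"] = buf[pos:nul].decode("ascii")
            pos = nul + 1
        else:
            raise ValueError(f"unexpected parameter token 0x{tok:02x}")
    return media, params, end


def compute_mac(body, pin):
    """OMA CP MAC for USERPIN: HMAC-SHA1 over the body, keyed with the PIN."""
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def check_provisioning_push(buf, pin):
    """The check a receiver should do before applying settings.
    Returns (accepted, reason)."""
    media, params, body_start = parse_content_type(buf)
    body = buf[body_start:]
    if media != CT_CONNECTIVITY_WBXML:
        return False, "not an OMA CP message"
    if "SEC" not in params:
        return False, "no SEC parameter: unauthenticated message rejected"
    sec = SEC_NAMES.get(params["SEC"])
    if sec != "USERPIN":
        return False, f"SEC={sec}: key derivation not modelled here"
    if "MAC" not in params:
        return False, "SEC=USERPIN but MAC missing"
    if not hmac.compare_digest(compute_mac(body, pin), params["MAC"].upper()):
        return False, "MAC mismatch: wrong PIN or tampered body"
    return True, "authenticated with SEC=USERPIN"


def build_sample(pin, include_security=True):
    """Constructed sample push: Content-Type header plus a minimal WBXML body
    (version 3, unknown public id, UTF-8, empty string table, empty
    wap-provisioningdoc). Not a real provisioning document."""
    body = b"\x03\x01\x6a\x00\x45\x01"
    value = bytes([CT_CONNECTIVITY_WBXML])
    if include_security:
        value += bytes([PARAM_SEC, 0x81])                      # SEC=USERPIN
        value += bytes([PARAM_MAC]) + compute_mac(body, pin).encode("ascii") + b"\x00"
    length = bytes([len(value)]) if len(value) <= 30 else b"\x1f" + encode_uintvar(len(value))
    return length + value + body
```

Running `check_provisioning_push(build_sample("1234"), "1234")` accepts the message, while a wrong PIN or a message built with `include_security=False` is rejected, which is the behaviour the article says omacp lacked.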

Exposure

The researchers observed that the vulnerable earlier models of the phone are still shockingly widespread worldwide.


As Context IS suggests, turning the attack into ransomware is not that complicated, with attackers demanding a Bitcoin payment before the restoring message (again a crafted SMS) is sent:

Given the reversible nature of this attack (a second SMS could be sent that restores the device to its working state), a potential ransomware scenario for these bugs requires little imagination.

Available fixes

Samsung has issued a security update fixing these vulnerabilities and, as we always advise, users should prioritise installing such updates.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.