Boffins break Samsung Galaxies with one SMS carrying WAP crap

S4 and S5


A single TXT message is enough to cause Samsung S5 and S4 handsets to return to factory settings, likely wiping users' data along the way. And because the attack exploits Android's innards, other vendors' handsets are at risk.

The vulnerabilities, thankfully patched by Samsung, mean attackers can send WAP configuration messages that are blindly applied by affected devices as soon as they are received, without the user needing to click on any link.

Attacks that send affected devices into boot loops can also be reversed and set to stable by a good configuration SMS, opening avenues for ransomware attacks, Contextis hackers Tom Court (@tomcourt_uk) and Neil Biggs say.

Newer Samsung Galaxy S6 and S7 models will not blindly accept the messages sent over the 17-year-old protocol.

The pair of researchers have penned a three-part series explaining the attack surface of Android SMS and the WAP suite.

Court and Biggs combined two bugs to produce the denial of service attack that forces unpatched and non-rooted phones to factory reset.

Users of rooted Samsung devices can enter the adb settings to delete the malicious configuration file default_ap.conf.

"The complexity of exploiting an Android device in recent years has escalated to the point that more often than not a chain of bugs is required to achieve the desired effect," Court and Biggs say.

"This case is no different and we have shown here that it took two bugs to produce a viable attack vector, combined with some in-depth knowledge of the bespoke message format."

The pair explain the attack in detail here, finding that no authentication is used to protect OMA CP text messages.

They also found a remote code execution vulnerability on Samsung devices from the S5 and below, detailed in the following CVEs:

  • CVE-2016-7988 – No Permissions on SET_WIFI Broadcast receiver
  • CVE-2016-7989 – Unhandled ArrayIndexOutOfBounds exception in Android Runtime
  • CVE-2016-7990 – Integer overflow in libomacp.so
  • CVE-2016-7991 – omacp app ignores security fields in OMA CP message
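The core of the problem described above (unauthenticated OMA CP messages, and an omacp app that ignores the security fields) is easiest to see next to the check a receiver should perform. The following is an added example, not code from the article or from the Context researchers: it models a provisioning receiver that accepts anything (the behaviour CVE-2016-7991 describes) beside one that requires the USERPIN security mechanism and verifies the MAC before applying a configuration. The SEC values and the HMAC-SHA1-over-body MAC construction follow the OMA Provisioning Bootstrap specification; the header dictionary, the XML sample body (real messages carry a WBXML-encoded document) and the PIN are constructed for the example.

```python
import hmac
import hashlib

# SEC parameter values from the OMA Provisioning Bootstrap specification.
SEC_NETWPIN = 0       # MAC keyed with a network PIN (e.g. the IMSI)
SEC_USERPIN = 1       # MAC keyed with a PIN the user is told out of band
SEC_USERNETWPIN = 2   # MAC keyed with network PIN + user PIN
SEC_USERPINMAC = 3    # user types PIN and MAC digits

# Constructed sample provisioning document (real messages are WBXML-encoded).
SAMPLE_BODY = (
    b'<wap-provisioningdoc>'
    b'<characteristic type="APPLICATION"><parm name="APPID" value="w2"/>'
    b'<parm name="NAME" value="Example APN (constructed)"/></characteristic>'
    b'</wap-provisioningdoc>'
)


def compute_mac(pin: str, body: bytes) -> str:
    """MAC as the spec defines it for USERPIN: HMAC-SHA1 over the provisioning
    body, keyed with the PIN, carried as an upper-case hex string."""
    return hmac.new(pin.encode("ascii"), body, hashlib.sha1).hexdigest().upper()


def vulnerable_receiver(headers: dict, body: bytes) -> bool:
    """Models the flawed behaviour: SEC and MAC are never looked at, so any
    sender who knows the message format gets their configuration applied."""
    return body.startswith(b"<wap-provisioningdoc>")


def hardened_receiver(headers: dict, body: bytes, user_pin: str) -> tuple:
    """Apply the configuration only if the message is authenticated.

    Returns (accept, reason). Rejects messages with no security fields,
    with a mechanism we do not support, or whose MAC does not verify.
    """
    sec = headers.get("SEC")
    mac = headers.get("MAC")
    if sec is None or mac is None:
        return False, "missing SEC/MAC: unauthenticated provisioning message"
    if sec != SEC_USERPIN:
        return False, "unsupported SEC mechanism %r" % (sec,)
    expected = compute_mac(user_pin, body)
    # Constant-time comparison so MAC checking does not leak via timing.
    if not hmac.compare_digest(expected, str(mac).upper()):
        return False, "MAC mismatch: wrong PIN or tampered body"
    return True, "authenticated: safe to apply"


if __name__ == "__main__":
    pin = "1234"  # constructed; in practice delivered to the user out of band
    unauthenticated = {}
    signed = {"SEC": SEC_USERPIN, "MAC": compute_mac(pin, SAMPLE_BODY)}
    print("vulnerable, no SEC/MAC:", vulnerable_receiver(unauthenticated, SAMPLE_BODY))
    print("hardened, no SEC/MAC:  ", hardened_receiver(unauthenticated, SAMPLE_BODY, pin))
    print("hardened, signed:      ", hardened_receiver(signed, SAMPLE_BODY, pin))
```

The vulnerable receiver applies the unsigned sample document; the hardened one refuses it and accepts only the copy whose MAC verifies under the user's PIN, which is the gap the CVE-2016-7991 fix closes. Note that a PIN-keyed MAC is only as strong as the PIN, so accepting operator provisioning silently is still a policy decision rather than a purely cryptographic one.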

"Given the reversible nature of this attack, it does not require much imagination to construct a potential ransomware scenario for these bugs," the pair say.

"Samsung have now released a security update that addresses these among other vulnerabilities and, as is our usual advice, it is recommended that users prioritise the installation of these updates."

They left discovery of how the bugs apply to other phones as an exercise for other hackers.

Vulnerabilities were reported to Samsung in June, fixed in August, and patched on 7 November with disclosure made overnight. ®
