Latest in Gear

Image credit: Chris Velazco/Engadget

Vulnerability lets text messages steal emails from Android phones

Devices from Samsung, LG, Huawei and Sony are affected.
273 Shares
Share
Tweet
Share

Sponsored Links

Chris Velazco/Engadget

Bogus text messages aren't just being used to send you to malicious websites or crash your phone -- in some cases, they can hijack your emails. Check Point Research has discovered a vulnerability in phones from Huawei, LG, Samsung and Sony that lets attackers use custom SMS to intercept all email traffic on target devices. The attack uses the common Open Mobile Alliance version of over-the-air provisioning, a carrier technique for deploying settings to new phones, to access emails. The attacks require different methods depending on the phone and available info (such as IMSI numbers and requesting PIN codes), but the result is the same: intruders trick users into compromising their phones through messages that pose as network settings changes.

The problem stems in part from the way the provisioning works. While it supports provisioning through relatively secure methods like PIN codes, it doesn't require them. And it's usually down to individual vendors to decide how to implement this format rather than platform creators like Google, leading to inconsistent security. Affected Samsung devices, for instance, don't need any authentication at all to fall victim.

This variety also affects how secure your device is. Some vendors have been better at addressing the problem than others. Samsung fixed the flaw through a May update, while LG released its patch in July. Huawei, however, said it wouldn't deliver interface fixes until the next wave of Mate and P-series phones. You might have to wait weeks or months to get a solution, if you get one at all. Sony, meanwhile, reportedly "refused to acknowledge" the flaw and would only say that it followed the Open Mobile Alliance spec. Your Xperia might remain vulnerable unless there's a change of heart.

This wouldn't be as much of an issue if it weren't for the scale of the issue and the relative ease of launching attacks. Combined, the vendors represent more than half of all Android phones. And all you need to instigate the attack is a GSM modem (or phone in modem mode) and basic software to compose the messages. You can protect yourself by refusing these messages, but this could be a significant problem unless more Android vendors fall in line.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
273 Shares
Share
Tweet
Share

Popular on Engadget

NordVPN admits to 'isolated' server breach in Finland

NordVPN admits to 'isolated' server breach in Finland

View
Mitt Romney has a ridiculous Twitter alias: Pierre Delecto

Mitt Romney has a ridiculous Twitter alias: Pierre Delecto

View
Netflix's 'The Crown' season 3 trailer shows off the new cast

Netflix's 'The Crown' season 3 trailer shows off the new cast

View
Hyundai is building cruise control that mimics your driving style

Hyundai is building cruise control that mimics your driving style

View
A star died violently and left behind this 'fluffy' ball

A star died violently and left behind this 'fluffy' ball

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr