February 16, 2024 at 10:03AM
A contract between NSO Group and Ghana’s telecom regulator suggests a new infection technique, “MMS Fingerprint,” that allows a target device to be identified without any user interaction. Enea tested the method and confirmed that it works, raising concerns about its potential for malicious use. While it has not been seen in the wild, it poses a potential security risk; operators and subscribers can take preventive measures.
The meeting notes make clear that a contract between spyware firm NSO Group and Ghana’s telecom regulator points to a previously unknown infection technique based on MMS fingerprinting. As claimed by NSO, the technique can reveal the target’s device and operating system details without user interaction and could be used against a range of mobile platforms.
Cathal McDaid’s investigation at Enea found that the MMS flow is complex: retrieving a message involves a mix of MMS messages and HTTP GET requests, which creates an opportunity for information about the targeted device to leak. Enea also successfully demonstrated a method that makes the target device perform a GET to a URL on a server Enea controlled, thereby exposing the device’s User-Agent and x-wap-profile headers, which identify the device’s OS and capabilities. This method, termed MMS fingerprinting, is a potential infection route for malicious actors, since it lets them tailor exploits and phishing campaigns to the identified device.
While there is currently no evidence of this technique being actively used, it is a workable method that could simplify follow-on attacks. It can be mitigated by mobile operators at the network level and by subscribers disabling MMS auto-retrieval on their handsets. Despite its potential for abuse, it is essential to highlight that there is no indication of active exploitation using MMS fingerprinting.
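The flow described above (a notification followed by the handset’s HTTP GET to a content-location URL) gives an operator a natural detection point: a notification whose retrieval URL points outside the operator’s own MMSC would send that revealing GET to a third party. The following is an added example, not code from Enea or NSO; it assumes the MMSC or WAP gateway has already decoded the binary MM1 headers into text fields, and the trusted host names and sample notifications are constructed.

```python
from urllib.parse import urlsplit
import ipaddress

# Hosts the operator's own MMSC legitimately uses for retrieval (hypothetical names).
TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.net", "mms.example-operator.net"}

def is_suspicious_notification(notification, trusted_hosts=TRUSTED_MMSC_HOSTS):
    """Return a reason string when a decoded m-notification.ind would send the handset's
    retrieval GET to a host outside the operator's MMSC set, otherwise None.
    `notification` is a dict of already-decoded MM1 header names to text values
    (the binary-to-text decoding step is assumed to happen upstream)."""
    if notification.get("X-Mms-Message-Type") != "m-notification-ind":
        return None  # only notifications carry the retrieval URL
    url = notification.get("X-Mms-Content-Location", "")
    parts = urlsplit(url)
    host = parts.hostname  # already lowercased by urlsplit
    if parts.scheme not in ("http", "https") or not host:
        return "content location is not a parseable http(s) URL"
    if host in trusted_hosts:
        return None
    try:
        ipaddress.ip_address(host)
        return f"content location points at a raw IP address {host}"
    except ValueError:
        return f"content location host {host} is not an operator MMSC"

def scan_notifications(notifications, trusted_hosts=TRUSTED_MMSC_HOSTS):
    """Return (sender, reason) pairs for every notification worth an analyst's look."""
    flagged = []
    for n in notifications:
        reason = is_suspicious_notification(n, trusted_hosts)
        if reason:
            flagged.append((n.get("From", "?"), reason))
    return flagged

# Constructed sample notifications, not captured traffic.
SAMPLE_NOTIFICATIONS = [
    {"X-Mms-Message-Type": "m-notification-ind", "From": "+15550100001",
     "X-Mms-Content-Location": "http://mmsc.example-operator.net/mm1/abc123"},
    {"X-Mms-Message-Type": "m-notification-ind", "From": "+15550100002",
     "X-Mms-Content-Location": "http://203.0.113.7/m/9f2"},
    {"X-Mms-Message-Type": "m-notification-ind", "From": "+15550100003",
     "X-Mms-Content-Location": "http://unknown-host.example/x"},
    {"X-Mms-Message-Type": "m-retrieve-conf", "From": "+15550100004"},
]

if __name__ == "__main__":
    for sender, reason in scan_notifications(SAMPLE_NOTIFICATIONS):
        print(f"{sender}: {reason}")
```

Legitimate interconnect traffic may use other MMSC hosts, so the trusted set has to be maintained per operator; the check is a triage signal, not a block list.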
The meeting notes also relate to previous incidents involving NSO Group’s use of zero-click exploits and potential legal actions against the company.
In summary, the MMS fingerprinting method, though not confirmed in active use, presents a potential security concern that warrants monitoring and, where possible, mitigation.