The Israeli spyware developer may have been using unique MMS tricks to spy on smartphones.
A security researcher has discovered a new hacking tool in the toolbox of infamous spyware maker NSO Group.
Or more accurately, a new old tool.
Cathal Mc Daid, chief technology officer (CTO) of telecommunications and cybersecurity company ENEA, discovered the previously unknown hack while reviewing court documents related to litigation brought against the company by WhatsApp in 2019. At the time, WhatsApp had noticed a bug in its messaging platform that it alleges NSO Group was using to spy on a series of victims.
The matter is still before the US courts, but in the meantime, a large amount of material has been tendered into evidence, including a contract between NSO Group and Ghana’s telecommunications regulator.
In that document, in a list of “Features and capabilities” that the NSO Group can offer, there is a single entry for an “MMS Fingerprint” feature, which apparently can, without any interaction on the part of the device owner, “Reveal the target device and OS Version by sending an MMS to the device.”
This is quite a surprising feature, given that no one had heard of such a trick.
So, starting from first principles, ENEA researchers set to work trying to figure out how the NSO Group could accomplish such a task.
Since the hack is supposed to work on all three major smartphone systems (BlackBerry, Android, and iOS), it was thought to be independent of the operating system and therefore to involve the MMS flow itself. That flow is complex, to say the least, but it essentially consists of a series of stages and requests that set up the sending and receiving of the MMS.
Because not all phones supported MMS at the time, part of the process starts over the SMS channel, which in turn relies on an HTTP GET to find where the MMS content actually is.
“The interesting thing here is that within this HTTP GET, the user’s device information is included,” ENEA’s CTO said in a blog post. It was suspected that this could be the point at which information could be leaked from the target device and the MMS fingerprint could be ‘lifted.’
For the next step, ENEA needed to prove that it was indeed possible, and with the help of some random SIM cards, it turns out that yes, NSO Group’s claims are probably true. Using this trick, the researchers were able to recover the User-Agent and x-wap-profile fields from the device.
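To make the retrieval step concrete from an operator's or defender's side, here is an added example (not code from ENEA, NSO Group, or the court documents) that parses the HTTP GET a handset sends to fetch an MMS body, pulls out the User-Agent and x-wap-profile headers that make up the fingerprint, and checks whether the content location the handset was sent to is one of the operator's own MMSC hosts. The allowlist host names, the sample requests, and the function names are all constructed for illustration; the idea that a notification can point the handset at a location outside the operator's MMSC is inferred from the article, which says the device information ends up in that GET.

```python
"""Inspect the MMS retrieval GET that carries the "MMS fingerprint".

After the SMS-borne notification arrives, the handset issues an HTTP GET to
the notification's content location. That GET carries the handset's
User-Agent and x-wap-profile headers. The helpers below extract those headers
from a raw request and check whether the content location belongs to a known
MMSC host. Host names and sample requests are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed allowlist: an operator would fill this with its real MMSC hosts.
KNOWN_MMSC_HOSTS = {"mmsc.operator.example", "mms.operator.example"}

# The two headers the article names as the recovered device fingerprint.
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def extract_fingerprint(headers: dict) -> dict:
    """Return the identifying headers present in a retrieval request."""
    return {name: headers[name] for name in FINGERPRINT_HEADERS if name in headers}


def content_location_is_trusted(content_location: str, allowlist=KNOWN_MMSC_HOSTS) -> bool:
    """True if the content location resolves to a known MMSC host over HTTP(S).

    A notification whose content location points elsewhere would make the
    handset hand its fingerprint to a third party, so it deserves scrutiny.
    """
    parts = urlsplit(content_location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname.lower() in allowlist


def assess_retrieval(raw_request: str) -> dict:
    """Summarise one retrieval GET: where it went and what it disclosed.

    Handles both an absolute-URL request target (WAP gateway style) and a
    path target combined with the Host header.
    """
    method, target, headers = parse_http_request(raw_request)
    if target.lower().startswith(("http://", "https://")):
        location = target
    else:
        location = "http://" + headers.get("host", "") + target
    return {
        "method": method,
        "content_location": location,
        "trusted": content_location_is_trusted(location),
        "fingerprint": extract_fingerprint(headers),
    }


# Constructed sample: a retrieval GET aimed at a host outside the operator's MMSC.
SAMPLE_REQUEST = (
    "GET http://unknown-host.example/retrieve/abc123 HTTP/1.1\r\n"
    "Host: unknown-host.example\r\n"
    "User-Agent: ExamplePhone/1.0 (OS 12.3) MMS/1.3\r\n"
    "x-wap-profile: http://uaprof.example/examplephone.xml\r\n"
    "Accept: application/vnd.wap.mms-message\r\n"
    "\r\n"
)

# Constructed sample: the same handset fetching from the operator's own MMSC.
TRUSTED_REQUEST = (
    "GET /m/1 HTTP/1.1\r\n"
    "Host: mmsc.operator.example\r\n"
    "User-Agent: ExamplePhone/1.0 (OS 12.3) MMS/1.3\r\n"
    "x-wap-profile: http://uaprof.example/examplephone.xml\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in (("untrusted", SAMPLE_REQUEST), ("trusted", TRUSTED_REQUEST)):
        print(name, assess_retrieval(req))
```

Run as a script it prints one report per sample; the `trusted` flag is the piece an operator-side monitor would alert on, since a handset that is sent to fetch an MMS from a host that is not the MMSC is about to disclose exactly the two headers the article describes.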
“Both of these things can be very useful to malicious actors. Attackers could use this information to exploit specific vulnerabilities or tailor malicious payloads (such as Pegasus [spyware made by the NSO Group and widely used to spy on journalists and human rights activists] exploit) to the type of recipient device,” ENEA said. “Or it could be used to help craft phishing campaigns against the human using the device most effectively.
“We have observed before that surveillance companies, when presented with the opportunity to obtain information from the device, invariably do so.”
Fortunately, it does not appear that the technique is currently being used in the wild, at least as far as ENEA, which has some visibility into telecom operations, can tell.
Still, for anyone concerned about this attack vector, it may be best to follow ENEA’s advice and disable automatic MMS retrieval on your device.
You know what they say: it’s better to be safe than sorry if you’re being spied on by an Israeli spyware developer.