August 07, 2014, 11:38 AM — Vulnerabilities found in remote management software that carriers require on the smartphones and other mobile-enabled devices they sell are likely to put many devices at risk of compromise for some time to come.
Dangerous security flaws were discovered in widely deployed client implementations of the OMA Device Management (OMA-DM) protocol that allows carriers to remotely deploy firmware updates, change device data connection settings, install applications, lock and wipe devices and more.
OMA-DM capabilities vary from carrier to carrier, depending on the features they choose to enable. The technology itself is developed by third-party companies and built by manufacturers into devices that are meant to be sold through those carriers.
It's not just mobile phones that have this technology built-in, but other devices with mobile connectivity as well, such as laptops, mobile hotspots and an increasing number of embedded devices that fall into the Internet of Things category, including those in cars.
Mathew Solnik and Marc Blanchou, two researchers at Denver-based security firm Accuvant, have analyzed the OMA-DM implementations in Apple, Android and BlackBerry devices sold through carriers in the U.S. and other countries around the world. They found multiple vulnerabilities that could allow attackers to hijack the remote management functionality and take control of devices that have this technology.
The two researchers previewed the issues last week; on Wednesday they released details of the specific vulnerabilities they identified during a presentation at the Black Hat security conference in Las Vegas.
Their research focused primarily on an OMA-DM client implementation from a company called Red Bend Software that according to them is installed on 70 to 90 percent of carrier-sold mobile phones in the world. The researchers estimate, based on public statistics, that around 2 billion devices have some kind of OMA-DM software installed.
Controlling the Red Bend client software requires authentication, is done over HTTPS (HTTP Secure) and can be triggered through special WAP Push messages, the researchers said. However, the authentication mechanism relies on the device IMEI (International Mobile Station Equipment Identity) number and a static secret token shared by all devices on a particular carrier. Neither is really a secret: the IMEI is a device identifier an attacker can obtain by several means, and a token that is identical on every handset a carrier sells can be extracted from any one of them and then reused against all the others, the researchers said.
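The following is an added example, not code from Accuvant's research or from Red Bend's client, that models why a carrier-wide static token plus an IMEI does not authenticate anything. The credential derivation (an HMAC over the IMEI and a server nonce), the server class and all IMEI and token values are assumptions constructed for illustration; the only property that matters is whether the key the server checks against is shared across devices or unique to each one.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample values; none of these are real carrier or device data.
CARRIER_TOKEN = b"static-token-shared-by-every-device-on-this-carrier"  # assumed shared secret
VICTIM_IMEI = "356938035643809"    # constructed sample IMEI
ATTACKER_IMEI = "490154203237518"  # constructed sample IMEI (the attacker's own handset)


def credential(imei: str, secret: bytes, nonce: bytes) -> bytes:
    """Assumed credential derivation (illustrative, not Red Bend's actual scheme):
    an HMAC over the IMEI and a per-session server nonce, keyed with the device's secret.
    The nonce stops replay; it does nothing against an attacker who holds the key."""
    return hmac.new(secret, imei.encode("ascii") + nonce, hashlib.sha256).digest()


class ManagementServer:
    """Hypothetical OMA-DM server that verifies a client's credential.
    `secret_for_imei` is the server's view of which secret a given IMEI should hold."""

    def __init__(self, secret_for_imei):
        self._secret_for_imei = secret_for_imei
        self.nonce = os.urandom(16)  # fresh challenge for this session

    def authenticate(self, imei: str, cred: bytes) -> bool:
        expected = credential(imei, self._secret_for_imei(imei), self.nonce)
        return hmac.compare_digest(expected, cred)


def impersonation_succeeds(shared_token: bool) -> bool:
    """Does an attacker who owns one handset get accepted as VICTIM_IMEI?

    shared_token=True  models the deployment described in the article: one static
                       token for the whole carrier, extractable from any handset.
    shared_token=False models a per-device secret provisioned at manufacture."""
    if shared_token:
        secret_for_imei = lambda imei: CARRIER_TOKEN
        attacker_knows = CARRIER_TOKEN               # pulled from the attacker's own device
    else:
        per_device = {VICTIM_IMEI: secrets.token_bytes(32),
                      ATTACKER_IMEI: secrets.token_bytes(32)}
        secret_for_imei = per_device.__getitem__
        attacker_knows = per_device[ATTACKER_IMEI]   # only their own device's secret

    server = ManagementServer(secret_for_imei)
    # The attacker knows the victim's IMEI (a device identifier, not a secret) and
    # forges a credential for it using whatever key material their own device gave up.
    forged = credential(VICTIM_IMEI, attacker_knows, server.nonce)
    return server.authenticate(VICTIM_IMEI, forged)


if __name__ == "__main__":
    print("shared carrier token: attacker accepted as victim ->", impersonation_succeeds(True))
    print("per-device secret:    attacker accepted as victim ->", impersonation_succeeds(False))
```

With the shared token the forged credential verifies for any IMEI the attacker cares to name; with a per-device secret the same attacker, holding only the key from their own handset, is rejected. The challenge nonce is kept in both cases to show that it is not the fix: replay protection does not help when the long-term key is public.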
Furthermore, Solnik and Blanchou found ways to bypass the HTTPS requirement. One method takes advantage of a vulnerability in the SSL certificate validation code: it checks only that a certificate chains to a trusted certificate authority and never verifies that the certificate was issued for the management server's hostname, so any legitimately issued certificate for any domain lets an attacker impersonate the server. Another involves tricking devices into using HTTP-only test servers whose addresses are hard-coded in the client software and then impersonating those servers, since plaintext HTTP gives the client no way to tell the real server from a fake one.
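As an added example, not code from the Red Bend client or from Accuvant's talk, the block below puts the two bypasses side by side with their fixes: a certificate check that looks only at chain validity next to one that also matches the dialled hostname against the certificate's subjectAltName entries, and an endpoint filter that refuses the kind of plaintext test server the article describes. The certificate summaries, hostnames and server URLs are constructed for illustration; the `chain_ok` flag stands in for the result of chain validation, which is assumed to be done elsewhere.

```python
from urllib.parse import urlsplit

# Constructed certificate summaries in the shape of ssl.SSLSocket.getpeercert():
# a tuple of subjectAltName entries. Whether each cert chains to a trusted root
# is modelled by a separate `chain_ok` flag. All names are made up.
CARRIER_CERT = {"subjectAltName": (("DNS", "dm.carrier.example"),)}
ATTACKER_CERT = {"subjectAltName": (("DNS", "attacker.example"),
                                    ("DNS", "*.attacker.example"))}
EXPECTED_HOST = "dm.carrier.example"

# Constructed server list standing in for endpoints hard-coded in a client:
# the production HTTPS server and an HTTP-only test server.
CONFIGURED_SERVERS = ["https://dm.carrier.example/oma",
                      "http://dm-test.vendor.example/oma"]


def vulnerable_accept(cert: dict, chain_ok: bool, expected_host: str) -> bool:
    """Bug class from the article: any certificate that chains to a trusted CA is
    accepted, no matter which name it was issued for. `cert` and `expected_host`
    are never consulted."""
    return chain_ok


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or a single wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and must leave at least two fixed
    # labels, so "*.example" does not match "carrier.example" and
    # "*.carrier.example" does not match "a.b.carrier.example".
    return (len(p_labels) >= 3
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def hardened_accept(cert: dict, chain_ok: bool, expected_host: str) -> bool:
    """Chain validity AND the name the client dialled must appear in the SAN list."""
    if not chain_ok:
        return False
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(p, expected_host) for p in dns_names)


def endpoint_allowed(url: str) -> bool:
    """Refuse any management endpoint that is not HTTPS, so a built-in plaintext
    test server cannot be stood up by whoever controls the network path."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def usable_servers(urls) -> list:
    """Filter a client's configured server list down to endpoints it may talk to."""
    return [u for u in urls if endpoint_allowed(u)]


if __name__ == "__main__":
    print("vulnerable check, attacker's cert:", vulnerable_accept(ATTACKER_CERT, True, EXPECTED_HOST))
    print("hardened check, attacker's cert:  ", hardened_accept(ATTACKER_CERT, True, EXPECTED_HOST))
    print("hardened check, carrier's cert:   ", hardened_accept(CARRIER_CERT, True, EXPECTED_HOST))
    print("servers the client may use:       ", usable_servers(CONFIGURED_SERVERS))
```

A real client should not reimplement this matching: Python's `ssl.create_default_context()` already enables `check_hostname` and `CERT_REQUIRED`, and the bug in the article is exactly what happens when hostname checking is turned off or left out while chain checking stays on. The endpoint filter is the simpler half of the fix; the test servers also need to go from the shipped configuration, because a device that never has a plaintext URL to fall back to cannot be talked into using one.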