A single sentence in a contractual agreement between the NSO Group and the Ghanaian telecom regulator has brought to light a heretofore undisclosed mobile network attack known as the “MMS Fingerprint.” This attack is believed to have been operational across all major smartphone platforms, including BlackBerry, Android, and iOS, suggesting it is an OS-independent threat tied to MMS protocols.
WhatsApp Vulnerability and Legal Battle with NSO Group
A major security breach was discovered in WhatsApp in May 2019, allowing attackers to implant Pegasus spyware onto users’ phones. The exploit was activated through a WhatsApp voice call and could take control of a device without alerting the user. Subsequently, WhatsApp initiated legal action against NSO Group in October 2019, and its allegations and objections have been continuously upheld in the US courts despite NSO’s attempts to have the case dismissed.
Contractual Details Shed Light on the Attack’s Mechanism
While many details about NSO’s operations have been openly discussed, specific information from the NSO reseller contract—including a feature named “MMS Fingerprint”—had not been publicly analyzed. This tool reportedly could reveal device and OS details through a simple MMS, requiring no user interaction. The technique involved an SMS component leading to an HTTP GET request, which could transmit device information, potentially during the MMS retrieval process.
Researchers at ENEA, a Swedish telecom security firm, were able to demonstrate the feasibility of capturing User Agent and x-wap-profile data from devices using this method. These fields provide device identification and a profile of the phone’s capabilities, which attackers could exploit in crafting targeted attacks or phishing campaigns.
The research team managed to cloak the operation, ensuring that the MMS content remained hidden on the target device by using a silent SMS and manipulating message settings. Despite the demonstrated efficacy of the technique, there have been no confirmed instances of its exploitation in the wild.
For protection against potential attacks utilizing this vulnerability, mobile users are advised to disable automatic MMS retrieval, and mobile operators are encouraged to block internet connections through MMS ports.
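The operator-side mitigation above, sketched as an added example (not code from ENEA's research or from any operator's product): a check that flags HTTP GETs on the MMS bearer addressed to any host other than the operator's own MMSC, and records which of the fingerprinting headers named above the request would have exposed. The hostnames, the allowlist and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: hosts of the operator's own MMSC (hypothetical names).
OPERATOR_MMSC_HOSTS = {"mmsc.operator.example"}
# Headers the article names as carrying the device fingerprint.
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")

# Constructed sample traffic seen on the MMS bearer (not real captures).
SAMPLE_REQUESTS = [
    "GET http://mmsc.operator.example/mms/m1 HTTP/1.1\r\n"
    "Host: mmsc.operator.example\r\n"
    "User-Agent: ExamplePhone-MMS/1.0\r\n"
    "x-wap-profile: http://uaprof.vendor.example/phone.xml\r\n\r\n",
    "GET /m2 HTTP/1.1\r\n"
    "Host: collector.example.net:8080\r\n"
    "User-Agent: ExamplePhone-MMS/1.0\r\n"
    "X-Wap-Profile: http://uaprof.vendor.example/phone.xml\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP request head into (method, host, headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Proxy-style absolute URL takes precedence over the Host header.
    host = urlsplit(target).hostname or headers.get("host", "").split(":")[0]
    return method.upper(), host.lower(), headers

def check_mms_egress(raw):
    """Return a block verdict for a GET leaving the MMS bearer, else None."""
    method, host, headers = parse_request(raw)
    if method != "GET" or host in OPERATOR_MMSC_HOSTS:
        return None
    exposed = {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}
    return {"action": "block", "host": host, "exposed": exposed}

def flagged(requests):
    """Verdicts for every request that should not have left the network."""
    return [v for v in map(check_mms_egress, requests) if v is not None]

if __name__ == "__main__":
    for verdict in flagged(SAMPLE_REQUESTS):
        print(verdict)
```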