Share this article on:
The Israeli spyware developer may have been using unique MMS tricks to spy on smartphones.
A security researcher has uncovered a new hacking tool in the toolbox of infamous spyware maker NSO Group.
Or more accurately, a new old tool.
Cathal Mc Daid, chief technology officer (CTO) at telecoms and cyber security firm ENEA, discovered the heretofore unknown trick while going through court papers relating to litigation brought to bear against the company by WhatsApp in 2019. At the time, WhatsApp had become aware of a bug in its messaging platform that it alleges the NSO Group was using to spy on a raft of victims.
The matter is still before the courts in the US, but in the meantime, a whole lot of material was committed into evidence, including a contract between the NSO Group and Ghana’s telecom regulator.
In that document, in a list of “Features and Capabilities” the NSO Group can offer is a single entry about an “MMS Fingerprint” feature, which can apparently – without any interaction from the owner of the device – “Reveal the target device and OS version by sending an MMS to the device”.
This is a pretty amazing feature, given that no one had ever even heard of such a trick.
So, starting from the first principles, ENEA’s researchers went to work to try and find out how the NSO Group would even go about such a task.
Since the hack is supposed to work on all three major smartphone systems – Blackberry, Android, and iOS – it was thought that the hack was independent of the operating system, and therefore something to do with the MMS flow itself. Which is … complex to say the least but is essentially built around a series of stages and requests that set-up the sending and receiving of the MMS.
Because not all handsets were MMS-capable at the time, part of the process uses the SMS flow to get things started, which in turn relies upon an HTTP GET to find where the MMS content actually is.
“The interesting thing here is that within this HTTP GET, user device information is included,” ENEA’s CTO said in a blog post. It was suspected that this may be the point that targeted device information could be leaked, and the MMS Fingerprint could be ‘lifted’.”
For the next step, ENEA needed to prove that it was in fact possible, and with the help of some random SIM cards, it turns out that yes, NSO Group’s claims are likely true. Using this trick, researchers were able to recover the device’s UserAgent and x-wap-profile fields.
“Both of these can be very useful for malicious actors. Attackers could use this information to exploit specific vulnerabilities or tailor malicious payloads (such as the Pegasus [spyware made by the NSO Group and widely used to spy on journalists and human rights activists] exploit) to the recipient device type,” ENEA said. “Or it could be used to help craft phishing campaigns against the human using the device more effectively.
“We have observed before that surveillance companies, when presented with the chance to get device information, invariably do.”
Thankfully, it does not appear that the exploit is currently being taken advantage of, at least so far as ENEA – which does have some visibility into telco operations – is concerned.
Still, for anyone concerned about such an attack vector, maybe it’s best to follow ENEA’s advice and disable the automatic retrieval of MMSes on their device.
You know what they say – it’s better to be safe than sorry you’re being spied on by an Israeli spyware developer.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.