Israeli NSO Group Suspected of “MMS Fingerprint” Attack on WhatsApp

The latest report from Swedish telecom security firm Enea sheds light on security vulnerabilities within the widely used messaging platform, WhatsApp.

NSO Group, an Israeli spyware firm, is suspected of exploiting a novel “MMS Fingerprint” attack to target unsuspecting WhatsApp users, exposing their device information without any user interaction.

Swedish telecom security firm Enea reports that the Israeli NSO Group targeted journalists, human rights activists, lawyers, and government officials with a novel MMS Fingerprint attack, exploiting a vulnerability in WhatsApp.

The report, which the company shared with this publication on Thursday 15, 2023, recalls that WhatsApp discovered a vulnerability in its system in May 2019 that allowed attackers to install Pegasus spyware on users’ devices. The flaw was exploited to target government officials and activists globally. WhatsApp sued NSO Group over this exploitation, and NSO’s appeals failed in the US appeals court and the Supreme Court.

The attack, reportedly used by NSO Group, was discovered in a contract between the Israeli firm’s reseller and the telecom regulator of Ghana, which can be viewed in the lawsuit documents (PDF).

Enea launched an investigation to find out how an MMS fingerprint attack works. They found that it can reveal the target’s device model and OS version, without any user interaction, simply by sending the target an MMS.

The MMS UserAgent, a string that identifies the OS and device (such as a particular Samsung phone running a particular Android version), can be used by malicious actors to pick exploits for vulnerabilities known to affect that combination, tailor malicious payloads, or craft convincing phishing campaigns.

Surveillance companies often request device information, and here the UserAgent may be more useful than the IMEI, since it reveals the software version as well as the hardware. It is important to note that the MMS UserAgent is different from the browser UserAgent, which has its own privacy concerns and is subject to change.

The problem, according to Enea’s report, was not in Android, BlackBerry, or iOS devices themselves but in the complex, multi-stage MMS flow. Examining that flow suggested the attack was most likely launched through a related channel: binary SMS.

By way of background, the MMS standards designers needed a way to notify a recipient device that an MMS is waiting for it without requiring the device to be connected to the data channel. MM1_notification.REQ therefore uses SMS, specifically a binary SMS (WSP Push), to notify the recipient’s MMS user agent that a message is waiting for retrieval.

The subsequent MM1_retrieve.REQ is an HTTP GET to the URL given in that notification. The request carries the device’s identifying information in its headers, and this is where Enea suspected the MMS fingerprint was being lifted.

Researchers obtained sample SIM cards from a randomly selected Western European operator and successfully sent MM1_notification.REQs (binary SMSs) to them, setting the content location to a URL on a web server they controlled.

The target device automatically fetched the URL, exposing its UserAgent and x-wap-profile header fields. A Wireshark decode of the MMS notification and the resulting GET showed how an attacker would execute an “MMS Fingerprint” attack, demonstrating that it works in real life.

Enea’s report outlines the stages in an MMS flow and provides insight into the initial attack notification sent to the target. (Screenshot: ENEA)

The attack highlights the ongoing threat to the mobile ecosystem. Binary SMS attacks have been reported steadily over the last 20 years, underlining the need for mobile operators to evaluate their protection against such threats.

Expert Commentary

For detailed insights into the report, we reached out to Javvad Malik, lead security awareness advocate at KnowBe4, who warned that, unlike previous methods, this attack does not require user interaction, which poses a significant concern for users’ security. The targeting of journalists, activists, and officials, he said, highlights the misuse of technology for surveillance and oppression, and platforms like WhatsApp must prioritize security as the foundation of their services.

“The saga of the NSO Group and its controversial exploits offers another chapter with the revelation of the “MMS Fingerprint” attack. At the heart of this revelation is a stark reminder of the ever-evolving cybersecurity threats, demonstrating not just the sophistication of threat actors, but their relentless pursuit to leverage vulnerabilities.

The tactical evolution from requiring user interaction to achieve compromise—such as the unfortunate click on a malicious link—to now being able to extract valuable information through seemingly benign MMSs, underlines a significant shift. It’s concerning, to say the least, that users can be targeted without any user interaction.

The targeting of journalists, activists, and officials is particularly egregious, highlighting a dark side of technological advancements where tools designed to connect and empower can also be twisted into instruments of surveillance and oppression. For organisations like WhatsApp and entities involved in digital communication, the imperative is clear: Security cannot merely be a feature; it must be the very foundation upon which platforms are built and maintained.

In the broader context, incidents like the “MMS Fingerprint” attack are reminders that security cannot remain static and needs to continually evolve and build more resilient and secure systems.”

Javvad Malik – KnowBe4

To prevent the attack, users can disable MMS auto-retrieval on their handsets, although some devices do not expose that setting. On the network side, operators can filter binary SMS carrying MM1_notification messages. If a malicious binary SMS is received anyway, the remaining control is to stop the handset from connecting to the attacker-controlled address named in the notification.
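As an added example (this is not Enea’s code and is not part of the report), the following Python decodes a constructed binary-SMS MM1_notification.REQ much as the Wireshark decode in Enea’s test did, applies the network-side filtering rule described above to its X-Mms-Content-Location, and parses a constructed MM1_retrieve.REQ to show exactly which headers make up the fingerprint. The PDU bytes, the 203.0.113.10 content location, the Samsung User-Agent string and the `mmsc.example-operator.net` allowlist are assumptions for illustration; the header encodings follow the OMA MMS Encapsulation and WSP rules, and the decoder handles the general WSP field-value grammar rather than only these sample bytes.

```python
# Added example (not Enea's code): the PDU, hostnames and HTTP request below are constructed.
import re
from urllib.parse import urlparse

# SMS user-data header (port addressing: destination 2948 = WAP push, source 9200),
# WSP Push PDU (content type application/vnd.wap.mms-message, X-Wap-Application-Id
# mms.ua), then the OMA MMS M-Notification.ind headers, exactly as they ride in binary SMS.
UDH = bytes.fromhex("0605040B8423F0")
WSP_PUSH = bytes.fromhex("000603BEAF84")        # TID 0, type Push, HeadersLen 3, BE AF 84
M_NOTIFICATION_IND = (
    bytes.fromhex("8C82")                       # X-Mms-Message-Type: m-notification-ind
    + b"\x98T1\x00"                             # X-Mms-Transaction-ID: "T1"
    + bytes.fromhex("8D90")                     # X-Mms-MMS-Version: 1.0
    + bytes.fromhex("8E021000")                 # X-Mms-Message-Size: 4096
    + bytes.fromhex("88058103015180")           # X-Mms-Expiry: relative token, 86400 s
    + b"\x83http://203.0.113.10/f/1\x00"        # X-Mms-Content-Location: attacker-chosen URL
)
SAMPLE_PDU = UDH + WSP_PUSH + M_NOTIFICATION_IND
MMS_HEADERS = {0x83: "Content-Location", 0x88: "Expiry", 0x8C: "Message-Type",
               0x8D: "MMS-Version", 0x8E: "Message-Size", 0x98: "Transaction-ID"}
MESSAGE_TYPES = {0x80: "m-send-req", 0x82: "m-notification-ind", 0x84: "m-retrieve-conf"}

def _uintvar(buf, i):
    """WSP uintvar: 7 bits per byte, MSB set on every byte but the last."""
    value = 0
    while True:
        b, i = buf[i], i + 1
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, i

def _field_value(buf, i):
    """WSP field-value grammar: short-integer, length-prefixed bytes, or NUL-terminated text."""
    b = buf[i]
    if b >= 0x80:                               # short-integer, value in the low 7 bits
        return b & 0x7F, i + 1
    if b <= 30:                                 # short value-length followed by the bytes
        return buf[i + 1:i + 1 + b], i + 1 + b
    if b == 31:                                 # uintvar value-length
        n, i = _uintvar(buf, i + 1)
        return buf[i:i + n], i + n
    end = buf.index(b"\x00", i)                 # text-string; 0x7F quotes text starting >= 0x80
    s = buf[i:end]
    return (s[1:] if s[:1] == b"\x7F" else s).decode("latin-1"), end + 1

def parse_mms_notification(pdu):
    """Strip the UDH and WSP Push envelope, then decode the M-Notification.ind headers."""
    if pdu[1:5] != b"\x05\x04\x0B\x84":
        raise ValueError("UDH is not port-addressed to WAP push port 2948")
    i = 1 + pdu[0]
    if pdu[i + 1] != 0x06:
        raise ValueError("WSP PDU type is not Push")
    hdr_len, i = _uintvar(pdu, i + 2)
    if pdu[i] != 0xBE:
        raise ValueError("push content type is not application/vnd.wap.mms-message")
    i += hdr_len
    fields = {}
    while i < len(pdu):
        name = MMS_HEADERS.get(pdu[i], "0x%02X" % pdu[i])
        fields[name], i = _field_value(pdu, i + 1)
    ver, exp = fields.get("MMS-Version", 0), fields.get("Expiry", b"")
    return {
        "message_type": MESSAGE_TYPES.get(0x80 | fields.get("Message-Type", 0), "unknown"),
        "transaction_id": fields.get("Transaction-ID"),
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "message_size": int.from_bytes(fields.get("Message-Size", b""), "big"),
        # Expiry: 0x81 relative token, then a long-integer (length byte + big-endian bytes)
        "expiry_seconds": int.from_bytes(exp[2:2 + exp[1]], "big") if exp[:1] == b"\x81" else None,
        "content_location": fields.get("Content-Location"),
    }

TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.net"}   # assumed; a real filter reads operator config
def notification_verdict(pdu, trusted_hosts=TRUSTED_MMSC_HOSTS):
    """Network-side rule: let a notification through only if it points at the operator's MMSC."""
    try:
        n = parse_mms_notification(pdu)
    except (ValueError, IndexError) as exc:
        return "drop", "malformed notification: %s" % exc
    host = (urlparse(n["content_location"] or "").hostname or "").lower()
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "drop", "content location is a raw IP literal (%s)" % host
    if host not in trusted_hosts:
        return "drop", "content location host %r is not the operator MMSC" % host
    return "allow", host

# Constructed MM1_retrieve.REQ as a handset would send it; the header values are illustrative.
SAMPLE_RETRIEVE_REQ = (b"GET /f/1 HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                       b"User-Agent: SAMSUNG-SM-G960F/1.0 Linux/4.9 Android/10 Release/01.2020\r\n"
                       b"x-wap-profile: http://wap.samsungmobile.com/uaprof/SM-G960F.xml\r\n\r\n")

def mms_fingerprint(raw_request):
    """What the server at the content location learns: the MMS User-Agent and UAProf URL."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("latin-1")
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (line.partition(":") for line in head.split("\r\n")[1:])}
    ua = headers.get("user-agent", "")
    m = re.search(r"Android/([\d.]+)", ua)
    return {"user_agent": ua, "uaprof": headers.get("x-wap-profile"),
            "android_version": m.group(1) if m else None}
```

Calling `notification_verdict(SAMPLE_PDU)` returns a drop verdict because the content location is a raw IP literal rather than the operator’s MMSC; rewriting the URL to the allowlisted host turns it into an allow. `mms_fingerprint(SAMPLE_RETRIEVE_REQ)` returns the User-Agent, UAProf URL and Android version an attacker’s web server would harvest from the handset’s automatic GET, which is the data that disabling MMS auto-retrieval keeps from leaving the device.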
