Buried among the piles of legal documents that form WhatsApp’s five-year-old lawsuit against NSO Group is a line in a contract that exposes a mobile network attack dubbed “MMS Fingerprint,” a tactic for infecting mobile devices that was used by NSO.
The technique was unearthed by a researcher at Swedish telecom and cybersecurity firm Enea, who discovered it in a single entry in a contract between NSO and the telecom regulator in Ghana. The document was created in 2015 and filed as an exhibit in 2019, but MMS Fingerprint was never written about until a report this month written by Cathal McDaid, vice president of technology at Enea.
“‘MMS Fingerprint’ is not a term that was known about in the industry,” McDaid wrote. “At the time of writing a Google search doesn’t find any other entries with this term, other than the court case itself. While we always must consider that NSO Group may simply be ‘inventing’ or exaggerating the capabilities it claims to have (in our experience, surveillance companies regularly over-promise their capabilities), the fact this was on a contract rather than an advertisement suggests that it was more likely to be for real.”
The discovery of the tactic – listed in the contract under the topic “infection assisting tools” – puts another spotlight on a company that has become the poster child for the shady world of spyware makers and whose Pegasus software has been used in countries around the world to target and track journalists, dissidents, human rights activists, lawyers, and other people and groups.
“This attack is a stark reminder of how the mobile ecosystem can continually be threatened by a poorly understood but still heavily used technology that was developed without strong security in mind,” McDaid wrote. “While the MMS fingerprint attack that NSO Group described is not extensive – only returning device info – it was useful enough to have been offered as a named attack technique to governments.”
According to the contract, MMS Fingerprint can give Pegasus user details about the target’s device, including whether it’s a BlackBerry, Android, or Apple iOS device and the version of the operating system it’s running.
All this can be done by sending an MMS (Multimedia Messaging Service) to the device, with NSO putting in the description that “no user interaction, engagement or message opening is required to receive the device fingerprint.” The company added that local mobile network operators may block the feature and that the MMS content will appear on the targeted device.
The contract is one of the exhibits used in the lawsuit filed against NSO by WhatsApp, which discovered a vulnerability in the system that runs its encrypted messaging platform that enabled attackers to install Pegasus on users’ devices without the owners’ knowledge, McDaid wrote. It was exploited via a WhatsApp call, and the company blamed NSO for targeting the vulnerability, which reportedly was used in attacks.
According to McDaid, both a U.S. Appeals Court and the U.S. Supreme Court rejected NSO appeals to stop the case.
After spotting the MMS Fingerprint attack capability in the exhibit, McDaid recreated how such an attack could work. Given that vulnerable devices used different operating systems, an OS-specific attack was unlikely, so he focused on the MMS flow.
“In looking at the MMS flow, I concluded that perhaps – despite its name – the attack wasn’t happening over MMS, but rather via something else,” he wrote. “To explain this, we have to look at the overall MMS flow itself, which is somewhat ‘messy’, and that confusingly, sometimes the MMS flow is not using MMS.”
MMS was commercially introduced in 2002 and not all phones were compatible, so developers used a type of SMS known as binary SMS, or WSP Push, to notify the user agent in the recipient’s MMS device that an MMS message was awaiting retrieval. Even then, the message retrieval is an HTTP GET request to the URL address contained in the message and not specifically MMS.
“The interesting thing here, is that within this HTTP GET, user device information is included,” he wrote. “It was suspected that this may be the point that targeted device information could be leaked, and the MMS Fingerprint could be ‘lifted.’”
He tested this by using sample SIM cards from a Western European operator and, after some trial and error, was able to replicate an MMS Fingerprint attack. The HTTP GET exposed the device’s User-Agent and x-wap-profile header fields, which gave details about the targeted device.
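The leak path described above runs through the retrieval URL carried in the MMS notification: if that URL points somewhere other than the operator’s own MMSC, the handset’s HTTP GET (and its User-Agent and x-wap-profile headers) goes to a third party. As an added example that is not part of McDaid’s report, the following operator-side check scans decoded notification log lines (a constructed, assumed log format) and flags notifications whose content location falls outside an allowlist of trusted MMSC hosts.

```python
import re
from urllib.parse import urlparse

# Constructed sample: one decoded MMS notification (m-notification.ind) per
# line, in the shape an SMSC or WAP gateway might log after decoding the
# binary SMS (WSP Push). The field names and hosts are assumptions.
SAMPLE_LOG = """\
2015-06-01T10:02:11Z msisdn=+233200000001 pdu=m-notification.ind from=+233200000099 content-location=http://mmsc.example-operator.net/mms/abc123
2015-06-01T10:02:15Z msisdn=+233200000002 pdu=m-notification.ind from=+233200000099 content-location=http://mmsc.example-operator.net/mms/abc124
2015-06-01T10:03:40Z msisdn=+233200000003 pdu=m-notification.ind from=+15550001111 content-location=http://203.0.113.10:8080/r/9f2e
2015-06-01T10:04:02Z msisdn=+233200000004 pdu=m-notification.ind from=+15550001111 content-location=http://collector.example.invalid/x
"""

# Hosts the operator's own MMSC legitimately uses for message retrieval.
TRUSTED_MMSC_HOSTS = {"mmsc.example-operator.net"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) msisdn=(?P<msisdn>\S+) pdu=(?P<pdu>\S+) "
    r"from=(?P<sender>\S+) content-location=(?P<url>\S+)$"
)


def parse_notification(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(rec, trusted=TRUSTED_MMSC_HOSTS):
    """True when the retrieval URL would send the handset's HTTP GET
    (carrying User-Agent and x-wap-profile) to a host outside the MMSC."""
    host = urlparse(rec["url"]).hostname or ""
    return host not in trusted


def find_suspicious(log_text, trusted=TRUSTED_MMSC_HOSTS):
    """Scan the log and return (target, sender, url) for each suspicious notification."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_notification(line)
        if rec and rec["pdu"] == "m-notification.ind" and is_suspicious(rec, trusted):
            hits.append((rec["msisdn"], rec["sender"], rec["url"]))
    return hits


if __name__ == "__main__":
    for msisdn, sender, url in find_suspicious(SAMPLE_LOG):
        print(f"ALERT target={msisdn} sender={sender} content-location={url}")
```

A real deployment would read the decoded notifications from the gateway’s own logs rather than the constructed sample, and would treat a burst of such notifications from one sender as a stronger signal than a single hit.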
Over several months of investigation, McDaid wrote that he hadn’t seen the attack used in the wild.
“We are not present in every operator in the world so it may be used, but we did not observe any of the known surveillance company sources we monitor using this technique,” he wrote. “This may not be unexpected – as the contract document is from 2015, and attackers may no longer use this method.”
He outlined several steps users can take to wipe the “fingerprints” off their devices, but warned that “companies like NSO group have an extensive track record of executing attacks against mobile phone users for many years, and Mobile Operators should evaluate their protection in place against this and other Binary SMS attacks.”
The Biden Administration has been targeting spyware vendors – not only NSO but other companies, such as Negg Group, Cy4Gate, Cytrox, and Intellexa – including earlier this month threatening visa restrictions on foreign individuals who’ve been involved in misusing such software. Government agencies also have been banned from using Pegasus and similar commercial tools.
Cybersecurity vendors also are pushing back at spyware, with Kaspersky researchers last month outlining a method for detecting the presence of spyware in iOS devices.
In its fourth-quarter Adversarial Threat Report, Meta said it took steps to disrupt campaigns using spyware from eight firms – Cy4Gate, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries – that targeted iOS, Android, and Microsoft devices with malware that could gather device information, location, photos, contacts, social media, and messaging apps and use a device’s microphone, camera, and screenshot functions.
The campaigns targeted such companies as Facebook and Instagram – both part of Meta – X (formerly Twitter), Google and its subsidiary YouTube, TikTok, and Skype, LinkedIn, and GitHub, which are owned by Microsoft.