NSO’s “MMS Fingerprint”: Zero-Click Phone Hack?

Court filings from the ongoing legal battle between WhatsApp and the NSO Group, a firm specializing in espionage software, contain a hint at a previously unknown infection method. The contract between NSO and Ghana’s telecommunications regulator mentions a technology called “MMS Fingerprint,” classified as an infection aid. According to NSO, this method identifies the target’s device and operating system without the user having to interact with or open any message, and it can be deployed against devices running Android, BlackBerry, and iOS.

The “MMS Fingerprint” technology piqued the interest of Cathal McDaid, Vice President of Technology at the Swedish telecommunications security company Enea, who decided to dig deeper into the method. McDaid noted that MMS delivery is an untidy process that does not always rely on the MMS protocol itself. He found that when a device retrieves a pending MMS message, it issues an HTTP GET request to a URL carried in the notification, and that this request transmits information about the user’s device. This is what makes it possible to capture an MMS fingerprint.

Enea conducted tests and managed to make a target device issue a GET request to a URL on a server under Enea’s control. The request disclosed the device’s User-Agent and x-wap-profile header fields, which indicate its operating system and model, along with the UAProf (User Agent Profile) describing the phone’s capabilities. Enea was also able to hide the process by modifying the binary SMS element into a silent SMS, so that no MMS content was displayed on the target device.
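From the defender’s side, the same headers are what a network or proxy log would show if a handset were coaxed into fetching a “message” from a host that is not the operator’s MMSC. The following is an added example, not Enea’s or NSO’s code: it reads constructed JSON-lines log entries (the format, the `mmsc.operator.example` allowlist and the UAProf URLs are all assumptions), extracts what each MMS-style retrieval disclosed, and flags retrievals sent to hosts outside the allowlist.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of outbound GET requests as a gateway or proxy might log them
# (JSON lines; not any real product's format). Each line is one fetch a handset
# issued after receiving an MMS notification, plus one ordinary browser request.
SAMPLE_LOG = """\
{"ts":"2024-02-20T10:01:02Z","src":"10.0.0.5","method":"GET","url":"http://mmsc.operator.example/mms/wapenc?id=abc123","headers":{"User-Agent":"Android-Mms/2.0","x-wap-profile":"http://uaprof.vendor.example/phone-model-a.xml"}}
{"ts":"2024-02-20T10:03:44Z","src":"10.0.0.9","method":"GET","url":"http://203.0.113.10/m/8f1c","headers":{"User-Agent":"Android-Mms/2.0","x-wap-profile":"http://uaprof.vendor.example/phone-model-b.xml"}}
{"ts":"2024-02-20T10:04:10Z","src":"10.0.0.5","method":"GET","url":"https://www.example.com/index.html","headers":{"User-Agent":"Mozilla/5.0"}}
"""

# Assumed allowlist: the operator's legitimate MMSC host(s).
TRUSTED_MMSC_HOSTS = {"mmsc.operator.example"}


def _lower_headers(entry):
    """Return the entry's headers with case-insensitive (lowercased) names."""
    return {k.lower(): v for k, v in entry.get("headers", {}).items()}


def looks_like_mms_retrieval(entry):
    """Treat a GET as an MMS fetch if it carries a UAProf header or an MMS client User-Agent."""
    headers = _lower_headers(entry)
    ua = headers.get("user-agent", "")
    return entry.get("method") == "GET" and ("x-wap-profile" in headers or "mms" in ua.lower())


def audit_mms_retrievals(log_text, trusted_hosts=TRUSTED_MMSC_HOSTS):
    """Return one finding per MMS-style retrieval: what the handset disclosed and to which host."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if not looks_like_mms_retrieval(entry):
            continue
        headers = _lower_headers(entry)
        host = urlsplit(entry["url"]).hostname or ""
        findings.append({
            "src": entry["src"],
            "host": host,
            "user_agent": headers.get("user-agent"),   # OS / client disclosed
            "uaprof": headers.get("x-wap-profile"),    # device capability profile URL
            "suspicious": host not in trusted_hosts,   # retrieval from a non-MMSC host
        })
    return findings


if __name__ == "__main__":
    for f in audit_mms_retrievals(SAMPLE_LOG):
        flag = "ALERT" if f["suspicious"] else "ok"
        print(f"{flag:5} {f['src']} -> {f['host']}  UA={f['user_agent']}  UAProf={f['uaprof']}")
```

The second entry is the one to investigate: the handset handed its User-Agent and UAProf URL to a host that is not the operator’s MMSC, which is exactly the disclosure described above.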

While the description points to a pathway toward infection rather than the exploitation of a specific device vulnerability, the information obtained could simplify further attacks. Attackers could use it to pick exploits for specific vulnerabilities, tailor malicious programs to the recipient’s device type, or organize more effective phishing campaigns.

Although its real-world use remains theoretical, Enea has demonstrated that the “MMS fingerprint” method works. No evidence of its use “in the wild” has been found, but the company notes that it does not have access to data from every operator worldwide. Local mobile networks could block the method, and subscribers could disable automatic MMS retrieval on their devices, which also protects against other MMS exploits such as Stagefright.