Android phones on AT&T and Verizon vulnerable to attack

According to ZDNet, issues with protocols used by AT&T and Verizon associated with providing 4G LTE connectivity to Android devices could put millions of phones at risk of eavesdropping, over-billing and data spoofing. The alert was raised by the public vulnerability database at Carnegie Mellon University (CERT) on Friday.
When an LTE device sends data across a network, it begins by negotiating with the provider using the Session Initiation Protocol (SIP). The researchers have found a way to exploit this protocol, tricking the network into thinking the device trying to connect is that of the attacker and allowing them to spoof a phone number to call or text from.
The hack would also allow the attacker to gain extra bandwidth without incurring any additional cost. By establishing multiple sessions at the same time, requesting extra bandwidth on them all and then constantly requesting large volumes of data from the provider, the hacker could easily execute a distributed-denial-of-service (DDoS) attack, taking the network offline.
Several issues in Android mean phones do not always properly authenticate every SIP message and sometimes refuse to honour the correct permissions model for current LTE networks. This could allow an attacker to initiate a direct peer-to-peer connection between phones on a wireless network, allowing them to silently pull data off a device or spoof its phone number to generate money with premium-rate phone lines. These flaws are not present in Apple’s iOS operating system so the attack cannot be completed with an iPhone.
CERT wrote in its report: “A remote attacker on the provider’s network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls. A malicious mobile app for Android may be able to silently place phone calls without the user’s knowledge.”
Every version of Android to date is believed to be at risk. Google has acknowledged the issue and said a fix will be released as part of its next monthly security update in November, but this will only immediately be available for its own Nexus devices. It will be up to manufacturers to release the patch for their own phones, so it will be some time before handsets are secured, and some will inevitably never be fixed.
The attack is known to work on the wireless networks of AT&T and Verizon. T-Mobile’s U.S. service was also affected at the time when the researchers conducted their testing but the provider has apparently “resolved” the issue since. AT&T and Verizon have not said how they intend to remedy the situation and ensure their LTE services are kept protected.
LTE is based around packet-switching technology, which is faster than the older circuit switching but can create new entry points for attacks on networks. CERT said it is “unaware of a practical solution” to easily fix the vulnerabilities, and it will be up to each carrier and handset manufacturer to ensure that the SIP standards are met.
