Android phones running on AT&T and Verizon's LTE networks are vulnerable to attack

Thanks to an issue with the Session Initiation Protocol (SIP), employed for voice calls and instant messages over LTE, those rockin' an Android phone on AT&T or Verizon are vulnerable to attack. That is the conclusion of an advisory posted by Carnegie Mellon University, which based it on a report by Korean academics and security researchers. AT&T and Verizon users could be the victims of eavesdropping and data spoofing. While T-Mobile customers were also mentioned as being vulnerable, the carrier says that it has taken care of the issue.

Part of the problem lies in Android's lack of an "appropriate permissions model" for LTE networks. A malicious app can make your phone silently dial premium numbers (which could end up padding your bill by a large dollar amount), and a hacker can obtain bandwidth to make video calls at no extra charge. If the exploit isn't patched, attackers can use a peer-to-peer network to steal personal content from your phone. And by creating multiple SIP sessions simultaneously, an attacker can mount a DoS attack against a network.

Google plans on closing this hole with its November monthly security update for Nexus phones. AT&T and Verizon will have to fix the issue on their own networks. No word yet from the two largest U.S. carriers on how they intend to handle this problem.

source: ACM via CERT, ZDNet



9. isprobi

Posts: 797; Member since: May 30, 2011

Always new vulnerabilities for Android. It seems scary but how many really get hacked with these? Maybe I have been hacked but there is no evidence of it so far.

8. tokuzumi

Posts: 2024; Member since: Aug 27, 2009

I keep my phone in a faraday cage. The signal sucks, but I'm protected. Also, I have a Nexus, so this shouldn't be an issue for me.

6. hafini_27

Posts: 951; Member since: Oct 31, 2013

Most of these vulnerabilities require ppl to download some shady apps from elsewhere. Best just stick to the official App store.

5. Mxyzptlk unregistered

First Stagefrightgate and now this? As mobile usage rises, the threat of these attacks and malware rises.

4. MrElectrifyer

Posts: 3960; Member since: Oct 21, 2014

Requires an app to be installed to take advantage of the vulnerability? Would be blocked if you think before you click...

3. Awalker

Posts: 1987; Member since: Aug 15, 2013

People look at these types of articles and think it's a bad thing but it's Google's Android patching system at work. Google encourages people to examine Android's source code and find vulnerabilities so they can patch it. It's in their best interest to have Android as secure as possible out of box. They still give you the option to compromise your own security but you do so at your own risk.

2. gazmatic

Posts: 822; Member since: Sep 06, 2012

Hackers can also attack iPhones and Androids using radio waves through Siri and Google Now. This is why we need BlackBerry and Windows Phone. WP is secure now because it has almost no market share and is locked down. Maybe Windows 10 will open it to more hacking but as of right now it is the most secure OS of the three. BlackBerry is known for security. So I really want to know how they will handle all of these vulnerabilities inherent to Android. This is why I want the Priv to do well. More competition, more choice.

7. tacarat

Posts: 854; Member since: Apr 22, 2013

These sorts of things always get found, even on "locked down" computer systems. It's more telling of a platform's security on how fast it's fixed, not the fact it was discovered at all. Bugs have been found years after they were introduced. Some are just found quicker than others. I agree about Priv. If BlackBerry does a good job about updates then it'll be what they need to get back in the race. I'm not much about BBs themselves, but all else being equal I'll take fast security updates and long term support.

1. Subie

Posts: 2467; Member since: Aug 01, 2015

Once again you need to have a "malicious app" on your phone for it to be compromised. Wonder if any apps on the Play Store have this.
