The Computer Emergency Response Team (CERT) at Carnegie Mellon University posted a vulnerability note about multiple vulnerabilities in voice-over-LTE implementations that could potentially compromise the security and privacy of Android users on the LTE networks of major U.S. wireless carriers. All Android versions, reportedly even Marshmallow (Google's newest, Android 6.0), are vulnerable when used on Verizon Wireless and AT&T; T-Mobile claimed to have "resolved" the issue.
Long Term Evolution (LTE), also referred to as 4G, shifted “the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet.” According to a recent research abstract, “This dramatic shift opens up a number of new attack surfaces.” The authors of the research paper are the first to “analyze security issues on the VoLTE network.” The team analyzed the “VoLTE network of five operators in the United States and South Korea.”
CERT reported that the use of packet switching and the IP protocol, particularly the Session Initiation Protocol (SIP), may allow new types of attacks that were not possible on previous-generation networks.
The impact is that “a remote attacker on the provider’s network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls. A malicious mobile app for Android may be able to silently place phone calls without the user’s knowledge.”
Each provider and implementation of LTE may be vulnerable to one or more of the specific vulnerabilities noted by CERT. These flaws include incorrect permission assignment for a critical resource: Android OS "does not have appropriate permissions model for current LTE networks," which could result in "overbilling or lead to denial of service."
Improper access control is also listed: “Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.” Under “improper authentication,” CERT wrote, “Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.”
Regarding session fixation, CERT reported, “Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.”
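Two of the CERT findings above are concrete enough to check from the network side: SIP INVITEs whose From identity does not match the identity the subscriber authenticated with at registration (the spoofing finding), and a subscriber holding more than one concurrent voice session (the session-fixation finding). The following Python audit is an added example, not code from CERT or the research paper; the SIP messages, the subscriber URIs and the ims.example.net domain are constructed, and the check assumes the network can pair each request with its registration identity.

```python
import re
from collections import defaultdict
URI_RE = re.compile(r"<?(sip:[^>;\s]+)")

def invite(frm, to, call_id):
    """Build a minimal constructed INVITE request (not real carrier traffic)."""
    return (f"INVITE {to} SIP/2.0\r\nFrom: <{frm}>;tag=x\r\nTo: <{to}>\r\n"
            f"Call-ID: {call_id}\r\n\r\n")

# Hypothetical subscribers; each entry pairs the identity authenticated at registration with a request.
A, B, C, Z = (f"sip:+1555000{n}@ims.example.net" for n in (1, 2, 3, 9))
SAMPLE_TRAFFIC = [
    (A, invite(A, B, "c1@ue1")),   # legitimate call
    (A, invite(A, C, "c2@ue1")),   # second concurrent session from the same subscriber
    (Z, invite(A, B, "c3@ue2")),   # Z registered, but From claims A: spoofed caller ID
]

def parse_sip_request(raw):
    """Split a SIP request into its request line and a lowercase-keyed header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "request_uri": request_uri, "headers": headers}

def from_uri(msg):
    """Extract the bare SIP URI from the From header (drops display name and tag)."""
    match = URI_RE.search(msg["headers"].get("from", ""))
    return match.group(1) if match else None

def audit(traffic, max_sessions=1):
    """Flag From identities that differ from the authenticated one, and subscribers with more than max_sessions concurrent INVITEs."""
    findings = []
    sessions = defaultdict(set)            # authenticated identity -> distinct Call-IDs seen
    for auth_identity, raw in traffic:
        msg = parse_sip_request(raw)
        if msg["method"] != "INVITE":
            continue
        claimed = from_uri(msg)
        if claimed != auth_identity:
            findings.append(f"spoof: {auth_identity} sent INVITE claiming From {claimed}")
        sessions[auth_identity].add(msg["headers"].get("call-id"))
    for identity, call_ids in sessions.items():
        if len(call_ids) > max_sessions:
            findings.append(f"multi-session: {identity} has {len(call_ids)} concurrent INVITEs")
    return findings
```

Run against the constructed traffic, `audit(SAMPLE_TRAFFIC)` reports one spoofed caller ID and one subscriber with two concurrent sessions; raising `max_sessions` shows how a network that permits multiple simultaneous sessions would miss the second finding.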