A newly found security flaw could be affecting every Android device on AT&T or Verizon’s wireless network, according to an advisory posted by the Carnegie Mellon University CERT database. The vulnerability in question targets LTE wireless networks and takes advantage of the way some US carriers have implemented the technology on their respective networks. Users on T-Mobile's network are reportedly not affected.
On Friday, a group of South Korean researchers reported a vulnerability that puts a large pool of Android devices in the United States at risk, affecting every version of Android including Marshmallow. If exploited, the flaw could let attackers circumvent Session Initiation Protocol (SIP), which is often used in voice calls and instant messaging, to gain access to a victim's device. The attackers could then launch denial-of-service (DoS) attacks on a wireless network. Access to a victim's network opens the door to a number of sophisticated and serious attacks, such as bypassing VoLTE's accounting system to use bandwidth for free and wiretapping the victim's calls and messages.
The security flaw largely lies in the way LTE technology works. LTE uses packet switching instead of the older circuit switching to transfer data across the Internet. Packet switching is more network- and cost-efficient, and also more reliable. Furthermore, the mechanism makes it possible for the system to detect if a network route is faulty and automatically find another way to send the data. However, it is also prone to a number of new vulnerabilities.
"[...] We considered security issues and possible attacks related to VoLTE call service after legitimate IMS registration. However, an attacker can also utilize a SIP REGISTER message to perform other attacks. If there are vulnerabilities in the registration phase, an attacker can control all access to a victim’s VoLTE service. For example, she can carry out an imposter attack or even wiretapping,"
A spokesperson for T-Mobile acknowledged the existence of the aforementioned security flaw, and told ZDNet that they have resolved the issue. According to the researchers, Apple’s iPhones aren’t affected by this vulnerability. A Google spokesperson told the publication that they would roll out a fix for the flaw for Nexus devices in their monthly security patch in November.
Source: CERT via ZDNet