Users of Android-based LTE devices on AT&T and Verizon in the USA are said to be under threat of malicious attacks owing to a vulnerability found in the Session Initiation Protocol (SIP), which is used for voice calls and instant messaging. The security threat reportedly leaves users susceptible to loss of privacy through eavesdropping, as well as over-billing through data spoofing. According to security researchers, Android as an operating system “does not have appropriate permissions model” for LTE networks, which is what leaves them most vulnerable to this latest security scare. The issue was first brought to light by security researchers and academics in South Korea. Carnegie Mellon then published an advisory on its public vulnerability database (CERT) on Friday, based on that research.
The security researchers who have been studying this rather disconcerting security vulnerability, have already made it clear that the issue needs to treated on a war footing, so as to lay out a “comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network”. Researchers at CERT however, were unsure of what can be done at this point in time to stop the issue from becoming a security nightmare for the networks, for Google, for device makers and indeed – for the customers. While the researchers claimed that devices on T-Mobile and Verizon were most at risk from peer-to-peer attacks, AT&T apparently is also believed to suffer from the same issues, according to the researches, seeing as the carriers have a very similar implementation of LTE on their networks. T-Mobile however, has claimed that it has already been able to resolve all outstanding issues, meaning devices on its network are not under threat anymore, if the carrier is to be believed.
Coming to the threat itself, while all versions of Android are said to be affected by the latest vulnerability, most of the issues found are network dependent, as already mentioned. Researchers have laid out a number of scenarios as to how the attacks can be carried out, including unauthorized making of phone calls, sending of texts and using of mobile data through surreptitiously installed apps on an unsuspecting victim’s phone. The security hole, left unplugged, can also use a peer-to-peer network to retrieve data from a victim’s phone, conduct targeted eavesdropping on somebody and even carry out a DoS (Denial of Service) attack on the network in theory, by establishing multiple SIP sessions at once, thereby eating up bandwidth and clogging up the network. While a Google spokesperson clarified that the company will roll out a patch for Nexus smartphones and tablets as part of its November monthly security update, there was nothing official forthcoming from either AT&T or Verizon on the issue, as of press time. There is no clarity either about when patches might start rolling out for non-Nexus devices from manufacturers and carriers.