LTE 4G Networks Put Androids At Risk of Overbilling and Phone Number Spoofing

An anonymous reader writes: Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the current status of LTE (Long-Term Evolution) mobile networks, which are plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged. The vulnerabilities were discovered by 8 scientists which documented them in their research.

WAAAAY Overblown!

[wolrahnaes]

Here's a link to a page that actually describes the "vulnerabilities" they found: http://www.kb.cert.org/vuls/id...

All of them only apply to Voice over LTE environments, which are different from traditional mobile phone networks in that the LTE network is purely IP traffic so it's effectively a voice over IP call using standard protocols like SIP the same as an internet-based VoIP service would.

As someone who's been working in VoIP for over a decade I just have to laugh at this crap.

Let's start:

The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.

Translation: A VoIP app doesn't require phone permissions if it's not accessing any of the OS' phone subsystems. No shit, sherlock.

The only way this could result in billing or denial of service is if the carrier was not properly authenticating the SIP traffic and was just assuming that anything from that phone aimed at the right IP address must be a legit call. That's 100% a carrier fault, not any flaw with the system. Do they propose that Android should be specifically watching for SIP traffic and require an app have the phone permission to be able to send it?

Apple reports that iOS is not affected by this issue.

I smell bullshit, but I don't have an iOS device to confirm. I doubt Apple requires that VoIP clients have special permissions over anything else.

Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.

This is carrier logic if I've ever heard it. Using the data service I pay for to send IP traffic (which happens to contain voice or video) directly to another user on the data service they pay for is somehow a vulnerability? Again I'm not sure how this is platform-specific.

Spoofing numbers again would require that the carrier have their network configured in a stupidly open and trusting fashion. None of my customers can spoof numbers unless I allow them to (hint: I don't) and it wasn't rocket science to set things up that way.

Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.

Repeating themselves here, while this time acknowledging that it's the network's problem.

Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.

Well at least this time they blame the network from the start. I wouldn't limit users to a single session, that restricts 3/4 way calls, but reasonable limits are good there. Still not sure what would be wrong with endpoints directly contacting each other via the data service they're paying for.

I have no doubt that some carriers' networks are truly insecure enough to allow the spoofing and fraudulent usage described here, but that's entirely down to their own stupidity because none of these things are hard to prevent at the network level, even the ones that aren't actual problems.

That's

[jlv]

The Softpedia article claims
"Only Android devices are affected, iOS users are safe"

The paper cited only describes the vulnerabilities in terms of being researched on Android. Nowhere does it say that iOS cannot have these problems.

I didn't even see anything to this effect in the CERT postings.

Re:Android wins on openness and marketshare

[BronsCon]

So they broke the pattern for a single release. Good start, let's see if they keep it up. The article you linked to even agrees with me regarding Apple's history of failing support for older iOS devices; if you read the very first sentence, you'd realize that. Here it is, for reference:

In theory, the release of a new OS version from Apple is supposed to be a reason to cheer, but if you own anything but the latest hardware, that’s rarely been the case.

And it's not like I don't have any iOS devices in my home, through which I might actually know what I'm talking about. The Gen1 iPad, iPad Air, iPad Air 2, iPhone 6 Plus (along with the iPhone 5 it replaced, the iPhone 4 that replaced, and the iPhone 3G that replaced) surely count for nothing. All of the iPads have been mine, while all of the iPhones have been my wife's, though the 1st gen iPad started out as hers and I did actually use the 3G for a few months.

Nope, no experience with iOS devices at all here. None whatsoever. Except for the past 5 and a half years. Of 8 years they've been on the market. So yeah, I might not have been an iOS user from day one, but I'm not unfamiliar with the platform by any measure.

Save your weak arguments for Android zealots.

Re:LOL, "true" Android

[BronsCon]

Open, that's what all you nerds brag about

Where/when have I done this, so as to be lumped in with that group?

but then you complain there's only one Android made by Google that nobody even buys and we should ignore all the insecure, unsupported versions that 98% of people own?

I see, you're just trying to build a strawman. Try this on for size.

It is not the fault of Google or Android that manufacturers do not support their devices. Don't like Samsung's device support? Blame Samsung and don't buy Samsung anymore. Don't like LG's device support? Blame LG and don't buy LG anymore. Don't like HTC's device support? Blame HTC and don't buy HTC anymore. I could sit here and list every manufacturer, but I'm sure you get the point by now. Google does not have the same shitty support for the devices they sell directly; their support is actually quite good. That 98% of the population buys from manufacturers that just don't give a shit does not negate that 2% of us have brains and prefer to use them.

Logic fail!

Wow, most people who make those don't manage to identify them before posting. Good on you.