Slashdot Mirror


LTE 4G Networks Put Androids At Risk of Overbilling and Phone Number Spoofing

An anonymous reader writes: Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the current status of LTE (Long-Term Evolution) mobile networks, which are plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged. The vulnerabilities were discovered by 8 scientists which documented them in their research.


  1. Editors, please proof read submissions! by kaka.mala.vachva · · Score: 3, Insightful

    I don't expect everyone to have perfect English (I don't), but editors should do some proof reading before they post articles. The vulnerabilities were discovered by 8 scientists *who* documented them in their research. or better yet: These vulnerabilities were discovered and documented by 8 scientists as part of their research.

  2. To Be Honest by Anonymous Coward · · Score: 2, Interesting

    I have for a while now been tempted to leave Android and I've decided to do so on November 15, which is the day AT&T releases the new Windows Phone 950. Call me mad, but I'm tired of the Android shenanigans, the balkanization between carriers, and even devices within a single carrier. I've got a Nexus 6 at the moment, and it still does not have Marshmallow. I want to wait for the OTA rather than flash it myself, but come November 15, this device is gone.

    1. Re:To Be Honest by JackieBrown · · Score: 3, Insightful

      I've got a Nexus 6 at the moment, and it still does not have Marshmallow. I want to wait for the OTA rather than flash it myself, but come November 15, this device is gone.

      Please send it to me. Thank you

  3. Hmmm ... by gstoddart · · Score: 3, Interesting

    So, if it's us who can get ripped off, they'll do nothing to fix this. If it's them who can get ripped off, they'll try to get lawmakers to outlaw that so they don't have to do anything to fix it.

    Should we continue to expect telcos to be inept and indifferent to this, and not give a crap if their customers are getting ripped off?

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm ... by wasteoid · · Score: 2

      Yes

  4. Re:Let me guess. by GrumpySteen · · Score: 5, Interesting

    Let me guess... you didn't read the paper. Oh look, my guess was right while yours were not.

    To be fair, that wasn't actually a guess. Every assumption you made was wrong, so it's pretty obvious that you didn't bother looking at the paper to see if you were even close to correct.

  5. Hardly need spoofing in Canada by ramriot · · Score: 3, Interesting

    The security issues are not even needed to get over-billed in Canada. With stock Android 5.1 or above (including the latest Marshmallow), use on either of the two main budget carriers can result in roaming data charges even when roaming data is disabled.

    It seems, because of a programming decision as to how Android tells if it is roaming inside of a shared MVNO region, and the odd decision of these two carriers to mimic in-network names when using partner carriers, the phone will ignore the user's selection to not use roaming data and thus incur charges in the range of $1/MB.

  6. Sounds like a feature to me! by Overzeetop · · Score: 2

    "create direct peer-to-peer connections between two users without being monitored by the carrier, which, in turn, allows for free data communications"

    That sounds like an app that would be nice to have if you're in the middle of nowhere without cells, but want to stay connected to friends in your party.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  7. Re:Android wins on openness and marketshare by 0123456 · · Score: 2

    There's a new iPhone coming, better get back in line at the Apple store.

    But Apple's not forcing you to buy it by making your old phone obsolete.

  8. WAAAAY Overblown! by wolrahnaes · · Score: 5, Informative

    Here's a link to a page that actually describes the "vulnerabilities" they found: http://www.kb.cert.org/vuls/id...

    All of them only apply to Voice over LTE environments, which are different from traditional mobile phone networks in that the LTE network is purely IP traffic so it's effectively a voice over IP call using standard protocols like SIP the same as an internet-based VoIP service would.

    As someone who's been working in VoIP for over a decade I just have to laugh at this crap.

    Let's start:

    The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.

    Translation: A VoIP app doesn't require phone permissions if it's not accessing any of the OS' phone subsystems. No shit, sherlock.

    The only way this could result in billing or denial of service is if the carrier was not properly authenticating the SIP traffic and was just assuming that anything from that phone aimed at the right IP address must be a legit call. That's 100% a carrier fault, not any flaw with the system. Do they propose that Android should be specifically watching for SIP traffic and require an app have the phone permission to be able to send it?

    Apple reports that iOS is not affected by this issue.

    I smell bullshit, but I don't have an iOS device to confirm. I doubt Apple requires that VoIP clients have special permissions over anything else.

    Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.

    This is carrier logic if I've ever heard it. Using the data service I pay for to send IP traffic (which happens to contain voice or video) directly to another user on the data service they pay for is somehow a vulnerability? Again I'm not sure how this is platform-specific.

    Spoofing numbers again would require that the carrier have their network configured in a stupidly open and trusting fashion. None of my customers can spoof numbers unless I allow them to (hint: I don't) and it wasn't rocket science to set things up that way.

    Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.

    Repeating themselves here, while this time acknowledging that it's the network's problem.

    Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.

    Well at least this time they blame the network from the start. I wouldn't limit users to a single session, that restricts 3/4 way calls, but reasonable limits are good there. Still not sure what would be wrong with endpoints directly contacting each other via the data service they're paying for.

    I have no doubt that some carriers' networks are truly insecure enough to allow the spoofing and fraudulent usage described here, but that's entirely down to their own stupidity because none of these things are hard to prevent at the network level, even the ones that aren't actual problems.

    --
    I used to get high on life, but I developed a tolerance. Now I need something stronger.
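The network-level checks the comment above describes (authenticate every SIP message, keep a reasonable per-user session limit), shown as an added Python example that is not code from the post, the paper or any carrier. The `Edge` class, the source-IP-to-identity table, the cap of 4 and the chosen response codes are assumptions, and the messages are constructed samples.

```python
from dataclasses import dataclass, field

MAX_SESSIONS = 4  # assumed per-subscriber cap; leaves room for 3- and 4-way calls

def parse_sip(raw):
    # Return (method, headers) with header names lower-cased; the body is ignored.
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0], headers

def uri_user(value):
    # User part of a From value such as '<sip:+15550100@ims.example>;tag=a1'.
    uri = value.split("<", 1)[1].split(">", 1)[0] if "<" in value else value.split(";", 1)[0]
    return uri.partition(":")[2].split("@", 1)[0]

@dataclass
class Edge:
    registrations: dict  # source IP -> identity bound at authenticated registration (assumed)
    active: dict = field(default_factory=dict)  # identity -> set of live Call-IDs

    def admit(self, src_ip, raw):
        # Check every request, not only REGISTER, and return (status, reason).
        method, h = parse_sip(raw)
        identity = self.registrations.get(src_ip)
        if identity is None:
            return (403, "source address has no registration")
        if uri_user(h.get("from", "")) != identity:
            return (403, "From does not match the registered identity")
        call_id = h.get("call-id", "")
        calls = self.active.setdefault(identity, set())
        if method == "INVITE":
            if call_id not in calls and len(calls) >= MAX_SESSIONS:
                return (486, "concurrent session limit reached")
            calls.add(call_id)
        elif method == "BYE":
            calls.discard(call_id)
        return (200, "ok")

def request(method, user, call_id):
    # Constructed sample message; ims.example and the numbers are placeholders.
    return (f"{method} sip:+15550199@ims.example SIP/2.0\r\n"
            f"From: <sip:{user}@ims.example>;tag=a1\r\nCall-ID: {call_id}\r\n\r\n")

def demo():
    edge = Edge({"10.0.0.7": "+15550100"})
    codes = [edge.admit("10.0.0.7", request("INVITE", "+15550100", f"c{i}"))[0] for i in range(5)]
    codes.append(edge.admit("10.0.0.7", request("INVITE", "+15550123", "x"))[0])  # spoofed From
    codes.append(edge.admit("10.0.0.9", request("INVITE", "+15550100", "y"))[0])  # unknown source
    return codes
```

`demo()` sends five INVITEs from the registered subscriber, then one with a mismatched From and one from an unregistered address; only the first four are admitted.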
    1. Re:WAAAAY Overblown! by steveg · · Score: 2

      You're right, and last I looked you had to specifically switch your phone over to use VoLTE. It's not enabled by default.

      It's quite possible that iOS phones are not affected because they don't support the VoLTE functionality. I don't *know* that, but I do seem to recall that the VoLTE capability was added in the last year or two to Android phones, and older ones don't support it.

      --
      Ignorance killed the cat. Curiosity was framed.
  9. That's by jlv · · Score: 4, Informative

    The Softpedia article claims
    "Only Android devices are affected, iOS users are safe"

    The paper cited only describes the vulnerabilities in terms of being researched on Android. Nowhere does it say that iOS cannot have these problems.

    I didn't even see anything to this effect in the CERT postings.

    1. Re:That's by campuscodi · · Score: 2
    2. Re:That's by bluefoxlucid · · Score: 2

      Apple has claimed it's not vulnerable to e.g. sending IP packets directly to IP addresses if those IP packets are SIP packets, with no substantiation. SIP applications can use TLS as well, making packet inspection difficult.

    3. Re:That's by BronsCon · · Score: 3, Interesting

      Apple made the claim that iOS is not affected, but these are all carrier-side vulnerabilities that only require the app have the ability to send raw packets to the internet, which can certainly be done from iOS, as well as Windows. It's how VoIP apps work.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  10. Re:Android wins on openness and marketshare by BronsCon · · Score: 5, Interesting

    But they run. Or so I hear.

    Meanwhile, Nexus devices are guaranteed support for 3 years from first sale or 18mo from the final date of sale on Google Play, whichever is longer. I keep seeing claims from iPhone users that "my 4 year old phone has the latest updates" while pointing out the 18mo EOL. It universally turns out that they have the model that was released 4 years prior and not an older model they simply bought 4 years ago, and that model is still being sold. What they fail to recognize is that software support for iOS devices stops the moment Apple stops selling the device (even when carriers may continue selling them for up to a year). Well, that and the fact that, while they might be running the most recent version of iOS, they only get the most recent features on the most recent devices (I'm glaring at iOS9 for the omission of splitscreening on the iPad Air [which I own], which is more than capable of supporting it; and the sad excuse that was given for Siri only being included in iOS for the 4s when it ran just fine on the 3gs as an app before Apple bought the company).

    Android, and I mean true android (read: Nexus devices), on the other hand, only leaves out features that require hardware not present in the device. And, with Google's commitment to supporting the devices for a minimum of 18 months after Google stops selling them, even with carriers selling the devices for up to a year after that, Nexus devices have support for at least 6 months after their last date of sale. Contrasted with iOS devices, which are still sold for up to a year after software support has ended, well, it's not hard to see why some of us prefer Android (again, Nexus).

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  11. Re:Android wins on openness and marketshare by Penguinisto · · Score: 2

    What they fail to recognize is that software support for iOS devices stops the moment Apple stops selling the device (even when carriers may continue selling them for up to a year).

    Small point of order - what you wrote is completely wrong.

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Re:Android wins on openness and marketshare by BronsCon · · Score: 2, Informative

    So they broke the pattern for a single release. Good start, let's see if they keep it up. The article you linked to even agrees with me regarding Apple's history of failing support for older iOS devices; if you read the very first sentence, you'd realize that. Here it is, for reference:

    In theory, the release of a new OS version from Apple is supposed to be a reason to cheer, but if you own anything but the latest hardware, that’s rarely been the case.

    And it's not like I don't have any iOS devices in my home, through which I might actually know what I'm talking about. The Gen1 iPad, iPad Air, iPad Air 2, iPhone 6 Plus (along with the iPhone 5 it replaced, the iPhone 4 that replaced, and the iPhone 3G that replaced) surely count for nothing. All of the iPads have been mine, while all of the iPhones have been my wife's, though the 1st gen iPad started out as hers and I did actually use the 3G for a few months.

    Nope, no experience with iOS devices at all here. None whatsoever. Except for the past 5 and a half years. Of 8 years they've been on the market. So yeah, I might not have been an iOS user from day one, but I'm not unfamiliar with the platform by any measure.

    Save your weak arguments for Android zealots.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  13. Re:LOL, "true" Android by BronsCon · · Score: 3, Informative

    Open, that's what all you nerds brag about

    Where/when have I done this, so as to be lumped in with that group?

    but then you complain there's only one Android made by Google that nobody even buys and we should ignore all the insecure, unsupported versions that 98% of people own?

    I see, you're just trying to build a strawman. Try this on for size.

    It is not the fault of Google or Android that manufacturers do not support their devices. Don't like Samsung's device support? Blame Samsung and don't buy Samsung anymore. Don't like LG's device support? Blame LG and don't buy LG anymore. Don't like HTC's device support? Blame HTC and don't buy HTC anymore. I could sit here and list every manufacturer, but I'm sure you get the point by now. Google does not have the same shitty support for the devices they sell directly; their support is actually quite good. That 98% of the population buys from manufacturers that just don't give a shit does not negate that 2% of us have brains and prefer to use them.

    Logic fail!

    Wow, most people who make those don't manage to identify them before posting. Good on you.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  14. Re:Android Only by blackpaw · · Score: 2

    "Only Android devices are affected, iOS users are safe"

    Ah, Android, is there anything you don't fail at?

    Windows phone - regular updates direct from MS and a lot smoother than the laggy Android experience.

  15. Re:Android wins on openness and marketshare by BronsCon · · Score: 2

    Google's Nexus line is actually what I was referring to. I apologize for only stating that four times in my comment.

    I do agree that Google should crack down on their OEM partners' shoddy support, but that does not take away from the Nexus line. Honestly, though, vanilla Android provides a better experience not just in my opinion, but also in the opinions of people who've compared my Nexus 6 to their Android device; given that, even if the OEM partners shaped up their support game, unless they did so by shipping vanilla Android (which would allow Google to support the devices directly, anyway), I (and for future purchases, those who've gotten to play with my Nexus 6 next to their various devices) will be sticking to the Nexus line. From that perspective, no other line of Android devices even comes close to being relevant.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.