Slashdot Mirror
LTE 4G Networks Put Androids At Risk of Overbilling and Phone Number Spoofing
An anonymous reader writes: Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the current status of LTE (Long-Term Evolution) mobile networks, which are plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged. The vulnerabilities were discovered by 8 scientists which documented them in their research.
I don't expect everyone to have perfect English (I don't), but editors should do some proof reading before they post articles. The vulnerabilities were discovered by 8 scientists *who* documented them in their research. or better yet: These vulnerabilities were discovered and documented by 8 scientists as part of their research.
So, if it's us who can get ripped off, they'll do nothing to fix this. If it's them who can get ripped off, they'll try to get lawmakers to outlaw that so they don't have to do anything to fix it.
Should we continue to expect telcos to be inept and indifferent to this, and not give a crap if their customers are getting ripped off?
Lost at C:>. Found at C.
Let me guess... you didn't read the paper. Oh look, my guess was right while yours were not.
To be fair, that wasn't actually a guess. Every assumption you made was wrong, so it's pretty obvious that you didn't bother looking at the paper to see if you were even close to correct.
The security issues are not even needed to get over-billed in Canada. With stock Android 5.1 or above (including the latest Marshmallow), use on either of the two main budget carriers can result in roaming data charges even when roaming data is disabled.
In seams, because of a programming decision as to how Android tells if it is roaming inside of a shared NVNO region and the odd decision of these two carriers to mimic in network names when using partner carriers the phone will ignore the users selection to not use roaming data and thus incur charges in the range of $1/MB.
I've got a Nexus 6 at the moment, and it still does not have Marshmallow. I want to wait for the OTA rather than flash it myself, but come November 15, this device is gone.
Please send it to me. Thank you
Here's a link to a page that actually describes the "vulnerabilities" they found: http://www.kb.cert.org/vuls/id...
All of them only apply to Voice over LTE environments, which are different from traditional mobile phone networks in that the LTE network is purely IP traffic so it's effectively a voice over IP call using standard protocols like SIP the same as an internet-based VoIP service would.
As someone who's been working in VoIP for over a decade I just have to laugh at this crap.
Let's start:
The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.
Translation: A VoIP app doesn't require phone permissions if it's not accessing any of the OS' phone subsystems. No shit, sherlock.
The only way this could result in billing or denial of service is if the carrier was not properly authenticating the SIP traffic and was just assuming that anything from that phone aimed at the right IP address must be a legit call. That's 100% a carrier fault, not any flaw with the system. Do they propose that Android should be specifically watching for SIP traffic and require an app have the phone permission to be able to send it?
Apple reports that iOS is not affected by this issue.
I smell bullshit, but I don't have an iOS device to confirm. I doubt Apple requires that VoIP clients have special permissions over anything else.
Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.
This is carrier logic if I've ever heard it. Using the data service I pay for to send IP traffic (which happens to contain voice or video) directly to another user on the data service they pay for is somehow a vulnerability? Again I'm not sure how this is platform-specific.
Spoofing numbers again would require that the carrier have their network configured in a stupidly open and trusting fashion. None of my customers can spoof numbers unless I allow them to (hint: I don't) and it wasn't rocket science to set things up that way.
Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.
Repeating themselves here, while this time acknowledging that it's the network's problem.
Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.
Well at least this time they blame the network from the start. I wouldn't limit users to a single session, that restricts 3/4 way calls, but reasonable limits are good there. Still not sure what would be wrong with endpoints directly contacting each other via the data service they're paying for.
I have no doubt that some carriers' networks are truly insecure enough to allow the spoofing and fraudulent usage described here, but that's entirely down to their own stupidity because none of these things are hard to prevent at the network level, even the ones that aren't actual problems.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
The Softpedia article claims
"Only Android devices are affected, iOS users are safe"
The paper cited only describes the vulnerabilities in terms of being researched on Android. Nowhere does it say that iOS cannot have these problems.
I didn't even see anything to this effect in the CERT postings.
But they run. Or so I hear.
Meanwhile, Nexus devices are guaranteed support for 3 years from first sale or 18mo from the final date of sale on Google Play, whichever is longer. I keep seeing claims from iPhone users that "my 4 year old phone has the latest updates" while pointing out the 18mo EOL. It universally turns out that they have the model that was released 4 years prior and not an older model they simply bought 4 years ago, and that model is still being sold. What they fail to recognize is that software support for iOS devices stops the moment Apple stops selling the device (even when carriers may continue selling them for up to a year). Well, that and the fact that, while they might be running the most recent version of iOS, they only get the most recent features on the most recent devices (I'm glaring at iOS9 for the omission of splitscreening on the iPad Air [which I own], which is more than capable of supporting it; and the sad excuse that was given for Siri only being included in iOS for the 4s when it ran just gone on the 3gs as an app before Apple bought the company).
Android, and I mean true android (read: Nexus devices), on the other hand, only leaves out features that require hardware not present in the device. And, with Google's commitment to supporting the devices for a minimum of 18 months Google stops selling them, even with carriers selling the devices for up to a year after that, Nexus devices have support for at least 6 months after their last date of sale. Contrasted with iOS devices, which are still sold for up to a year after software support has ended, well, it's not hard to see why some of us prefer Android (again, Nexus).
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Open, that's what all you nerds brag about
Where/when have I done this, so as to be lumped in with that group?
but then you complain there's only one Android made by Google that nobody even buys and we should ignore all the insecure, unsupported versions that 98% of people own?
I see, you're just trying to build a strawman. Try this on for size.
It is not the fault of Google or Android that manufacturers do not support their devices. Don't like Samsung's device support? Blame Samsung and don't buy Samsung anymore. Don't like LG's device support? Blame LG and don't buy LG anymore. Don't like HTC's device support? Blame HTC and don't buy HTC anymore. I could sit here and list every manufacturer, but I'm sure you get the point by now. Google does not have the same shitty support for the devices they sell directly; their support is actually quite good. That 98% of the population buys from manufacturers that just don't give a shit does not negate that 2% of us have brains and prefer to use them.
Logic fail!
Wow, most people who make those don't manage to identify them before posting. Good on you.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.