Number: IRCNE2015102658
Date: 2015/10/19
According to “zdnet”, AT&T and Verizon's implementations of LTE are said to be vulnerable to "to several issues" that could result in eavesdropping, data spoofing, and over-billing for potentially millions of phones.
Android devices on these networks are at most risk because the software "does not have appropriate permissions model" for LTE networks.
T-Mobile customers were affected but the issue has since been "resolved," a spokesperson said.
Apple products are not affected.
LTE (also known as 4G) relies on packet switching, a common way of sending data across the internet, rather than the old method of circuit switching. This new method of sending data allows for new kinds of attacks, particularly against the Session Initiation Protocol (SIP), nowadays more commonly used in voice calls and instant messaging.
Researchers have found a method that exploits the way that SIP works, by spoofing phone numbers for calls or text messages. It's also possible for an attacker to obtain free bandwidth for more data-intensive activities, like video calling, without incurring any additional costs. In some cases, an attacker can establish multiple SIP sessions at the same time, which could lead to a denial-of-service attack on the network.
The advisory said each network was vulnerable to "one or more" of the issues. CERT, which published the advisory, said it was currently unaware of a practical fix to the issues.
The researchers said every version of Android was at risk, whereas other attacks were network dependent.
When contacted, a Google spokesperson said the company will fix the issue for Nexus devices as part of its November Monthly Security Update, but did not confirm which Android versions were affected.
- 7