The Computer Emergency Response Team (CERT) at Carnegie Mellon University posted a vulnerability note about multiple vulnerabilities in voice-over-LTE implementations that could potentially compromise the security and privacy of Android users on LTE networks of major U.S. wireless carriers. All Android versions, reportedly even Marshmallow, Google’s newest Android 6.0, are vulnerable when being used on Verizon Wireless and AT&T; T-Mobile claimed to have “resolved” the issue.
Long Term Evolution (LTE), also referred to as 4G, shifted “the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet.” According to a recent research abstract, “This dramatic shift opens up a number of new attack surfaces.” The authors of the research paper are the first to “analyze security issues on the VoLTE network.” The team analyzed the “VoLTE network of five operators in the United States and South Korea.”
CERT reported that the use of packet switching and the IP protocol – particularly the Session Initiation Protocol (SIP) protocol – may allow for new types of attacks not possible on previous-generation networks.
The impact is that “a remote attacker on the provider's network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls. A malicious mobile app for Android may be able to silently place phone calls without the user's knowledge.”
Each provider and implementation of LTE may be vulnerable to one or more of the specific vulnerabilities noted by CERT. These flaws include “incorrect permission assignment for critical resource”: Android OS “does not have appropriate permissions model for current LTE networks,” which could result in “overbilling or lead to denial of service.”
Improper access control is also listed: “Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.” Under “improper authentication,” CERT wrote, “Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.”
Regarding session fixation, CERT reported, “Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.”
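The three SIP-side weaknesses CERT lists (unauthenticated SIP messages that permit number spoofing, multiple simultaneous sessions per subscriber, and sessions set up directly between phones rather than through the provider’s infrastructure) can all be expressed as checks an operator’s SIP edge could apply to every INVITE. The following is an added illustration written for this article; it is not code from CERT, the researchers, or any carrier. The registration table, the media-relay address range, the SIP messages and the minimal parser are all constructed for the example, and the SDP address check is a simplified stand-in for the network-level access control a real IMS core would use to keep media from flowing phone-to-phone.

```python
import re
import ipaddress

# Constructed table: after IMS registration, each UE's IP is bound to exactly one
# identity. Hypothetical stand-in for state a P-CSCF/S-CSCF keeps.
REGISTRATIONS = {
    "10.0.0.11": "sip:+15551230001@ims.example.net",
    "10.0.0.12": "sip:+15551230002@ims.example.net",
}

# Constructed: the operator's media relay range. An SDP connection address outside
# it means the two phones would exchange media directly, unaccounted for.
MEDIA_RELAY_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_sip(raw):
    """Minimal SIP request parser: returns (method, headers dict, body).

    Constructed for the example; a real stack must handle folding, compact
    header names and multiple headers of the same name."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def uri_of(header_value):
    """Extract the bare URI from a From/To header such as '"A" <sip:x@y>;tag=1'."""
    m = re.search(r"<([^>]+)>", header_value)
    return m.group(1) if m else header_value.split(";")[0].strip()


class SessionPolicy:
    """Per-INVITE checks for the three issues described in the CERT note."""

    def __init__(self):
        self.active = {}  # registered identity -> Call-ID of its one live session

    def check_invite(self, src_ip, raw):
        method, hdr, body = parse_sip(raw)
        if method != "INVITE":
            return "ignore"
        registered = REGISTRATIONS.get(src_ip)
        if registered is None:
            return "reject: unregistered source"
        # Improper authentication: the asserted From identity must be the one
        # bound to this UE at registration, otherwise the caller ID is spoofed.
        if uri_of(hdr.get("from", "")) != registered:
            return "reject: From does not match registered identity"
        # Session fixation: one voice session per subscriber. A re-INVITE that
        # reuses the existing Call-ID is allowed; a second call is not.
        call_id = hdr.get("call-id")
        if registered in self.active and self.active[registered] != call_id:
            return "reject: identity already has an active voice session"
        # Improper access control: media must terminate on the operator's relay,
        # not on another subscriber's address.
        for line in body.splitlines():
            if line.startswith("c="):
                addr = ipaddress.ip_address(line.split()[-1])
                if addr not in MEDIA_RELAY_NET:
                    return "reject: SDP media address bypasses operator media relay"
        self.active[registered] = call_id
        return "accept"


def sample_messages():
    """Constructed INVITEs: legitimate, spoofed From, second call, phone-to-phone media."""
    def invite(frm, to, call_id, media_ip):
        return (f"INVITE {to} SIP/2.0\r\nFrom: <{frm}>;tag=1\r\nTo: <{to}>\r\n"
                f"Call-ID: {call_id}\r\nContent-Type: application/sdp\r\n\r\n"
                f"v=0\r\nc=IN IP4 {media_ip}\r\nm=audio 49170 RTP/AVP 0\r\n")
    a, b = REGISTRATIONS["10.0.0.11"], REGISTRATIONS["10.0.0.12"]
    return [
        ("10.0.0.11", invite(a, b, "call-1", "192.0.2.10")),
        ("10.0.0.12", invite(a, b, "call-2", "192.0.2.10")),  # From claims a's number
        ("10.0.0.11", invite(a, b, "call-3", "192.0.2.10")),  # second concurrent call
        ("10.0.0.12", invite(b, a, "call-4", "10.0.0.11")),   # media straight to the other UE
    ]


def run_demo():
    policy = SessionPolicy()
    return [policy.check_invite(ip, msg) for ip, msg in sample_messages()]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only the first message is accepted; the other three map one-to-one onto the spoofing, multiple-session and unaccounted peer-to-peer cases the note describes. The point of the example is that each check is cheap and local to the SIP edge, which is why the researchers characterize the bugs as easy to fix while the surrounding accounting and access-control processes are what make deployment hard.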
No current solution
The solution? There currently is not one. CERT’s Garret Wassermann wrote:
The CERT/CC is currently unaware of a practical solution to these problems.
Each provider must apply updates to their own network as necessary to resolve these issues. However, each provider is vulnerable to a different subset of these issues, so the exact fixes and timelines vary between providers. Concerned customers should contact their service provider for more information.
While Google is listed as an affected vendor, Apple is not affected. Verizon and AT&T, which were notified in July, and T-Mobile, which was notified in May, are listed with an “unknown” status. Google told ZDNet that it will fix the flaw in Nexus devices when it rolls out its November Monthly Security Update. T-Mobile said it has already fixed the problem, but AT&T and Verizon declined to comment at all.
Research and analysis
CERT referenced “Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations” (pdf) written by Hongil Kim, Dongkwan Kim, Minhee Kwon, Hyungseok Han, Yeongjin Jang, Dongsu Han, Taesoo Kim, and Yongdae Kim. The researchers wrote:
Although we discovered a few implementation bugs that are easy to fix, the core problem is complicated processes, involving accounting, access control, session management, and EPC-UE interaction. This is evidenced by the response from ISPs, Android, and US/KR CERTs to our responsive disclosure. It requires greater attention because a systematic security analysis of new architecture is always necessary to make the architecture robust.
They concluded:
In this paper, we considered security issues and possible attacks related to VoLTE call service after legitimate IMS registration. However, an attacker can also utilize a SIP REGISTER message to perform other attacks. If there are vulnerabilities in the registration phase, an attacker can control all access to a victim’s VoLTE service. For example, she can carry out an imposter attack or even wiretapping. We plan to investigate scenarios such as this in future work. In this work, we concentrated on the problems and vulnerabilities discovered in five operators; however, more problems and vulnerabilities may be present in these and other operators. As more and more operators provide VoLTE services, it is essential that more security analyses be conducted on VoLTE networks.
Sprint to throttle data hogs
Although Sprint is not listed by CERT, the wireless carrier is still making headlines since its CTO announced it will throttle speeds of customers who have unlimited data plans but use more than 23GB of data during a billing cycle; this move follows throttling practices that are in place at other big wireless carriers. According to Sprint, “With 23GB of data you can send 6,000 emails with attachments, and view 1,500 web pages, and post 600 photos, and stream 60 hours of music, and stream 50 hours of video each and every month. That’s a lot of data, and it’s far more than most customers ever use in a typical billing cycle.”