Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Android Wireless Networking

LTE 4G Networks Put Androids At Risk of Overbilling and Phone Number Spoofing 113

An anonymous reader writes: Carnegie Mellon University's CERT security vulnerabilities database has issued an alert regarding the current status of LTE (Long-Term Evolution) mobile networks, which are plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged. The vulnerabilities were discovered by 8 scientists which documented them in their research.
This discussion has been archived. No new comments can be posted.

LTE 4G Networks Put Androids At Risk of Overbilling and Phone Number Spoofing

Comments Filter:
  • by kaka.mala.vachva ( 1164605 ) on Monday October 19, 2015 @01:44PM (#50760319)
    I don't expect everyone to have perfect English (I don't), but editors should do some proof reading before they post articles. The vulnerabilities were discovered by 8 scientists *who* documented them in their research. or better yet: These vulnerabilities were discovered and documented by 8 scientists as part of their research.
    • I don't expect everyone to have perfect English (I don't)

      No, but I do expect people who get paid based on their proficiency of English to have perfect English. Two that immediately come to mind are 1: Translators, and 2: Editors.

  • To Be Honest (Score:2, Interesting)

    by Anonymous Coward

    I have for a while now been tempted to leave Android and I've decided to do so on November 15, which is the day AT&T releases the new Windows Phone 950. Call me mad, but I'm tired of the Android shenanigans, the balkanization between carriers, and even devices within a single carrier. I've got a Nexus 6 at the moment, and it still does not have Marshmallow. I want to wait for the OTA rather than flash it myself, but come November 15, this device is gone.

    • Re:To Be Honest (Score:4, Insightful)

      by JackieBrown ( 987087 ) on Monday October 19, 2015 @02:06PM (#50760485)

      I've got a Nexus 6 at the moment, and it still does not have Marshmallow. I want to wait for the OTA rather than flash it myself, but come November 15, this device is gone.

      Please send it to me. Thank you

    • So a Windows phone is somehow going to be better?

      • So a Windows phone is somehow going to be better?

        Yes, updates are direct from MS rather than the carrier.

        And personally I find the interface a lot nicer than the android one.

      • Well, WP does have pretty strict limits on how much OEMs and carriers are allowed to screw with the devices, or at least did for WP7.x and 8.x. Not sure what the policies for W10M will be yet. Among those limitations is a requirement that carrier-installed apps be removable (though in practice the apps may simply be UI for carrier stuff that is included in the firmware and stays when the app is removed, like T-Mobile's WiFi Calling), and that the primary shell UI not be modified. WP app compatibility is als

  • by Anonymous Coward

    4G is a vulnerability in itself, given how quickly you can use your month's worth of data...

    • by sims 2 ( 994794 )

      Ikr I downloaded ios 9.0.2 this morning 1.42GB in under 10 minutes. Would have taken at least 15 minutes on dsl.

  • Hmmm ... (Score:4, Interesting)

    by gstoddart ( 321705 ) on Monday October 19, 2015 @01:49PM (#50760357) Homepage

    So, if it's us who can get ripped off, they'll do nothing to fix this. If it's them who can get ripped off, they'll try to get lawmakers to outlaw that so they don't have to do anything to fix it.

    Should we continue to expect telcos to be inept and indifferent to this, and not give a crap if their customers are getting ripped off?

  • by ramriot ( 1354111 ) on Monday October 19, 2015 @01:59PM (#50760425)

    The security issues are not even needed to get over-billed in Canada. With stock Android 5.1 or above (including the latest Marshmallow), use on either of the two main budget carriers can result in roaming data charges even when roaming data is disabled.

    In seams, because of a programming decision as to how Android tells if it is roaming inside of a shared NVNO region and the odd decision of these two carriers to mimic in network names when using partner carriers the phone will ignore the users selection to not use roaming data and thus incur charges in the range of $1/MB.

  • by Overzeetop ( 214511 ) on Monday October 19, 2015 @02:02PM (#50760453) Journal

    "create direct peer-to-peer connections between two users without being monitored by the carrier, which, in turn, allows for free data communications"

    That sounds like a app that would be nice to have if you're in the middle of nowhere without cells, but want to stay connected to friends in your party.

    • A good way to fix a vulnerability where you can send data without being charged is by charging for that data. Its always something better to say "we fix a vulnerability pointed out by security researchers" than to say "we demand money for using our infrastructure even if it is not involved".

    • by sims 2 ( 994794 )

      Sounds like a walkie talkie. IIRC you used to be able to buy phones with this feature they had a separate radio that operated on frs/gmrs.

  • WAAAAY Overblown! (Score:5, Informative)

    by wolrahnaes ( 632574 ) <seanNO@SPAMseanharlow.info> on Monday October 19, 2015 @02:49PM (#50760775) Homepage Journal

    Here's a link to a page that actually describes the "vulnerabilities" they found: http://www.kb.cert.org/vuls/id... [cert.org]

    All of them only apply to Voice over LTE environments, which are different from traditional mobile phone networks in that the LTE network is purely IP traffic so it's effectively a voice over IP call using standard protocols like SIP the same as an internet-based VoIP service would.

    As someone who's been working in VoIP for over a decade I just have to laugh at this crap.

    Let's start:

    The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.

    Translation: A VoIP app doesn't require phone permissions if it's not accessing any of the OS' phone subsystems. No shit, sherlock.

    The only way this could result in billing or denial of service is if the carrier was not properly authenticating the SIP traffic and was just assuming that anything from that phone aimed at the right IP address must be a legit call. That's 100% a carrier fault, not any flaw with the system. Do they propose that Android should be specifically watching for SIP traffic and require an app have the phone permission to be able to send it?

    Apple reports that iOS is not affected by this issue.

    I smell bullshit, but I don't have an iOS device to confirm. I doubt Apple requires that VoIP clients have special permissions over anything else.

    Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.

    This is carrier logic if I've ever heard it. Using the data service I pay for to send IP traffic (which happens to contain voice or video) directly to another user on the data service they pay for is somehow a vulnerability? Again I'm not sure how this is platform-specific.

    Spoofing numbers again would require that the carrier have their network configured in a stupidly open and trusting fashion. None of my customers can spoof numbers unless I allow them to (hint: I don't) and it wasn't rocket science to set things up that way.

    Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.

    Repeating themselves here, while this time acknowledging that it's the network's problem.

    Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.

    Well at least this time they blame the network from the start. I wouldn't limit users to a single session, that restricts 3/4 way calls, but reasonable limits are good there. Still not sure what would be wrong with endpoints directly contacting each other via the data service they're paying for.

    I have no doubt that some carriers' networks are truly insecure enough to allow the spoofing and fraudulent usage described here, but that's entirely down to their own stupidity because none of these things are hard to prevent at the network level, even the ones that aren't actual problems.

    • by steveg ( 55825 )

      You're right, and last I looked you had to specifically switch your phone over to use VoLTE. It's not enabled by default.

      It's quite possible that IOS phones are not affected because they don't support the VoLTE functionality. I don't *know* that, but I do seem to recall that the VoLTE capability was added in the last year or two to Android phones, and older ones don't support it.

  • Will this stop them of dreaming of electric sheep?

    Or did the poster mean "Android phones"?

  • That's (Score:5, Informative)

    by jlv ( 5619 ) on Monday October 19, 2015 @03:07PM (#50760905)

    The Softpedia article claims
    "Only Android devices are affected, iOS users are safe"

    The paper cited only describes the vulnerabilities in terms of being researched on Android. Nowhere does it say that iOS cannot have these problems.

    I didn't even see anything to this effect in the CERT postings.

    • Hi, maybe this will help: http://www.kb.cert.org/vuls/id... [cert.org] and this: http://www.kb.cert.org/vuls/id... [cert.org]
    • Apple has claimed it's not vulnerable to e.g. sending IP packets directly to IP addresses if those IP packets are SIP packets, with no substantiation. SIP applications can use TLS as well, making packet inspection difficult.
      • Apple has claimed it's not vulnerable to e.g. sending IP packets directly to IP addresses if those IP packets are SIP packets, with no substantiation. SIP applications can use TLS as well, making packet inspection difficult.

        Most carriers use NAT's to reduce down the number of IP addresses needed for servicing mobile phones. That NAT usage will also block most unsolicited incoming IP level traffic. I.E. Traffic originating on mobile teleco's VoIP network will get through and no one else., so this becomes a non-issue.

        • This is outgoing IP traffic from the mobile phone, not incoming from outside. Apple is claiming their mobile phone itself is incapable of sending a specific IP packet which another mobile phone can send just fine, unless the application has special permissions.
    • Re:That's (Score:4, Interesting)

      by BronsCon ( 927697 ) <social@bronstrup.com> on Monday October 19, 2015 @03:35PM (#50761209) Journal
      Apple made the claim that iOS is not affected, but these are all carrier-side vulnerabilities that only require the app have the ability to send raw packets to the internet, which can certainly be done from iOS, as well as Windows. It's how VoIP apps work.
      • by Anonymous Coward

        iOS apps can send TCP/UDP packets using approved APIs. You cannot use SOCK_RAW on an iPhone.

        From memory, data and voice are recommended/required to be separate with VoLTE - data connections are tunnelled or attached to a different APN and apps cannot see the carrier LTE network directly. It's a bit like 2 VLANs over a single ethernet link.

        However, since VoLTE happens at the app level rather than on the baseband, Android's hackability and security model can be convinced to expose a lot more of this to user a

  • ...plagued by four vulnerabilities that allow attackers to spoof phone numbers, overbill clients, create DoS (Denial of Service) states on the phone and network, and even obtain free data transfers without being charged.

    OH NOES! You can hear those carriers leaping into action when they found out that last part.

  • I wonder if that makes it a 'meta-vulnerability' :-)
  • Yes, iOS has had, er, ONE that could maybe have been an Exploit (but likely actually not); but Android has had about a Googolplex (haha) of them.

    Why do you think that is? And don't say it's because it is the more popular platform; because that is the epitome of a strawman argument. iOS is PLENTY popular enough to be worth exploiting. So it must be something else.

    Perhaps it's because the malware writers know that, on Android, the Exploit will be available on a significant number of handsets for months, e

Fast, cheap, good: pick two.

Working...