New flaw makes Android devices on AT&T & Verizon’s wireless services vulnerable
According to the advisory, Google’s (NASDAQ: GOOG) Android platform does not have appropriate permissions security for LTE networks, especially for VoLTE, and also suffers from improper access control.
If you have an Android smartphone running on AT&T or Verizon’s wireless network, you could be at the mercy of hackers, according to a new advisory posted to the Carnegie Mellon University CERT database.
T-Mobile customers were affected, but the issue has since been “resolved”, a spokesperson said. LTE, which is also referred to as 4G, uses packet switching to send data across the internet instead of the older circuit switching approach, as the former is more cost efficient as well as reliable. If exploited, attackers could circumvent Session Initiation Protocol (SIP), often used in voice calls and instant messaging, to gain access to a victim’s device.
In some cases, an attacker can establish numerous SIP sessions at the same time, leading to a denial of service attack on the internet. The researchers suggest that service providers need to apply updates to their networks to resolve the vulnerability. CERT said it is “unaware of a practical solution” to easily fix the vulnerabilities and it will be up to each carrier and handset manufacturer to ensure that the SIP standards are met. By exploiting the loopholes, hackers can also carry out denial of service attacks on these networks as well as execute data exploitation with ‘silent calls,’ which will allow them to make unlimited phone calls and consume huge amounts of cellular data without anything showing up in the records or bills. “A malicious mobile app for Android may be able to silently place phone calls without the user’s knowledge.” That could be used to generate money on premium lines, for over-billing, as well as for conducting targeted eavesdropping.
According to the researchers, every Android phone is at high risk; however, sources confirmed that this issue will be fixed very soon. Google has acknowledged the issue and said a fix will be released as part of its next monthly security update in November, but this will only immediately be available for its own Nexus devices. Android devices on other carriers like T-Mobile are not reported to be affected by the vulnerability. An email to Verizon was not returned.