Android phones on Verizon, AT&T face LTE security vulnerability, researchers say

Verizon Wireless (NYSE: VZ) and AT&T Mobility (NYSE: T) customers with Android phones are vulnerable to security and privacy breaches when using Voice over LTE, according to an advisory posted by security researchers.

As ZDNet notes, the advisory, which posted by Carnegie Mellon University's public vulnerability database (CERT) on Friday, was based on a paper published by South Korean academics and security researchers. "A remote attacker on the provider's network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls," the advisory said about the vulnerability's potential impact. "A malicious mobile app for Android may be able to silently place phone calls without the user's knowledge."

According to the advisory, Google's (NASDAQ: GOOG) Android platform does not have appropriate permissions security for LTE networks, especially for VoLTE, and also suffers from improper access control. "Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider," the advisory states. "This may be used to either spoof phone numbers or obtain free data usage such as for video calls."

The advisory also notes that some networks "allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network."

The paper called for a "comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network."

The issue apparently does not affect Apple's (NASDAQ: AAPL) iOS. A T-Mobile US (NYSE:TMUS) spokesman said the issue has been "resolved," but declined to comment further.

AT&Tdisputed the report's conclusions. "This paper's conclusions are not an accurate representation of our LTE security," AT&T said in a statement to FierceWireless. "Keeping our network and customers highly secure is a top priority, and we are continually working to ensure we're implementing the best possible security protections."

Representatives from Sprint (NYSE: S) did not have a comment at deadline and representatives from Verizon and U.S. Cellular (NYSE:USM) did not immediately respond to requests for comment. 

For more:
- see this Association for Computing Machinery study
- see this CERT page
- see this ZDNet article 
- see this Network World article 

Related articles:
T-Mobile launches RCS-based native video calling feature
Verizon's Small: We have close to 4M VoLTE customers
T-Mobile launches RCS services under 'Advanced Messaging' brand, with support from Samsung phones
Verizon launches private LTE network with QoS differentiation for enterprise apps, IoT
Report: CIA spies have been trying to hack Apple's iPhone security for years
Gemalto reveals GCHQ, NSA failed to crack SIM encryption keys

Article updated Oct. 20 at 8:05 a.m. ET with a statement from AT&T.