Worldwide, Android holds about 85% of the cellphone market. In the US, that number is not much different. However, two of the biggest carriers in the US, AT&T and Verizon, have been found to have security flaws in their LTE network. LTE stands for Long Term Evolution, and is the standard used by telecommunication companies to designate high speed data. If you are an iPhone user, don’t worry. It does not affect iPhone.
The Computer Emergency Response Team (CERT) at Carnegie Mellon University discovered a security flaw in all versions of the Android operating system, including Marshmallow. The flaw stems from the 4G LTE style that is currently being used by major carriers. Because it is faster, phones have the potential to get information via p2p instead of being authenticated by a server.
Why does this matter? On previous versions of the network, communications were monitored and authenticated in a different way. The packet switching protocol used now means that a malicious app could potentially dial other phones on it’s own, resulting in over usage or denial of service. Because such connections are not properly may not be properly authenticated by a SIP (packet switching IP) server, phone numbers could be spoofed.
There are several other issues as well, including session fixation, improper access control, and incorrect permission assignment. Again, these flaws are on AT&T and Verizon. Allegedly, T-mobile has this issue resolved. All of these issues could potentially cause problems on Android devices. Because of market share, that leaves more than 80% of Android users with potential flaws in their phones. According to CERT, there is no practical solution to these problems. They advise contacting your provider.
And there you have it. If you have an Android device and are on one of these networks, we would advise taking the advice of CERT. Contact your provider and see when and if these security flaws have been addressed. As important to us as our cells have become, it is scary to think that a vulnerability like this is in our presence. Many people have become very careful in what they do, in an effort to protect their privacy. The solution to this issue however, is not on the user, but on the carriers.
Going forward, it will be interesting to see how these major carriers deal with this problem. Since the vulnerabilities affect both of them equally, it might be a smart solution to see them work together to get the issue resolved more quickly. Don’t count on that happening though. Until then, all we can do is call and ask, and maybe there will be an answer soon.