T-Mobile/Verizon Android Device LTE Security Vulnerability

T-Mobile/Verizon Android Device LTE Security Vulnerability

Carnegie Mellon University CERT database has published a vulnerability notice regarding the newest security vulnerability that affects Long Term Evolution (LTE) mobile networks. Per Android Headlines, The issue was first brought to light by security researchers and academics in South Korea. Carnegie Mellon then published an advisory on its public vulnerability database (CERT) on Friday. “The security hole, left unplugged, can also use a peer-to-peer network to retrieve data from a victim’s phone, conduct targeted eavesdropping on somebody and even carry out a DoS (Denial of Service) attack on the network in theory, by establishing multiple Session Initiation Protocol (SIP) sessions at once, thereby eating up bandwidth and clogging up the network.”

ZDNet is reporting that Apple products are not affected. Only Android devices are at the biggest risk on T-Mobile and Verizon. AT&T has not conducted full testing, but likely at risk. International Business Times and Neowin added that T-Mobile is aware of the issue and have resolved the issue. Google has reportedly said that they will roll out a fix for Nexus devices in their monthly security patch in November.

Our Analysis

According to the vulnerability notice, AT&T, T-Mobile and Verizon were notified on May 21, 2015 about the vulnerability and T-Mobile is the only one reporting that the issue has been resolved. Unfortunately this is a vulnerability that affects only the Android community and the patching has to come from the vendors. Hopefully now that the vulnerability notice  has brought light to this issue, it will result in a resolution. To be notified almost 5 months ago and still not resolved is troubling. If a hacker were to gain access, then they could retrieve data from phones and even spoof phone numbers to make calls.

All Android users should keep an eye on accounts they access from their phone for any activity that wasn’t initiated by you. For any accounts you should use two-factor authentication to add an extra level of protection. For instance, you log into Facebook from a new device, then you receive a text message and enter a code to verify you. If you receive that message, but hadn’t logged in, then you will be aware of someone trying to access your account. It’s a great tool to utilize for that extra protection and doesn’t take long to setup.

For any more information such as your vendor patching their network, be sure to check in with Carnegie Mellon University CERT Vulnerability Note.

Other High Profile Breaches:

Experian (includes T-Mobile)
Scottrade
Trump Hotels
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison
Ashley Madison (follow up)


Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.

References

Neowin
International Business Times
ZDNet
Android Headlines
Vulnerability Notice


Enter your email address:


Delivered by FeedBurner


Subscribe to our mailing list

* indicates required







About Scott Entsminger

Scott Entsminger was born and raised in Virginia. He graduated from Radford University with a Bachelor’s of Science in Criminal Justice. Scott has worked for the Department of Defense since graduating college. He is an expert in Windows Administration; with specific experience in Group Policy and vulnerability remediation. He also has specific experience in Information Assurance (IA) and Cyber Security.

Scott holds the CompTIA Security+ certification. He is always looking to diversify his skillset. Scott is an avid sports fan, particularly baseball. He also is an avid gamer and enjoys learning different skills involving his PC.