T-Mobile/Verizon Android Device LTE Security Vulnerability
Carnegie Mellon University CERT database has published a vulnerability notice regarding the newest security vulnerability that affects Long Term Evolution (LTE) mobile networks. Per Android Headlines, The issue was first brought to light by security researchers and academics in South Korea. Carnegie Mellon then published an advisory on its public vulnerability database (CERT) on Friday. “The security hole, left unplugged, can also use a peer-to-peer network to retrieve data from a victim’s phone, conduct targeted eavesdropping on somebody and even carry out a DoS (Denial of Service) attack on the network in theory, by establishing multiple Session Initiation Protocol (SIP) sessions at once, thereby eating up bandwidth and clogging up the network.”
ZDNet is reporting that Apple products are not affected. Only Android devices are at the biggest risk on T-Mobile and Verizon. AT&T has not conducted full testing, but likely at risk. International Business Times and Neowin added that T-Mobile is aware of the issue and have resolved the issue. Google has reportedly said that they will roll out a fix for Nexus devices in their monthly security patch in November.
According to the vulnerability notice, AT&T, T-Mobile and Verizon were notified on May 21, 2015 about the vulnerability and T-Mobile is the only one reporting that the issue has been resolved. Unfortunately this is a vulnerability that affects only the Android community and the patching has to come from the vendors. Hopefully now that the vulnerability notice has brought light to this issue, it will result in a resolution. To be notified almost 5 months ago and still not resolved is troubling. If a hacker were to gain access, then they could retrieve data from phones and even spoof phone numbers to make calls.
All Android users should keep an eye on accounts they access from their phone for any activity that wasn’t initiated by you. For any accounts you should use two-factor authentication to add an extra level of protection. For instance, you log into Facebook from a new device, then you receive a text message and enter a code to verify you. If you receive that message, but hadn’t logged in, then you will be aware of someone trying to access your account. It’s a great tool to utilize for that extra protection and doesn’t take long to setup.
For any more information such as your vendor patching their network, be sure to check in with Carnegie Mellon University CERT Vulnerability Note.
Other High Profile Breaches:
Experian (includes T-Mobile)
Tesla and Chrysler (unrelated to each other)
Apple App Store
U.S. Office of Personnel Management (OPM)
Kaspersky & FireEye (unrelated to each other)
Excellus Blue Cross Blue Shield
Ashley Madison (follow up)
Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.
Be sure to subscribe to this blog and to our Podcast.
If you have ANY Cybersecurity needs, please contact us and a member of our staff with promptly reply to your question or concern.