Vulnerabilities that have been found in LTE networks leave Android devices open to a DDoS attack, according to the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University.
Multiple vulnerabilities have been found in Long Term Evolution (LTE) networks that could leave Android devices at risk of a distributed denial of service (DDoS) attack.
This is according to the Computer Emergency Response Team Coordination Center (CERT/CC) at Carnegie Mellon University, which published a vulnerability note on October 16th.
Garret Wassermann, a vulnerability analyst at CERT/CC, explained that the conversion from circuit switching to packet switching on LTE mobile networks “allows new attacks not previously possible”.
The problem presently, the expert noted, is that the Android operating system does not have the relevant permissions model in place for current LTE networks.
“The CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets,” Mr Wassermann continued.
“A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.”
Additionally, a cybercriminal could possess the potential to create peer-to-peer connections that would extract data from other devices, as well as spoof numbers when making calls.
Furthermore, if a malicious mobile app was installed on a compromised device, phone calls could be made without a user ever knowing.
Mr Wassermann concluded that he and his colleagues are not yet aware of a “practical solution” to this vulnerability and the others outlined by CERT/CC.
Last month, it was reported that the team at CERT/CC had found multiple flaws in a Belkin router, which left it open to attack.
Joel Land, a vulnerability analyst at CERT, said that Belkin’s N600 DB Wireless Dual Band N+ router contained five specific flaws.
He expanded: “A remote, unauthenticated attacker may be able to spoof DNS responses to cause vulnerable devices to contact attacker-controlled hosts.”