4G Flaw Affects All Android Phones on AT&T, Verizon

The vast majority of security flaws can only affect you if your software is out-of-date, or if you neglect to install a security suite. Once in a while, though, one crops up that blasts users across the board.

Such is the case with a newly discovered cellphone flaw. The Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, sponsored by the Department of Homeland Security, is warning that all Android phones on AT&T and Verizon Wireless are currently open to attack over the Long Term Evolution (LTE) 4G network, and for the moment, there's not much the average consumer can do about it.

Information about the LTE flaw initially came from a team of South Korean security researchers. The researchers' technical paper, entitled "Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations," first saw the light of day at the 22nd ACM SIGSAC conference in Denver earlier this month. The takeaway is that calls made over an LTE network could theoretically make a phone susceptible to data theft, phone spoofing and unauthorized calls.


If you're interested in exactly how the process works (and have the technical chops to parse it), the research paper explains in great detail how LTE networks can use a new telephony protocol called voice-over-LTE (VoLTE). As 4G/LTE networks become more common, more and more phone calls use VoLTE rather than traditional telephone-network protocols.

Essentially, pre-LTE cellphone calls worked much the same as their land-line counterparts have since the 19th century. Two parties would connect directly to each other using a dedicated temporary connection, or circuit, provided by the telephone network. Signals, whether analog or digital, would travel directly between them along that single connection without interference from a third party. Some LTE voice networks still use this model.

VoLTE is very different and uses packet-switching, which transmits small bits (or "packets") of data across a large network made up of a theoretically infinite number of connections — i.e., the Internet. Each data packet "knows" where to go, and the packets are reassembled into a data stream — in this case, sound — at the destination. Almost every piece of data transmitted across the Internet follows such protocols.

However, moving to packet-based switching opens up voice calls to a huge array of Internet-based attacks that cellular carriers, accustomed to the built-in insularity of circuit-based switching, might not have anticipated. As VoLTE packets travel over the Internet, third parties can access these packets by using sophisticated techniques described in the research paper.

To put it simply, a technically-minded cybercriminal could override call permissions, horn in on private calls, steal a phone number for his or her own purposes or even hack into a user's phone directly. From there, installing a malicious Android app on a targeted phone would be trivial, further opening up the phone for text-message scams, phishing or whatever else could turn a profit.

There is some good news, however: The issue appears to be exclusive to Android phones on the AT&T and Verizon networks. T-Mobile users (and, by inference, MetroPCS users as well) were affected when the paper was written, but T-Mobile told ZDNet that the issue had been "resolved." (Sprint has not yet launched VoLTE service.) Apple devices on any network are unaffected.

This patchwork of vulnerable and immune systems suggests that both Google and the wireless carriers can patch the issue — and should probably do so sooner rather than later.

It's worth noting that there's currently no reason to think that attackers are using these techniques in the wild, although the paper may inspire some to try. At present, Carnegie Mellon CERT is "unaware of a practical solution to these problems."

Tom's Guide has one suggested solution, although it's not ideal and will not work on all Android phones. Go into Settings, select Cellular Networks or Mobile Networks, then Preferred Network Type. If there's an opportunity to switch from LTE to 3G, CDMA or GSM, do so. (Not every phone has this option.)

3G networks are apparently unaffected by the LTE issue, although they're not ideal for processing modern sites and apps; phones have come a long way in the past few years. 

Marshall Honorof


  • Michael_55
    Why not just turn off VoLTE instead of LTE?

    Settings -> Advanced Calling -> toggle off.
  • Michael_55
    Also probably should point out that it seems you can only make a VoLTE call from one VoLTE-enabled handset to another on the same carrier. Luckily Verizon is slow to enable; if you use the video calling list as a surrogate for VoLTE-ready, I have all of 9 out of hundreds of contacts that are ready on VZW. (Everyone would be different, of course.)
  • Paul Wagenseil
    Looks like the Advanced Calling setting is only on Verizon phones, Michael_55, but I think it would work in those instances -- thanks for the tip!
  • Stephen_255
    The author of this article clearly did not read the ACM paper he links to! The author makes it seem like, if you have an Android phone, your phone is now wide open to someone installing apps on it and exploiting it without your knowledge. Almost all of the exploits that ACM paper details relate to exploiting the network, not the phone itself! The only phone-related exploits they mention are ONLY IF you install an app that has bad stuff in it (leading to, at worst, blocking phone calls, call spoofing, or over-billing). The article failed to mention who is most at risk -- Verizon and AT&T!!! What are they at risk for? Users getting free bandwidth using VoLTE channels (because they bill VoLTE by the minute, not by data). Denial of Service. Cellular users establishing a free P2P (like a torrent) network via phones. Billing of unwitting users.

    Also, this article makes it seem like it is the fact that the phones are Android phones that the security flaws exist. Nowhere in the ACM paper do they say that Apple phones are not vulnerable too! It's just that nobody has tried it yet because it is harder to do, probably.