Is it still possible to do phone phreaking? Yes, with Android on LTE

Call spoofing and overbilling are possible due to flaws in how voice is transferred over mobile data networks, researchers say

In the 1960s and 70s, technically savvy enthusiasts sought to game telecommunications systems to make free calls, keeping telecom engineers on their toes.

That practice, known as phreaking, involved such luminaries as Steve Jobs, Steve Wozniak and John Draper, known as Cap'n Crunch, who used a whistle from a cereal box to meddle with AT&T's long-distance trunk lines.

These days, mobile operators have fully embraced the Internet and are increasingly moving voice calls over fast, packet-switched networks, known as Voice over LTE (Long Term Evolution). The advantage is higher-quality voice calls for subscribers and lower costs for operators.

But South Korean researchers say they've found several weaknesses in VoLTE networks in the U.S. and South Korea.

Their findings, released in a research paper, conclude that it would be possible to spoof phone calls, conduct denial-of-service attacks and overbill customers. They also found it would be possible for a malicious Android app to make secret phone calls in the background due to a flaw in the mobile OS. 

The fault also lies in part with operators, which haven't fully vetted their infrastructure for security issues. Also, LTE standards have been implemented in different ways by operators, opening up a variety of security holes.

"Basically, there are mistakes and things they have overlooked," said Yongdae Kim, a professor with the Korea Advanced Institute of Science and Technology's (KAIST) electrical engineering department, in a phone interview Tuesday.

T-Mobile, Verizon and AT&T were notified of the issues in May, according to an advisory updated on Monday from Carnegie Mellon University's CERT.  None of the companies had an immediate comment.

CERT's alert said each operator's problems are different and will require them to apply their own updates, which may take time.

Google said it is working on a software patch for Android which will be released next month. Apple's mobile operating system, iOS, is not affected, according to CERT. 

Android's problem is with its permissions. On 3G networks, there are separate network domains for data packets going over the Internet and phone calls, which go through circuits.

But with LTE, voice and data both go over the Internet. Android's permission that governs phone calls doesn't matter since calls are no longer going through a circuit-switched network, Kim said.

That opens up an interesting avenue for attack. If a victim can be tricked into downloading a malicious Android application, it could, for example, initiate a video call over the data channel.

The Korean team also found it was possible for an attacker to block any phone call made by a victim or cut off an ongoing call.

[Image: VoLTE attack. Screenshot/KAIST]

In this example, a malicious app on a victim's Android phone secretly makes a call in the background, blocking the victim from making a call.

Android won't recognize that a data call is being made and will show nothing on the smartphone's screen. A video call could eat up the victim's data allowance and potentially leave them with a huge bill.

The vulnerabilities on the operator side could also lead to some crippling attacks, Kim said.

With 3G networks, people can only make one call at a time. But over packet-switched networks without the right controls, many calls can be made.

Kim said the error some operators have made is not managing call sessions. A device, for example, could start multiple calls with an operator's SIP (Session Initiation Protocol) server.

If the number of connections is too large, it could damage the SIP server and paralyze the IP Multimedia Subsystem (IMS), which manages IP-based voice calls for VoLTE, according to the paper. The solution is limiting the number of SIP messages that can be sent by a mobile device and blocking activity that appears malicious.
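The mitigation described above (per-device call-session management plus a cap on SIP messages) can be sketched as follows. This is an added example, not code from the research paper or from any operator; the thresholds, device identifiers, decision strings and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; a real network would tune these per deployment.
MAX_SESSIONS = 1   # concurrent calls allowed per device
MAX_MSGS = 5       # SIP requests allowed per device per window
WINDOW = 1.0       # sliding window length in seconds


class SipGuard:
    """Tracks open call sessions and request rate for each device."""

    def __init__(self):
        self.sessions = defaultdict(set)   # device -> open Call-IDs
        self.recent = defaultdict(deque)   # device -> request timestamps

    def check(self, ts, device, method, call_id):
        # Sliding-window rate limit: forget requests older than WINDOW.
        q = self.recent[device]
        while q and ts - q[0] >= WINDOW:
            q.popleft()
        q.append(ts)
        if len(q) > MAX_MSGS:
            return "drop:rate"
        # Session management: refuse a new call while one is still open.
        if method == "INVITE":
            open_calls = self.sessions[device]
            if call_id not in open_calls and len(open_calls) >= MAX_SESSIONS:
                return "reject:sessions"
            open_calls.add(call_id)
        elif method in ("BYE", "CANCEL"):
            self.sessions[device].discard(call_id)
        return "allow"


# Constructed sample traffic: (timestamp, device, SIP method, Call-ID).
EVENTS = [
    (0.0, "ue-a", "INVITE", "c1"),   # normal call setup
    (0.1, "ue-a", "INVITE", "c2"),   # second call while c1 is open
    (0.2, "ue-a", "BYE", "c1"),      # hang up
    (0.3, "ue-a", "INVITE", "c3"),   # new call after hang-up
] + [(5.0 + i * 0.01, "ue-b", "INVITE", f"f{i}") for i in range(7)]  # burst


def run(events):
    guard = SipGuard()
    return [guard.check(*e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run(EVENTS)):
        print(event, "->", verdict)
```

Requests dropped by the rate limit still count toward the window, so a device that keeps flooding stays blocked until it slows down.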

The issues highlighted in the research paper are probably just "the tip of the iceberg," said Phil Marshall, chief research officer with Tolaga Research in Newton, Massachusetts.

As the mobile industry moves to packet-switched services and mobile signaling is more exposed, more attack surfaces are likely to emerge, Marshall said. 

"Although there are technical solutions to address these and other threats, we are generally not yet seeing the mobile industry placing adequate priority towards security," he said.


Stories by Jeremy Kirk
