Major VOIP Security Flaws Discovered in Android

Researchers say they discovered eight security flaws in the way Android handles voice calls through the Internet. Unlike most such bugs which involve specific apps, these problems were with Android itself.

The good news is that the researchers reported all of the bugs to Google while carrying out the project and most have now been fixed. However, it does raise concerns about the development and design of the system itself. (Source: github.io)

The researchers looked at the three latest Android versions (7, 8 and 9), specifically addressing the components that allow Voice Over Internet Protocol (VOIP). That's where apps and services such as Skype use the phone's voice call hardware such as microphone and speaker, but transmit the data over the Internet rather than voice networks. This is especially convenient for users on a metered voice or data plan, and when free WiFi is available.

Malware Could Eavesdrop

ZDNet explains that the researchers used a technique called "fuzzing" to find security gaps. Fuzzing effectively involves putting random data (often in the "wrong" format) into software in order to see how it responds. This can often reveal vulnerabilities. (Source: zdnet.com)

One of the bugs related to a specific VOIP app named "VK" would have allowed malware to start a call, then eavesdrop via the phone's microphone.

The other bugs all related to Android, meaning victims wouldn't need to have a VOIP app installed or active. Some required malware to be on the phone and could allow hackers to divert incoming calls to their own devices.

Bogus Number Causes Problems

Others didn't require any malware and instead took advantage of inconsistencies between the way voice and VOIP calls handle unexpected characters in phone numbers. That could make it possible to call a phone and make it display a bogus caller ID - for example, for harassment or when making marketing calls.

It was also possible for attackers to create their own exceptionally long phone numbers, then place a call to another phone. In some cases this would crash the phone being called (because the caller ID was too long). In other cases, the caller ID number would run "off the bottom" of the screen so that buttons to answer or reject the call disappeared. This then caused the phone to ring indefinitely and also prevented the user from accessing any other features.

In theory, these bugs could be used as a prank or on a large scale to stop people using phones during a gathering such as a political protest. Perhaps more seriously, it could let hackers "tie up" a phone and distract the user while using other malware in the background.

The most serious of the "long number" attacks would actually create a stack buffer overflow, which involves accessing the device's memory. In turn, this could allow unrestricted access to other active applications, which then allows a bogus caller to remotely run code on the device (such as malware).

What's Your Opinion?

Are you surprised Google didn't discover such bugs itself? Are these simply the price to pay for having sophisticated phones that are effectively mini computers? Do people take phone security seriously enough?