A team of Chinese researchers has recently revealed the findings of a ground-breaking investigation into Android’s voice-over-internet-protocol (VoIP) components. The team from OPPO ZIWU Cyber Security Lab, the Chinese University of Hong Kong and Singapore Management University, found no fewer than eight vulnerabilities.
Cybercriminals minded to exploit those vulnerabilities could do any of the following:
- Transfer calls without the recipient’s knowledge
- Spoof caller IDs
- Crash VoIP devices
- Run malicious code on a victim’s device
The unique nature of the study is what uncovered these severe cybersecurity risks. There has been other research into the cybersecurity of VoIP phone systems. All of those previous tests, though, concentrated on VoIP equipment, servers, and mobile apps.
The researchers from China, Hong Kong, and Singapore focused on the VoIP components in the Android OS itself. To assess the security of those components, the team devised a unique three-stage method.
The academics’ research looked at a range of recent versions of the Android OS. They carried out testing on each version of the OS from 7.0 (Nougat) to 9.0 (Pie), which was only rolled out in 2018. To test Android’s VoIP components effectively, the research team subjected them to three modes of analysis. The first two of those means of assessing the components involved a process known as ‘fuzzing’.
Fuzzing or fuzz testing is a well-known means of automated software testing. Automated tools provide invalid or unexpected input to a software component. That input often comprises random and malformed data.
Testers then look at how the software reacts to those inputs. Abnormal reactions, like memory leaks or crashes, suggest a defect or vulnerability. In the course of their research, the academics testing the Android VoIP components fuzzed the Android Intent and System APIs. That allowed them to test the interactions within the native VoIP components of the OS.
The second stage of the team’s research was to perform ‘network-side fuzzing’. Through this process, the researchers could fuzz the three protocols involved in VoIP on Android. Those protocols are the Session Initiation Protocol (SIP), not to be confused with the Internet Protocol (IP), the Session Description Protocol (SDP), and the Real-time Transport Protocol (RTP). To fuzz those protocols, the scientists set up the following ‘testbed’ in their lab:
In that testbed, an Android phone represented the potential victim user. An mjSIP-based User Agent (mjUA) then mimicked the cybercriminal adversary. An openSIPS proxy server connected all elements of the testbed to the same Wi-Fi network.
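To make the fuzzing principle concrete, here is an added example (not code from the researchers or their testbed) of the mutation-based approach applied to a SIP INVITE: a constructed seed message is randomly malformed and fed to a hypothetical, deliberately naive SIP parser, and every uncaught exception is recorded as the Python analogue of a native crash. The seed message, the `parse_sip` target and the mutation set are all assumptions made for the illustration. It also shows the limit of crash-based fuzzing that the manual auditing stage addresses: an oversized display name passes the parser without complaint, so the harness never flags it.

```python
import random

# Constructed SIP INVITE used as the fuzzing seed (not a capture from the
# researchers' testbed). 192.0.2.0/24 and example.test are documentation values.
SEED_INVITE = (
    "INVITE sip:alice@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: \"Bob\" <sip:bob@example.test>;tag=1928301774\r\n"
    "To: <sip:alice@example.test>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip(raw: str) -> dict:
    """Hypothetical target: a naive SIP request parser that, like many real
    parsers, assumes well-formed input. Each uncaught exception it raises is
    the Python stand-in for a crash in a native stack."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    if int(headers.get("content-length", "0")) != len(body):
        raise ValueError("Content-Length does not match body length")
    cseq_num, _cseq_method = headers["cseq"].split(" ")
    return {"method": method, "uri": uri, "version": version,
            "cseq": int(cseq_num), "headers": headers}


def mutate(seed: str, rng: random.Random) -> str:
    """Apply one to three random mutations drawn from typical malformations."""
    ops = [
        lambda s: s.replace("Call-ID:", "Call-ID", 1),                        # missing header separator
        lambda s: s.replace("Content-Length: 0",
                            f"Content-Length: {rng.randint(-5, 99999)}"),     # lying length field
        lambda s: s.replace("Bob", "A" * rng.choice([64, 1024, 4096])),      # oversized display name
        lambda s: s[:rng.randrange(1, len(s))] if len(s) > 1 else s,         # truncated datagram
        lambda s: s.replace("\r\n", "\n", rng.randint(1, 3)),                # wrong line endings
        lambda s: s.replace("CSeq: 314159",
                            f"CSeq: {rng.choice(['', 'abc', '-1', '9' * 30])}"),  # bad sequence
    ]
    case = seed
    for _ in range(rng.randint(1, 3)):
        case = rng.choice(ops)(case)
    return case


def fuzz(seed: str, iterations: int, rng_seed: int = 0) -> dict:
    """Drive the parser with mutated inputs and keep the first input that
    triggers each distinct exception type. Returns {exception_name: input}."""
    rng = random.Random(rng_seed)
    findings: dict = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parse_sip(case)
        except Exception as exc:  # any uncaught exception counts as a "crash"
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    for exc_name, case in fuzz(SEED_INVITE, 500).items():
        print(f"{exc_name}: {case[:60]!r}...")
```

Run it and the harness reports the parse failures it can observe (unpacking and integer-conversion errors, a missing CSeq after truncation) with the first input that produced each; the 4096-character display name is never reported because the parser accepts it, which is exactly the class of issue the researchers had to find by reading logs and code rather than by watching for crashes.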
There was one final step in the study after the team had finished the automated fuzzing. The academics then launched manual code auditing and reviewed their logs. That last stage led them to determine the eight risks in Android’s VoIP components.
As well as those eight system vulnerabilities, the team also found a risk related to a third-party app. That came in the form of a bug affecting how the Intent API interacts with a particular app. The app in question was the Russian social media app, VKontakte. The bug lets a malicious app on an Android device start a VoIP call via the VKontakte app. The installer of the malicious app can then listen in on the Android user’s conversations.
That’s undoubtedly dangerous and unsettling. It’s not, though, a vulnerability that affects users outside of Russia and nearby nations. The other eight risks identified by the researchers had no such geographical limitations.
Those eight system vulnerabilities were all confirmed by Google. The company awarded the researchers a bug bounty for each of them. The tech giant also succeeded in fixing most of the eight risks. It’s still worth discussing those risks and how they can affect businesses, though. Doing so can make people aware of the types of vulnerability that they may need to mitigate against in the future.
Vulnerability 1: Unauthorised Call Transfer
The Android OS has a system service called QtilMS amongst its VoIP components. Via their two-step fuzzing, the team found that QtilMS exposed two APIs to third-party apps. Those APIs are usually only accessible by apps that have a specific permission.
The QtilMS issue shows that an app without that permission can also invoke the APIs. What that means is that a malicious app on a device can set up an unauthorized call transfer. The installer of that app may transfer calls without the intended recipient’s knowledge.
Vulnerability 2: VoIP Call Bomb
Of the eight cybersecurity risks the team found, six are remotely exploitable issues. The vulnerability that they called a ‘VoIP Call Bomb’ is the first of them. They coined that phrase as the risk is similar to an existing denial of service (DoS) attack called an ‘SMS Bomb’. Cybercriminals can launch a VoIP Call Bomb attack by calling a victim’s device using a lengthy SIP name.
A name of 1,043 characters or more fills up the device’s screen. The user then cannot answer the call, decline the call, or do anything else. If an attacker makes many calls, one after the other, they can lock the user out of their device for an extended period. That may allow the attacker to perform another kind of hack or incursion, unchecked.
Vulnerability 3: Remote Denial of Service (DoS) in Telephony
There were two further weaknesses found in the Android OS’s telephony module. Both of those weaknesses can also lead to a DoS attack. In this case, attackers send malformed SDP packets. They cause a device to crash when the user tries to answer a call. The image above shows the error message generated, next to an example of the SIP name vulnerability.
Vulnerability 4: Remote Code Execution
The next two cybersecurity risks discovered by the research team only apply when a phone connects to a device via Bluetooth. The first of that pair of risks is a serious remote code execution (RCE) issue.
If an attacker uses a caller number or user name with more than 513 bytes for a VoIP call, they can trigger a stack buffer overflow. That, in turn, lets them run malicious code on the affected device. This vulnerability affected all the Android OS versions tested by the team.
Vulnerability 5: Remote DoS in Bluetooth
This issue is similar to vulnerability four. It only applies to Android phones connected to Bluetooth devices. It also involves attackers using large caller numbers. Rather than allowing RCE, this specific vulnerability causes the phone to crash. Unlike the remote DoS risk in the telephony module, crashes, in this case, occur when a device receives a call. The user doesn’t even have to try and answer that call.
Vulnerability 6: Data Leak and Permanent DoS
The sixth risk discovered is one of the two that aren’t remotely exploitable. Only malicious apps installed on a device can exploit it. The vulnerability stems from Android and SIP treating “..” and “/” characters differently.
The inconsistency in the treatment of those characters lets attackers leak the sensitive SIP profile file to the public SD card. Cybercriminals may also exploit this weakness to overwrite another system app’s file. Depending on the file that gets overwritten, it can cause a DoS that only a factory reset could fix.
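The defensive lesson of this finding is that a filename derived from SIP data has to be validated once, at the filesystem boundary, by the component that actually opens the file, rather than trusting the SIP layer's view of what ".." and "/" mean. Below is an added example (not code from Android or the paper) of that check in Python: the profile name must be a single path component, and the resolved path must still sit directly under the profile directory. `PROFILE_ROOT`, `resolve_profile_path` and `check_names` are names chosen for this illustration, and the directory is an assumed one, not Android's real SIP profile location.

```python
from pathlib import Path

# Assumed profile directory for the illustration; Android's real SIP profile
# location is not taken from the article.
PROFILE_ROOT = Path("/data/app-private/voip/profiles")


def resolve_profile_path(root: Path, profile_name: str) -> Path:
    """Map an externally influenced profile name onto a file strictly inside `root`.
    Reject suspicious names outright instead of trying to 'clean' them."""
    if not profile_name or "\x00" in profile_name:
        raise ValueError("empty or NUL-containing profile name")
    # Layer 1: a profile name is a single path component; '/' and '..' have no
    # business in it, whatever the SIP stack thinks those characters mean.
    if "/" in profile_name or profile_name in (".", ".."):
        raise ValueError(f"path separator or traversal in profile name: {profile_name!r}")
    # Layer 2: even if layer 1 is weakened later, the resolved path (symlinks
    # followed) must still be a direct child of the profile root.
    root_abs = root.resolve()
    candidate = (root_abs / profile_name).resolve()
    if candidate.parent != root_abs:
        raise ValueError(f"resolved path escapes profile root: {candidate}")
    return candidate


def check_names(root: Path, names) -> dict:
    """Return {name: True if accepted, otherwise the rejection reason}."""
    result = {}
    for n in names:
        try:
            resolve_profile_path(root, n)
            result[n] = True
        except ValueError as exc:
            result[n] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed sample names: one legitimate profile and three traversal attempts.
    samples = ["work.xml", "../../../sdcard/leak.xml", "..", "other-app/config.xml"]
    for name, verdict in check_names(PROFILE_ROOT, samples).items():
        print(f"{name!r:32} -> {verdict}")
```

Rejecting rather than rewriting the name matters: a sanitiser that strips "../" can be fooled by inputs such as "..././", and two components that each "sanitise" differently are precisely the inconsistency this vulnerability exploited.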
Vulnerability 7: Caller ID Spoofing Due to Mis-Parsing ‘&’
The last pair of risks make it possible for attackers to spoof caller IDs. Both risks stem from inconsistency in the number format of SIP and the Public Switched Telephone Network (PSTN). This specific vulnerability relates to the character ‘&’.
Due to the way PSTN number convention treats an ‘&’ in a number, it’s easy for attackers to spoof VoIP caller IDs. All they have to do is to put an ‘&’ at the end of the real number. Android will then display a call as if it were coming from the actual number, as shown in the above image.
Vulnerability 8: Caller ID Spoofing Due to ‘Phone Context’ Parameter
The last risk is pretty similar. This time the inconsistency in SIP and PSTN relates to the “Phone Context” parameter. You can use that parameter to specify a phone number’s prefix for a traditional call. The convention should not apply, however, to VoIP calls.
Unfortunately, Android’s dialler app did still apply the parameter in the same way for VoIP. Attackers, as a result, can use the Phone Context parameter to spoof caller IDs in a second, distinct way.
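Vulnerabilities 2, 4, 7 and 8 all come down to the same design rule: whatever arrives in a SIP From header is untrusted input, and the dialler should bound it and decide what it is before the UI or the contact resolver sees it. The following added example (not Android's dialler code, and not from the paper) parses a From header in Python and applies those checks: the display name is clamped well below the 1,043-character screen-filling length, the user part is length-bounded well below the 513-byte overflow figure, a `phone-context` parameter is ignored rather than applied, and a user part that is not a plain digit string (one ending in '&', for instance) is never resolved against contacts but shown as an unverified URI. The `MAX_DISPLAY_NAME` and `MAX_NUMBER_LEN` limits and the function names are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Thresholds the article reports for the Android findings.
CALL_BOMB_NAME_LEN = 1043    # display name length that fills the screen (vulnerability 2)
OVERFLOW_NUMBER_LEN = 513    # caller number length that overflowed a stack buffer (vulnerability 4)

# Assumed limits for a hardened dialler; chosen here, not taken from the paper.
MAX_DISPLAY_NAME = 64
MAX_NUMBER_LEN = 32

# Only a plain digit string (optional leading '+') may resolve against contacts.
PLAIN_NUMBER = re.compile(r"^\+?[0-9]{1,%d}$" % MAX_NUMBER_LEN)
FROM_HEADER = re.compile(r'^\s*(?:"(?P<name>[^"]*)"\s*)?<(?P<uri>[^>]+)>')


@dataclass
class CallerId:
    display_name: str
    number: Optional[str]        # set only when it is safe to match against contacts
    raw_uri: str
    reasons: List[str] = field(default_factory=list)


def parse_from_header(header: str) -> CallerId:
    m = FROM_HEADER.match(header)
    if not m:
        raise ValueError("malformed From header")
    name = m.group("name") or ""
    uri = m.group("uri")
    reasons: List[str] = []

    # Vulnerability 2: clamp the display name before it reaches the UI layer.
    if len(name) > MAX_DISPLAY_NAME:
        reasons.append(f"display name truncated from {len(name)} chars")
        name = name[:MAX_DISPLAY_NAME] + "..."

    # Split "sip:user;params@host;params" into the user part and parameter names.
    _scheme, _, rest = uri.partition(":")
    user = rest.split("@", 1)[0].split(";", 1)[0]
    params = {p.split("=", 1)[0].lower() for p in rest.split(";")[1:]}

    number: Optional[str] = None
    user_bytes = len(user.encode("utf-8"))
    if user_bytes > MAX_NUMBER_LEN:
        # Vulnerabilities 4 and 5: bound the number before any fixed-size copy happens.
        reasons.append(f"user part rejected: {user_bytes} bytes")
    elif "phone-context" in params:
        # Vulnerability 8: PSTN prefix semantics do not apply to a VoIP identity.
        reasons.append("phone-context parameter ignored; identity left unresolved")
    elif not PLAIN_NUMBER.match(user):
        # Vulnerability 7: '&' or any other non-digit makes the identity untrusted.
        reasons.append("user part is not a plain number; not resolved to contacts")
    else:
        number = user
    return CallerId(display_name=name, number=number, raw_uri=uri, reasons=reasons)


def ui_label(cid: CallerId) -> str:
    """What the dialler shows: a contact-resolvable number, or the raw URI marked unverified."""
    if cid.number is not None:
        return f"{cid.display_name} ({cid.number})" if cid.display_name else cid.number
    return f"[unverified] {cid.raw_uri}"


if __name__ == "__main__":
    # Constructed sample headers, one per finding the checks address.
    samples = [
        '"Alice" <sip:+14155550100@example.test>;tag=1',
        '<sip:14155550100&@example.test>',
        '<sip:14155550100;phone-context=+1@example.test>',
        '"' + "N" * CALL_BOMB_NAME_LEN + '" <sip:12345@example.test>',
        '<sip:' + "1" * OVERFLOW_NUMBER_LEN + '@example.test>',
    ]
    for h in samples:
        cid = parse_from_header(h)
        print(ui_label(cid)[:80], cid.reasons)
```

The important design choice is that the fallback for anything unusual is "show it, but do not resolve it": a spoofing attempt then surfaces as an unfamiliar SIP URI rather than as a trusted contact's name, and an oversized name or number is cut down before any rendering or copying code sees it.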
Why This Research Matters to You
Google has fixed many of the above vulnerabilities. It’s critical to know about the risks, nonetheless. Many businesses and organizations are transitioning to a VoIP phone system, either through dedicated systems or via mobile OSs like Android. The existence of such vulnerabilities could have enormous security consequences for those companies. DoS attacks, call spoofing and other malicious acts made possible by the risks outlined above can create significant problems for any firm.
Being aware of the problems makes it more likely that you can identify any future issues. Issues that users experience are shared quickly between them, particularly via social media. Understanding your brand presence online through social listening can help identify the main problems that customers experience.
This ground-breaking research also shows a sizeable gap in previous cybersecurity discussions. Any consideration of risks related to VoIP has been limited to equipment, servers, or apps. This study indicates that risks at the VoIP system-level now need to be a significant part of the conversation.