Other carriers, all of them outside the U.S., proved to have significant security vulnerabilities in their networks. The most insecure network allowed “IP spoofing,” in which an attacker disguises his own device’s network address as the address of another device. This allows the attacker to both send illicit data to a user’s mobile device and to download data under that IP address.
A second, less severe vulnerability on some networks allows malicious websites to entrap users. Normally, a user can simply close a browser that appears to have landed on a piece of malware, but in some networks a time lag between when a TCP connection is closed on a device (instantly) and on the network (a delay of 20 to 30 seconds) could allow an attacker to keep that connection open indefinitely. This could enable battery-draining attacks in which, for example, a hacker continually streams data to a device.
Eleven of the carriers tested had implemented policies that could drain the batteries of a user’s phone up to 10 percent faster than usual. Many devices must keep TCP (network) connections open for long periods of time to make e-mail and other “push notifications” work. Mobile ISPs that time out these connections too quickly—say, every 10 minutes versus every half-hour—force devices to power up their radios more often, to reestablish a connection.
Ratul Mahajan, a Microsoft Research researcher who was not involved with the paper, contends that this network behavior might be deliberate. Long time-outs, although good for phone batteries, can exhaust the network address translation table that a network middlebox uses to keep all those connections active, he says.
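The trade-off in the two paragraphs above (shorter idle timeouts mean more radio wakeups for push connections; longer timeouts mean more idle entries in the middlebox NAT table) can be put into numbers. The following is an added example, not code from the paper or the article; the flow rate, flow duration and table capacity are constructed assumptions, while the 10-minute and 30-minute timeouts are the article's own figures. Occupancy is estimated with Little's law: entries in the table = new-flow arrival rate x the time each mapping lives (active time plus idle timeout).

```python
"""Model of the NAT idle-timeout trade-off on a cellular middlebox.

Shorter timeouts force phones to wake their radios more often to keep
push connections mapped; longer timeouts keep finished flows in the
NAT table longer and can exhaust it.  Example code, not the paper's.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600


@dataclass(frozen=True)
class Policy:
    name: str
    idle_timeout_s: int      # middlebox drops an idle TCP mapping after this
    keepalive_margin_s: int  # device refreshes this long before expiry


def keepalive_interval_s(p: Policy) -> int:
    """A push client must refresh its mapping before the middlebox forgets it."""
    interval = p.idle_timeout_s - p.keepalive_margin_s
    if interval <= 0:
        raise ValueError("keepalive margin must be smaller than the idle timeout")
    return interval


def radio_wakeups_per_hour(p: Policy) -> float:
    """Each keepalive powers the radio up once; more per hour drains the battery."""
    return SECONDS_PER_HOUR / keepalive_interval_s(p)


def nat_table_occupancy(p: Policy, new_flows_per_s: float, mean_flow_s: float) -> float:
    """Little's law: steady-state entries = arrival rate x lifetime of a mapping.
    A mapping lives for the flow's active time plus the full idle timeout."""
    return new_flows_per_s * (mean_flow_s + p.idle_timeout_s)


def max_affordable_timeout_s(capacity: int, new_flows_per_s: float, mean_flow_s: float) -> float:
    """Largest idle timeout whose steady-state occupancy still fits the table."""
    return capacity / new_flows_per_s - mean_flow_s


def compare(policies, new_flows_per_s, mean_flow_s, capacity):
    """One row per policy: battery cost (wakeups) against NAT-table cost (entries)."""
    rows = []
    for p in policies:
        occupancy = nat_table_occupancy(p, new_flows_per_s, mean_flow_s)
        rows.append({"policy": p.name,
                     "wakeups_per_hour": round(radio_wakeups_per_hour(p), 2),
                     "nat_entries": int(occupancy),
                     "fits_table": occupancy <= capacity})
    return rows


# Constructed inputs (assumptions, not measurements from the paper).
POLICIES = (Policy("aggressive (10 min)", 600, 30), Policy("relaxed (30 min)", 1800, 30))
FLOWS_PER_S = 2000.0        # new TCP flows per second crossing the middlebox
MEAN_FLOW_S = 5.0           # average active lifetime of a flow
TABLE_CAPACITY = 2_000_000  # NAT table size on the middlebox

if __name__ == "__main__":
    for row in compare(POLICIES, FLOWS_PER_S, MEAN_FLOW_S, TABLE_CAPACITY):
        print(row)
    print(f"largest timeout this table affords: "
          f"{max_affordable_timeout_s(TABLE_CAPACITY, FLOWS_PER_S, MEAN_FLOW_S):.0f} s")
```

With these inputs the 10-minute policy needs about three times as many radio wakeups per hour as the 30-minute one, while the 30-minute policy overflows the assumed table, which is exactly the tension the operator has to resolve.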
Hossein Falaki, a doctoral student at UCLA, says some of the findings in the paper are probably going to be new even to cellular carriers. This could result in carriers changing their network policies, and the implications of such changes aren’t always clear until they have been tested in the wild.