Potential security issue with Kodiak push-to-talk offering has been fixed, AT&T says
A security vulnerability in software associated with AT&T’s Enhanced Push to Talk (EPTT), which leverages the Kodiak platform owned by Motorola Solutions, has been eliminated, an AT&T representative this week told California First Responder Network (CalFRN).
Abigail Baker, AT&T’s region manager for FirstNet consultation in California, Hawaii and Nevada, read a prepared statement about the matter during a meeting of the CalFRN board on Dec. 12, when questions about the EPTT security issue were raised.
“AT&T was recently made aware of an issue with AT&T Enhanced Push to Talk’s integrated-dispatch feature,” Baker said while reading the statement. “This feature requires the use of a supported Google Chrome or Internet Explorer web browser. Use of the Google Chrome browser requires an extension, and use of Internet Explorer requires the use of a plug-in.
“As originally configured, the extension/plug-in theoretically permitted access to functions unrelated to the integrated-dispatch feature on the computer running the feature. Therefore, if a computer running the feature were attacked, the attacker might have accessed information on the user’s browser.
“Neither AT&T nor its supplier has been made aware of any such instance in which a browser running the integrated-dispatch feature has been the subject of an attack. Nevertheless, AT&T has published an update that now eliminates the possible issue for the Chrome extension and the Internet Explorer plug-in.”
Shelly Hutchens, broadband services manager for the California Broadband Services Division (CalBSD), said California representatives brought the EPTT security issue to AT&T. AT&T’s EPTT is among the approved applications for FirstNet, which are subject to a vetting process designed to ensure that an application will perform as advertised and not introduce security risks. During the CalFRN board meeting, Hutchens did not describe how the EPTT security vulnerability was discovered.
AT&T’s EPTT offering has long used a platform developed by Kodiak, which also provides the carrier-integrated push-to-talk-over-cellular (PoC) solution for many other carriers, including Verizon and Sprint in the United States. Motorola Solutions—a partner in the AT&T vendor team that won the nationwide contract to build and maintain the FirstNet system—purchased Kodiak in a deal that closed about a year ago.
Although listed as an approved FirstNet application, AT&T’s EPTT is different from the mission-critical-push-to-talk (MCPTT) standard established by 3GPP, the standards body for LTE wireless technology. AT&T officials recently announced plans to provide FirstNet subscribers with a 3GPP-compliant MCPTT service from at least two vendors during the second half of next year.
AT&T conducted a request-for-proposals (RFP) process this year for potential MCPTT vendors, but the carrier has not publicly named the vendors that will supply MCPTT to FirstNet subscribers.
AT&T announced enhancements to its EPTT offering that include some MCPTT features. Those enhancements are part of EPTT 9.0, which was launched on Tuesday and is available, according to an AT&T spokesperson.