DOI: 10.1145/2810103.2813718
research-article

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations

Published: 12 October 2015

ABSTRACT

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled, both from user equipment and infrastructure perspectives. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis.

Unlike the traditional call setup, the VoLTE call setup is controlled and performed at the Application Processor (AP), using SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel. This, combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice), leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network.

Published in

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
October 2015
1750 pages
ISBN: 9781450338325
DOI: 10.1145/2810103

Copyright © 2015 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

CCS '15 Paper Acceptance Rate: 128 of 660 submissions, 19%
Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%
