Accidental homicide: how VoLTE kills old style call accounting
It's all data, all the way down, so tracking voice sessions gets tedious, fast. And dangerous
Korean and US telco researchers have sounded what's probably the first death-knell of voice calls, demonstrating a variety of problems – some fundamental – with how Voice-over-LTE (VoLTE) works.
The problems, which we'll describe in more detail below, include denial-of-service vectors, over-billing risks, and ways for users to game the network for free calls.
The basic problem is that VoLTE abandons the legacy cellular network model of dedicated voice and data channels. Instead, voice is a SIP-based (session initiation protocol) application carried on the plentiful (in LTE) data channel.
The carriers that Hongil Kim of Korean institute KAIST and collaborators from KAIST and Georgia Tech studied were in Korea and not named, but in their paper they warn other operators could be making similar mistakes in their VoLTE implementations.
The problems all arise in how the voice application interacts with SIP. Under VoLTE, the voice application is handled by a phone's application processor (AP) instead of being a couple of basic commands on the baseband processor. From the paper: "A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel."
It's obvious, really: since VoLTE runs as an application, it's trivial to write a voice application to run on an LTE mobile – and that means any mistake the operator makes can be exploited by a malicious application. Here are the kinds of attacks the boffins demonstrated:
Call accounting: While carrying voice as in-band data traffic, carriers still hope to retain traditional call accounting for voice calls.
The researchers found that carriers' SIP applications started timing a call when the server gets an OK (200) from the handset answering the call.
That makes getting free calls a cinch: modify the voice application so the server doesn't see the message (for example, by sending the message directly to the caller's IP address instead of back to the server).
Alternatively, a malicious client could manipulate the QoS parameters requested for voice calls, get a nice fat channel, and bypass data-traffic counters by using a voice call to carry data.
"Note that the above potentially free data channels could be easily blocked or detected by SIP network flow analysis. However, what if an adversary embeds the data in the media session? Detecting this requires significant implementation effort, as the carrier needs to check if the data in the media session are voice or not," the paper states.
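A defender-side illustration of the accounting gap and the flow-analysis point above, as an added example that is not from the paper or from any carrier: constructed SIP signalling events (as the server would log them) and constructed RTP byte counts are cross-checked, so a session that carried media without a server-observed 200 OK is flagged rather than silently going unbilled. Call IDs, byte counts and the threshold are assumptions.

```python
"""Cross-check SIP signalling against media-plane volume to spot VoLTE
sessions that bypass the 200-OK-based billing trigger."""
from dataclasses import dataclass

# Constructed sample: (call-id, SIP message) in the order the server saw them.
SIP_EVENTS = [
    ("call-1", "INVITE"), ("call-1", "180 Ringing"), ("call-1", "200 OK"),
    ("call-1", "BYE"),
    ("call-2", "INVITE"), ("call-2", "180 Ringing"), ("call-2", "BYE"),
    # call-2: the 200 OK never reached the server (answered peer-to-peer)
    ("call-3", "INVITE"), ("call-3", "486 Busy Here"),
]

# Constructed sample: RTP bytes observed per call on the media plane.
RTP_FLOWS = {"call-1": 240_000, "call-2": 310_000, "call-3": 0}


@dataclass
class Session:
    call_id: str
    invited: bool = False
    answered: bool = False   # server observed a 200 OK (legacy billing start)
    ended: bool = False


def parse_sip(events):
    """Fold the signalling log into one Session state per call-id."""
    sessions = {}
    for call_id, msg in events:
        s = sessions.setdefault(call_id, Session(call_id))
        if msg == "INVITE":
            s.invited = True
        elif msg.startswith("200"):
            s.answered = True
        elif msg == "BYE":
            s.ended = True
    return sessions


def legacy_billable(sessions):
    """Naive accounting: only calls where the server saw 200 OK are timed."""
    return sorted(cid for cid, s in sessions.items() if s.answered)


def find_unbilled_media(sessions, rtp_flows, min_bytes=50_000):
    """Media flowed but no 200 OK reached the server: flag for investigation.
    min_bytes is an assumed threshold to ignore early-media or probe traffic."""
    return sorted(cid for cid, s in sessions.items()
                  if s.invited and not s.answered
                  and rtp_flows.get(cid, 0) >= min_bytes)
```

The naive check bills only call-1; the cross-check additionally surfaces call-2, which carried media while the server never saw the answer.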
Android's permission model: The researchers say Android's permission model is at odds with VoLTE, because it can't distinguish SIP messages from any other data.
That leaves users open to a variety of possible attacks:
- It's easy to make the voice application place calls from a phone without alerting the user. That's got all sorts of malware possibilities: for example, infecting a phone so it quietly places calls to premium numbers.
- Because SIP is just data, there's no need to place calls through the operator's SIP server: instead, users can just set up peer-to-peer SIP sessions to bypass call accounting.
- If SIP servers don't authenticate messages properly, phone numbers can be spoofed, creating some pretty juicy fraud opportunities.
- Bad session management in SIP servers – for example, allowing one application to call lots of numbers simultaneously – leaves networks open to control-plane denial-of-service attacks.
While the researchers discuss countermeasures for the particular vulnerabilities they found, The Register notes that the most serious fundamental issue, Android's permissions model, is a very tough nut to crack.
Merely locking down the voice application on an Android phone isn't enough, since the user still has all of the permissions the phone offers. Even without "rooting" the phone, anyone can write an application to send data packets to any other IP address.
To The Register, it looks a lot like the IP-all-the-way-down architecture of LTE is going to be the thing that kills voice calls as a revenue source for telcos.
At some point, carriers will find it costs too much to plug every hole that emerges, just so they can keep collecting a few cents per minute for voice calls. Better, in the long run, to sell data pipes to mobile users and bid a fond farewell to the old model. ®