Buggy devices and lazy operators make VoLTE a security nightmare

Voice over LTE leaks like a sieve, because nobody's paying attention to the details.

That's the conclusion in a paper (PDF) presented to the Symposium on Information and Communications Technology Security in Rennes, France last week.

The researchers, from Priority 1 Security, warn the vulnerabilities could affect any of the hundred-plus operators using VoLTE worldwide.

VoLTE is the technology that back-ports voice calls onto the IP data-centric 4G standards via the IP Media Subsystem (IMS). Without it, phones need the ability to fall back to 3G standards to place calls. Phones use the Session Initiation Protocol (SIP) for call signalling, with the Session Description Protocol (SDP) to let the callee know what type of call (for example voice or video) is requested.

And, in an entirely unsurprising development, implementations aren't particularly secure – either on Android handsets, or in carriers' networks.

Some of the more outstanding insecurities outlined by the researchers include user enumeration using SIP INVITE messages; user spoofing with INVITE messages; a side-channel around data billing systems; IMEI leaks; personal information leaks and more.

Not all the attacks are simple. For example, the paper notes, while traffic eavesdropping (including password sniffing) is feasible, it depends on a compromise of a handset so the attacker can run something like tcpdump.

User fingerprinting, on the other hand, is possible on a massive scale, the paper claims, via mass scanning of network address blocks to locate vulnerable systems. SIP OPTIONS response messages would let an attacker fingerprint customers, and on the operator side, both IMS and VoLTE network elements can be fingerprinted.

The “free data” vulnerability goes beyond the merely entertaining. An attacker can inject traffic into Session Description Protocol (SDP) messages, and it will travel over the network without hitting the billing system – but it could also bypass a carrier's lawful intercept infrastructure.

MSISDN, the Mobile Station International Subscriber Directory Number, maps phone number to SIM card – and this is what's exploited to spoof a user in a SIP INVITE message.

Rated critical, this vulnerability means the person receiving the call would think it comes from the spoofed identity, so Alice, thinking she's receiving a call from Bob, will answer an attack call from Eve.

So what? It's exactly the kind of attack that can help someone access third parties' voicemail – and somewhat depressingly, the researchers that saw sit present in today's VoLTE networks note that it was first disclosed by Hongil Kim and Dongkwan Kim and detailed in a presentation at the Chaos Computer Club's CCC 32 conference.

Also rated critical is the ability to localise users based on how their phones' implementation completes the SIP session progress message: the response can include details of the cell station the callee is connected to – including country, mobile network operator, area code, radio network controller and cell tower ID.

The paper notes that the vulnerabilities are fixable: they're down to how operators configure their network, and vendor implementation of network elements and subscriber handsets. ®