Voice over LTE isn't safe, and it takes forever to patch
June 15, 2017
Contrary to what some people might think, Voice over LTE (VoLTE) isn't safe at all, because nobody's paying attention to the details. Worse, it seems to take an eternity for the industry to patch its multiple security vulnerabilities.
That's the conclusion in a whitepaper presented to the Symposium on Information and Communications Technology Security in France last week.
Priority 1 Internet Security researchers warn that the vulnerabilities could affect any of the hundred-plus operators using VoLTE on a global basis.
To be sure, VoLTE is the technology that back-ports voice calls onto the IP-based, data-centric 4G standards via the IP Multimedia Subsystem (IMS).
Without it, phones need the ability to fall back to 3G standards to place calls. Phones use the Session Initiation Protocol (SIP) for call signalling, with the Session Description Protocol (SDP) to let the callee know what type of call (for example voice or video) is requested.
It should also be noted that implementations aren't particularly secure, either on Android handsets or in wireless carriers' networks.
Some of the more outstanding insecurities outlined by the security researchers include user enumeration using SIP INVITE messages; user spoofing with INVITE messages; a side-channel around data billing systems; IMEI leaks; personal information leaks and a few more issues.
To be sure, the attacks are not all alike and can vary a lot. For example, while traffic eavesdropping (including password sniffing) is feasible, it depends on a compromise of a mobile handset so the attacker can run something like tcpdump, the paper notes.
Additionally, user fingerprinting is possible on a massive scale via scanning of network address blocks to locate vulnerable systems.
SIP OPTIONS response messages would let an attacker fingerprint customers, and on the operator side, both IMS and VoLTE network elements can be fingerprinted as well.
The so-called “free data” security vulnerability goes well beyond what some might think. An attacker can inject traffic into Session Description Protocol (SDP) messages, and it will travel over the network without hitting the billing system.
However, in certain cases it could also bypass a wireless carrier's lawful intercept infrastructure.
Additionally, the MSISDN (Mobile Station International Subscriber Directory Number) maps phone numbers to SIM cards and this is what's exploited to spoof a user in a SIP INVITE message.
Rated critical, this security vulnerability means that the person receiving the call would think it comes from the spoofed identity.
It's exactly the kind of attack that can help someone access third parties' voicemail. Somewhat depressingly, the security researchers who saw it present in today's VoLTE networks note that it was first disclosed by Hongil Kim and Dongkwan Kim and detailed in a presentation at the Chaos Computer Club's CCC 32 conference earlier this year.
Also rated critical is the ability to localise users based on how their phones' implementations complete the SIP session progress message. The response can include various details of the cell station the callee is connected to, including country, mobile network operator, area code, radio network controller and cell tower ID number.
The paper notes that the security vulnerabilities are repairable. They're down to how operators configure their network, and vendor implementation of network elements and subscriber handsets.
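As an added illustration (not code from the paper or the article), this sketch shows the kind of operator-side fix the localisation leak calls for: an edge filter that strips the cell-identifying header from a session progress response and reports what it would have exposed. It assumes the header is P-Access-Network-Info (RFC 7315) with the MCC + MNC + LAC + cell identity layout of 3GPP TS 24.229; the article names neither, and the message, hostnames and cell value are constructed.

```python
import re

# Assumption: the leaking header is P-Access-Network-Info (RFC 7315).
SENSITIVE = {"p-access-network-info"}
CELL_RE = re.compile(r'utran-cell-id-3gpp="?([0-9A-Fa-f]{16,17})\b')

# Constructed sample: 183 Session Progress as a callee handset might send it.
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/UDP pcscf.example.invalid;branch=z9hG4bKconstructed\r\n"
    "From: <sip:caller@example.invalid>;tag=a1\r\n"
    "To: <sip:callee@example.invalid>;tag=b2\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 INVITE\r\n"
    "P-Access-Network-Info: 3GPP-UTRAN-FDD; utran-cell-id-3gpp=001011A2B0123456\r\n"
    "Content-Length: 0\r\n\r\n"
)

def decode_cell(value):
    """Split MCC + MNC + LAC (4 hex) + cell identity (7 hex) into fields."""
    ci = int(value[-7:], 16)            # 28-bit UTRAN cell identity
    return {
        "mcc": value[:3],               # country
        "mnc": value[3:-11],            # operator, 2 or 3 digits
        "lac": int(value[-11:-7], 16),  # area code
        "rnc": ci >> 16,                # radio network controller (top 12 bits)
        "cell": ci & 0xFFFF,            # cell ID (low 16 bits)
    }

def sanitize(message):
    """Return (clean_message, findings) with sensitive headers removed."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, findings, dropping = [lines[0]], [], False  # lines[0] is the status line
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):     # folded continuation shares its header's fate
            if not dropping:
                kept.append(line)
            continue
        dropping = line.split(":", 1)[0].strip().lower() in SENSITIVE
        if dropping:
            m = CELL_RE.search(line)
            findings.append(decode_cell(m.group(1)) if m else {"raw": line})
        else:
            kept.append(line)
    return "\r\n".join(kept) + sep + body, findings
```

The `findings` list is what an audit of captured signalling would log; the cleaned message is what should cross the trust boundary towards the caller.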