Insecurity of Voice Solution VoLTE in LTE Mobile Networks

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

[1]  Jon Peterson,et al.  A Privacy Mechanism for the Session Initiation Protocol (SIP) , 2002, RFC.

[2]  Jethro G. Beekman,et al.  Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling , 2013 .

[3]  Songwu Lu,et al.  How voice call technology poses security threats in 4G LTE networks , 2015, 2015 IEEE Conference on Communications and Network Security (CNS).

[4]  Li Lin Ying,et al.  Forward Handover for Voice Call Continuity , 2012, 2012 Sixth International Conference on Next Generation Mobile Applications, Services and Technologies.

[5]  Songwu Lu,et al.  Can we pay for what we get in 3G data access? , 2012, Mobicom '12.

[6]  Patrick D. McDaniel,et al.  On Attack Causality in Internet-Connected Cellular Networks , 2007, USENIX Security Symposium.

[7]  F.S. Park,et al.  A security evaluation of IMS deployments , 2008, 2008 2nd International Conference on Internet Multimedia Services Architecture and Applications.

[8]  Eemil Lagerspetz,et al.  The company you keep: mobile malware infection rates and inexpensive risk indicators , 2013, WWW.

[9]  Eunyoung Jeong,et al.  Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission , 2014, NDSS.

[10]  Henning Schulzrinne,et al.  RTP: A Transport Protocol for Real-Time Applications , 1996, RFC.

[11]  Songwu Lu,et al.  Mobile data charging: new attacks and countermeasures , 2012, CCS.

[12]  Yinglian Xie,et al.  Collaborative TCP sequence number inference attack: how to crack sequence number under a second , 2012, CCS '12.

[13]  Xuxian Jiang,et al.  On the feasibility of launching the man-in-the-middle attacks on VoIP from remote attackers , 2009, ASIACCS '09.

[14]  Mark Handley,et al.  SIP: Session Initiation Protocol , 1999, RFC.

[15]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[16]  Angelina Gkioni,et al.  Voice Over LTE (VoLTE): Service Implementation and Cell Planning Perspective , 2014 .

[17]  Peter Martini,et al.  Detecting VoIP based DoS attacks at the public safety answering point , 2008, ASIACCS '08.

[18]  Patrick Traynor,et al.  MAST: triage for market-scale mobile malware analysis , 2013, WiSec '13.

[19]  Songwu Lu,et al.  Accounting for roaming users on mobile data access: issues and root causes , 2013, MobiSys '13.

[20]  Songwu Lu,et al.  Real Threats to Your Data Bills: Security Loopholes and Defenses in Mobile Data Charging , 2014, CCS.

[21]  Zhuoqing Morley Mao,et al.  Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security , 2012, 2012 IEEE Symposium on Security and Privacy.

[22]  Thomas F. La Porta,et al.  Exploiting open functionality in SMS-capable cellular networks , 2005, CCS '05.

[23]  Mark Ryan,et al.  New privacy issues in mobile telephony: fix and verification , 2012, CCS.

[24]  Angelos D. Keromytis A Look at VoIP Vulnerabilities , 2010, login Usenix Mag..

[25]  Henning Schulzrinne,et al.  SIP Security , 2009 .

[26]  Geoffrey M. Voelker,et al.  Can you infect me now?: malware propagation in mobile phone networks , 2007, WORM '07.

[27]  Hao Chen,et al.  Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery , 2006, 2006 Securecomm and Workshops.

[28]  Mark Ryan,et al.  Privacy through Pseudonymity in Mobile Telephony Systems , 2014, NDSS.