The Untold Secrets of WiFi-Calling Services: Vulnerabilities, Attacks, and Countermeasures

Since 2016, all of four major U.S. operators have rolled out Wi-Fi calling services. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrusted Wi-Fi networks and the Internet. This exposure to insecure networks can cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA, IPSec, etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first security study on the operational Wi-Fi calling services in three major U.S. operators networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover three vulnerabilities. By exploiting the vulnerabilities, we devise two proof-of-concept attacks: telephony harassment or denial of voice service and user privacy leakage; both of them can bypass the existing security defenses. We have confirmed their feasibility using real-world experiments, as well as assessed their potential damages and proposed a solution to address all identified vulnerabilities.

[1]  Miguel A. Garcia-Martin Input 3rd-Generation Partnership Project (3GPP) Release 5 Requirements on the Session Initiation Protocol (SIP) , 2005, RFC.

[2]  T. Dagiuklas,et al.  SIP Security Mechanisms : A state-ofthe-art review , 2005 .

[3]  Bill Triggs,et al.  Histograms of oriented gradients for human detection , 2005, 2005 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (CVPR'05).

[4]  S. McGann An Analysis of Security Threats and Tools in SIP-Based VoIP Systems , 2005 .

[5]  Jari Arkko,et al.  Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA) , 2006, RFC.

[6]  Luc Van Gool,et al.  Efficient Non-Maximum Suppression , 2006, 18th International Conference on Pattern Recognition (ICPR'06).

[7]  Costas Lambrinoudakis,et al.  Survey of security vulnerabilities in session initiation protocol , 2006, IEEE Communications Surveys & Tutorials.

[8]  Dorgham Sisalem,et al.  Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms , 2006, IEEE Network.

[9]  Patrick C. K. Hung,et al.  Security Issues in VOIP Applications , 2006, 2006 Canadian Conference on Electrical and Computer Engineering.

[10]  Costas Lambrinoudakis,et al.  An ontology description for SIP security flaws , 2007, Comput. Commun..

[11]  Francis Dupont,et al.  Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture , 2007, RFC.

[12]  Haesun Park,et al.  CallRank: Combating SPIT Using Call Duration, Social Networks and Global Reputation , 2007, CEAS.

[13]  Sunny Consolvo,et al.  The Wi-Fi privacy ticker: improving awareness & control of personal information exposure on Wi-Fi , 2010, UbiComp.

[14]  Gaël Varoquaux,et al.  Scikit-learn: Machine Learning in Python , 2011, J. Mach. Learn. Res..

[15]  M. Hagberg,et al.  Mobile phone use and stress, sleep disturbances, and symptoms of depression among young adults - a prospective cohort study , 2011, BMC public health.

[16]  Patrick Traynor,et al.  Improving Authentication Performance of Distributed SIP Proxies , 2011, IEEE Trans. Parallel Distributed Syst..

[17]  Vittorio Murino,et al.  Look at Who's Talking: Voice Activity Detection by Automated Gesture Analysis , 2011, AmI Workshops.

[18]  Mubarak Shah,et al.  UCF101: A Dataset of 101 Human Actions Classes From Videos in The Wild , 2012, ArXiv.

[19]  Jethro G. Beekman,et al.  Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling , 2013 .

[20]  Alex Pentland,et al.  Predicting Personality Using Novel Mobile Phone-Based Metrics , 2013, SBP.

[21]  Yu Cheng,et al.  SIP Flooding Attack Detection with a Multi-Dimensional Sketch Design , 2014, IEEE Transactions on Dependable and Secure Computing.

[22]  Abdul Ghafoor Abbasi,et al.  Security analysis of VoIP architecture for identifying SIP vulnerabilities , 2014, 2014 International Conference on Emerging Technologies (ICET).

[23]  Myungchul Kim,et al.  Run Away If You Can: - Persistent Jamming Attacks against Channel Hopping Wi-Fi Devices in Dense Networks , 2014, RAID.

[24]  Christer Holmberg,et al.  Private Header (P-Header) Extensions to the Session Initiation Protocol (SIP) for the 3GPP , 2014, RFC.

[25]  Xinwen Fu,et al.  On simulation studies of cyber attacks against LTE networks , 2014, 2014 23rd International Conference on Computer Communication and Networks (ICCCN).

[26]  Xinbing Wang,et al.  Insecurity of Voice Solution VoLTE in LTE Mobile Networks , 2015, CCS.

[27]  Patrick Traynor,et al.  Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World , 2015, USENIX Security Symposium.

[28]  Patrick Traynor,et al.  Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[29]  Shuai Li,et al.  Demographics inference through Wi-Fi network traffic analysis , 2016, IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications.

[30]  Georgios Kambourakis,et al.  Intrusion Detection in 802.11 Networks: Empirical Evaluation of Threats and a Public Dataset , 2016, IEEE Communications Surveys & Tutorials.

[31]  Elena Baralis,et al.  MAGMA network behavior classifier for malware traffic , 2016, Comput. Networks.

[32]  Yong Guan,et al.  Voice Pattern Hiding for VoIP Communications , 2016, 2016 25th International Conference on Computer Communication and Networks (ICCCN).

[33]  Shinjo Park,et al.  PRACTICAL ATTACKS ON VOLTE AND VOWIFI , 2017 .

[34]  Peiyun Hu,et al.  Finding Tiny Faces , 2016, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[35]  Anderson Santana de Oliveira,et al.  Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps , 2017, Proc. Priv. Enhancing Technol..

[36]  Xiaoming Liu,et al.  Disentangled Representation Learning GAN for Pose-Invariant Face Recognition , 2017, 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR).

[37]  Patrick Traynor,et al.  AuthentiCall: Efficient Identity and Content Authentication for Phone Calls , 2017, USENIX Security Symposium.

[38]  Mauro Conti,et al.  Don't Skype & Type!: Acoustic Eavesdropping in Voice-Over-IP , 2016, AsiaCCS.

[39]  H. Vincent Poor,et al.  Authenticating Users Through Fine-Grained Channel Information , 2018, IEEE Transactions on Mobile Computing.

[40]  Mohammed Atiquzzaman,et al.  LTE/LTE-A Network Security Data Collection and Analysis for Security Measurement: A Survey , 2018, IEEE Access.

[41]  Patrick Traynor,et al.  Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[42]  Mauro Conti,et al.  Robust Smartphone App Identification via Encrypted Network Traffic Analysis , 2017, IEEE Transactions on Information Forensics and Security.

[43]  Golden G. Richard,et al.  Toward a more dependable hybrid analysis of android malware using aspect-oriented programming , 2018, Comput. Secur..

[44]  Guevara Noubir,et al.  My Magnetometer Is Telling You Where I've Been?: A Mobile Device Permissionless Location Attack , 2018, WISEC.

[45]  Roger Piqueras Jover,et al.  The current state of affairs in 5G security and the main remaining security challenges , 2019, ArXiv.

[46]  Joseph W. Mikhail,et al.  A Semi-Boosted Nested Model With Sensitivity-Based Weighted Binarization for Multi-Domain Network Intrusion Detection , 2019, ACM Trans. Intell. Syst. Technol..