Hacking into the iOS’s VOLTE implementation

By Hardik Mehta, Rajanish Pathak on 16 Sep 2023 @ Romhack
#ios #application-pentesting #security-testing
Focus Areas: 🔐 Application Security, ⚙️ DevSecOps, 📱 Mobile Security

Abstract

In this talk, we will be throwing light on a critical security vulnerability that has been discovered in the Voice over LTE (VoLTE) interface of iOS devices, including iPhones and Apple Watches, which has been reported to Apple and fixed. This vulnerability has been present in the iOS operating system since the inception of 4G VoLTE, and we will shed light on the issue, its root cause, and how it arises from an improper implementation of the GSMA guidelines, highlighting a design flaw in the iOS IMS SIP agent.

We will delve into the technical details of the vulnerability, providing a comprehensive analysis of its impact on iOS devices and the potential risks it poses to users’ privacy and security. We will also explore the challenges faced during the discovery and disclosure of the vulnerability to Apple and discuss the response and mitigation measures taken by the company.

Furthermore, we will discuss the lessons learned from this vulnerability, highlighting the importance of adhering to industry standards and best practices in the implementation of communication protocols. We will also provide recommendations for improving the security of VoLTE interfaces in iOS devices and similar systems.

This talk is a must-attend for security researchers, mobile device manufacturers, network operators, and anyone interested in understanding the intricacies of VoLTE security and the implications of design flaws in the implementation of communication protocols in iOS devices. Join us as we uncover the details of this critical security issue and discuss its implications for the iOS ecosystem.

AI Generated Summary

This presentation details the discovery and analysis of a critical vulnerability in Apple’s Voice over LTE (VoLTE) implementation affecting iOS devices, including iPhones, Apple Watches, and iPads. The flaw resided in the libIPTelephony library, which failed to properly terminate the Session Initiation Protocol (SIP) listening port (5060) on the user equipment after establishing the mandatory IPsec tunnel with the operator’s IMS core network.

In a correctly implemented VoLTE stack, as observed on Android devices, the SIP port should close once the encrypted tunnel is active, preventing direct external signaling. iOS devices, however, kept port 5060 open, allowing a privileged attacker positioned within the same telecom network to bypass the IMS core’s security controls. By scanning for this open port, an attacker could directly target iOS devices with malformed SIP packets. This enabled the enumeration of millions of devices, disclosing sensitive personally identifiable information (PII) including phone numbers (MSISDN), location data, and precise iOS version and patch level. Furthermore, the attack facilitated spoofed call initiation to any targeted device, causing denial-of-service, network congestion, and potential large-scale disruption.

The root cause was a deviation from 3GPP specifications for VoLTE registration. Apple addressed the issue in iOS 15.2 by ensuring the IMS TCP socket is terminated upon IPsec tunnel establishment. The vulnerability had existed since VoLTE’s introduction on iOS in 2017 and required over a year for remediation after reporting in March 2021. The primary mitigation for operators is strict network segmentation to isolate signaling (control plane) from user data traffic at the Packet Gateway.
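The summary above describes the fix as a state-machine change on the user equipment: the SIP listening socket used for the initial, unprotected REGISTER exchange must be torn down once the IPsec security association with the IMS core is established. The following is an added toy model of that behaviour, written for this page and not taken from the talk or from Apple's libIPTelephony; it stands in a loopback ephemeral port for port 5060 and uses a hypothetical `UeSipAgent` class so that the flawed and corrected behaviours can be checked side by side with an ordinary local connect.

```python
import socket

# Assumed, constructed model of a UE's IMS SIP agent (not Apple's code).
class UeSipAgent:
    def __init__(self, close_on_ipsec: bool):
        # close_on_ipsec=False models the pre-iOS-15.2 behaviour described in the summary;
        # close_on_ipsec=True models the fix (socket terminated on IPsec SA establishment).
        self.close_on_ipsec = close_on_ipsec
        self.listener = None
        self.ipsec_established = False

    def start_unprotected_registration(self) -> int:
        # Before the IPsec SAs exist, the UE listens for SIP in the clear.
        # Loopback + ephemeral port instead of 0.0.0.0:5060 so the demo runs unprivileged.
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        return self.listener.getsockname()[1]

    def on_ipsec_sa_established(self) -> None:
        # Correct behaviour: once signalling is carried inside the IPsec tunnel,
        # the unprotected listener has no legitimate peer left and must go away.
        self.ipsec_established = True
        if self.close_on_ipsec and self.listener is not None:
            self.listener.close()
            self.listener = None

    def shutdown(self) -> None:
        if self.listener is not None:
            self.listener.close()
            self.listener = None


def unprotected_listener_accepts(port: int) -> bool:
    # Defender-side self-check on the local host: does the cleartext SIP
    # listener still complete a TCP handshake after the tunnel is up?
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=0.5):
            return True
    except OSError:
        return False


def audit_agent(close_on_ipsec: bool) -> bool:
    # Drive the registration state machine and report whether the
    # unprotected listener survives IPsec establishment (True = exposed).
    agent = UeSipAgent(close_on_ipsec)
    port = agent.start_unprotected_registration()
    agent.on_ipsec_sa_established()
    try:
        return unprotected_listener_accepts(port)
    finally:
        agent.shutdown()


def run_demo() -> dict:
    # Flawed agent keeps accepting after the tunnel is up; fixed agent refuses.
    return {"flawed": audit_agent(False), "fixed": audit_agent(True)}


if __name__ == "__main__":
    for name, exposed in run_demo().items():
        print(f"{name}: unprotected listener reachable after IPsec = {exposed}")
```

The check is deliberately local: it verifies the stack's own state transition rather than probing anything on the network, which is the property an implementer or a device-side test suite would assert. On an operator network the equivalent control from the summary is segmentation at the Packet Gateway so that user-plane traffic cannot reach subscriber signalling ports at all.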

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.