Abstract
Voice over LTE (VoLTE) and Voice over WiFi (VoWiFi) are variants of Voice over IP that use the IP Multimedia Subsystem (IMS) as their backend. In this talk, we identify five different attacks on VoLTE/VoWiFi.
These mainly include (i) sniffing VoLTE/VoWiFi interfaces, (ii) extracting IPSec keys from the IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii) performing three different kinds of injection attacks in the Session Initiation Protocol (SIP) headers that are used for VoLTE/VoWiFi signaling. As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking the IMSI, IMEI, location of users and private IP of the IMS.
We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from the ISIM with the help of a hardware device called SIMTrace. We also discuss three different SIP header injection attacks that enable location manipulation and side channel attacks.
It is important to note that all these attacks are valid against the current 3GPP standards used by telecom providers. Understanding the attacks and mitigating them is therefore of high relevance.
This is a continuation of the work presented by Schmidt et al. in the talk IMSecure – Attacking VoLTE at the Area41 conference, 2016.
AI Generated Summary (may contain errors)
The speaker demonstrates a replay attack on Voice over LTE (VoLTE) and Voice over Wi-Fi (VoWiFi) networks, which use IPsec for security. They use tools like Wireshark and Burp to analyze and manipulate SIP packets, extracting sensitive information like phone numbers, location data, IMEI, and NC values.
The speaker highlights that even with IPsec encryption, the keys are stored on the user’s device, which leaves the connection vulnerable to injection attacks. They emphasize that relying solely on client-side security is insufficient and propose a server-side approach:
- Implement traffic monitoring.
- Apply whitelist rules to SIP header fields to detect fuzzing or changes.
- Use encryption to protect sensitive data.
In response to an audience question, the speaker notes that even using SIP over TLS would not mitigate these attacks, because the certificate is stored on the client side and is therefore exposed to attacks from within. Security measures must therefore be implemented on the server side to prevent injection attacks and ensure robust protection.
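
The whitelist rule for SIP header fields listed above can be sketched as a server-side check. This is an added example, not code from the talk: the policy table, the header patterns, the function name `check_sip_headers` and both sample messages are assumptions constructed for illustration.

```python
import re

ADDR = r"<?sips?:[\w.\-+]+@[\w.\-]+(:\d+)?>?(;tag=[\w.\-]+)?"
# Assumed allowlist for requests from a handset: header name -> value pattern.
POLICY = {
    "via": r"SIP/2\.0/(UDP|TCP|TLS) [\w.\-]+(:\d+)?(;[\w\-]+(=[\w.\-]+)?)*",
    "from": ADDR, "to": ADDR,
    "call-id": r"[\w.\-@]+",
    "cseq": r"\d{1,10} (REGISTER|INVITE|ACK|BYE|CANCEL|OPTIONS)",
    "content-length": r"\d{1,6}",
    "p-access-network-info": r"3GPP-E-UTRAN-FDD; ?utran-cell-id-3gpp=[0-9A-Fa-f]{8,16}",
}
MANDATORY = {"via", "from", "to", "call-id", "cseq"}
SINGLE = set(POLICY) - {"via"}  # Via may legitimately repeat

def check_sip_headers(raw):
    """Return policy findings for one SIP request; an empty list means accept."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    findings, seen = [], set()
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        # Folded continuation lines and malformed lines are rejected as well.
        if line[:1] in (" ", "\t") or not sep or key not in POLICY:
            findings.append(f"not on allowlist: {name.strip()}")
            continue
        if key in SINGLE and key in seen:
            findings.append(f"duplicate header: {key}")
        seen.add(key)
        # fullmatch also fails on a bare CR or LF smuggled into the value.
        if not re.fullmatch(POLICY[key], value.strip(" \t")):
            findings.append(f"value fails pattern: {key}")
    findings += [f"missing header: {k}" for k in sorted(MANDATORY - seen)]
    return findings

# Constructed sample messages (not captured traffic).
GOOD = "\r\n".join([
    "REGISTER sip:ims.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKa1b2",
    "From: <sip:user@ims.example.net>;tag=8f3c",
    "To: <sip:user@ims.example.net>",
    "Call-ID: 5d1e77@10.0.0.5",
    "CSeq: 1 REGISTER",
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=001010001000A1B2",
    "Content-Length: 0",
]) + "\r\n\r\n"
BAD = GOOD.replace("CSeq: 1 REGISTER\r\n", "CSeq: 1 REGISTER\r\nX-Debug: 1\r\n"
                   "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=zz\r\n")
```

Findings from a check like this feed the traffic-monitoring item in the same list: a handset that suddenly produces unknown, duplicated or malformed headers is a signal worth alerting on, not only a request to drop.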