Presentation Material
Abstract
Voice over LTE (VoLTE) and Voice over WiFi (VoWiFi) are variants of Voice over IP that make use of the IP Multimedia Subsystem (IMS) in their backend. In this talk, we identify five different attacks on VoLTE/VoWiFi.
These mainly include (i) sniffing VoLTE/VoWiFi interfaces, (ii) extracting IPSec keys from the IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii) performing three different kinds of injection attacks in the Session Initiation Protocol (SIP) headers that are used for signaling in VoLTE/VoWiFi. As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking the IMSI, IMEI, location of users and private IP of the IMS.
We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from ISIM with the help of a hardware device called SIMTrace.
We also discuss three different SIP header injection attacks that enable location manipulation and side channel attacks.
It is important to note here that all these attacks are valid on the current 3GPP standards that are used by telecom providers. Thus, understanding the attacks and mitigating them is of high relevance.
This is a continuation of the work presented by Schmidt et al. in the talk "IMSecure – Attacking VoLTE" at the Areas41 conference, 2016. There is also a reference paper for more information.
AI Generated Summary (may contain errors)
Here is a summary of the content:
The speaker discussed their research on sniffing and analyzing packets from various interfaces, including VoLTE (Voice over LTE), Wi-Fi, IMS (IP Multimedia Subsystem) and ePDG (Evolved Packet Data Gateway) interfaces. They found information leaks such as IMEI and private IP addresses. The speaker wrote a custom parser to extract the IK (Integrity Key) and CK (Confidentiality Key) from the packets.
The speaker also demonstrated a replay attack on SIP (Session Initiation Protocol) packets, sending a fake message by modifying the packet contents. They highlighted the importance of securing IMS (IP Multimedia Subsystem) servers against injection attacks, suggesting mitigation measures such as:
- Never trusting user input
- Implementing traffic monitoring and deep packet inspection in gateways
- Establishing whitelist rules for expected header fields in SIP packets
- Encrypting data to prevent fake base stations from accessing sensitive information
- Raising user awareness about connecting to suspicious providers
The speaker concluded by inviting questions and discussion.
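The header allowlist mitigation listed above, sketched as an added example (not code from the talk or the speaker). The allowed-header set, the singleton set and the sample messages are constructed assumptions; the compact header forms are a subset of those defined in RFC 3261.

```python
import re

# Compact forms from RFC 3261, normalised so "f:" cannot dodge a rule for "From:".
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "l": "content-length", "c": "content-type"}
# Assumed policy (constructed): the only headers this gateway expects from a handset.
ALLOWED = {"via", "from", "to", "call-id", "cseq", "max-forwards",
           "contact", "content-type", "content-length"}
SINGLETON = {"from", "to", "call-id", "cseq", "max-forwards", "content-length"}
TOKEN = re.compile(r"^[A-Za-z0-9.!%*_+`'~-]+$")

def check_sip_headers(raw: bytes) -> list[str]:
    """Return policy violations; an empty list means the message passes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    problems, seen = [], set()
    for line in head.split("\r\n")[1:]:      # [1:] skips the request line
        if line[:1] in (" ", "\t"):
            problems.append("folded header line")
            continue
        name, sep, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())
        if not sep or not TOKEN.match(name):
            problems.append(f"malformed header line: {line!r}")
            continue
        if name not in ALLOWED:
            problems.append(f"unexpected header: {name}")
        if name in SINGLETON and name in seen:
            problems.append(f"duplicate header: {name}")
        if re.search(r"[\x00-\x08\x0a-\x1f\x7f]", value):   # bare CR/LF, NUL, etc.
            problems.append(f"control character in {name}")
        seen.add(name)
    return problems

# Constructed sample messages (not captured traffic).
GOOD = (b"MESSAGE sip:bob@ims.example SIP/2.0\r\n"
        b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
        b"From: <sip:alice@ims.example>;tag=1\r\n"
        b"To: <sip:bob@ims.example>\r\n"
        b"Call-ID: a84b4c76e66710\r\n"
        b"CSeq: 1 MESSAGE\r\n"
        b"Max-Forwards: 70\r\n"
        b"Content-Type: text/plain\r\n"
        b"Content-Length: 2\r\n\r\nhi")
BAD = GOOD.replace(b"CSeq: 1 MESSAGE\r\n", b"CSeq: 1 MESSAGE\r\n"
                   b"f: <sip:mallory@ims.example>;tag=9\r\nX-Injected: 1\r\n")

if __name__ == "__main__":
    print(check_sip_headers(GOOD), check_sip_headers(BAD))
```

A gateway applying such a policy would drop or log any message for which the returned list is non-empty.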