Hackers of India

Are your VoLTE and VoWiFi calls secure?

 Sreepriya Chalakkal 



Voice over LTE (VoLTE) as well as Voice over WiFi (VoWiFi) are variants of Voice over IP that makes use of IP Multimedia Subsystem (IMS) in its backend. In this talk, we identify five different attacks on VoLTE/VoWiFi.

This includes mainly (i)sniffing VoLTE/VoWiFi interfaces, (ii)extracting IPSec keys from IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii)performing three different kinds of injection attacks in Session Initiation Protocol (SIP) headers that are used for signaling of VoLTE/VoWiFi. As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking IMSI, IMEI, location of users and private IP of IMS.

We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from ISIM with the help of a hardware device called SIMTrace.

We also discuss three different SIP header injection attacks that enables location manipulation and side channel attacks.

It is important to note here that all these attacks are valid on the current 3GPP standards that are used by telecom providers. Thus understanding the attacks and mitigating them is of high relevance.

This is a continuation of the work presented by Schmidt et.al in the talk IMSecure – Attacking VoLTE at Areas41 conference, 2016. There is also a reference paper for more information