research-article

Insecurity of Voice Solution VoLTE in LTE Mobile Networks

Authors:

Xinbing WangAuthors Info & Claims

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Pages 316 - 327

https://doi.org/10.1145/2810103.2813618

Published: 12 October 2015 Publication History

Abstract

VoLTE (Voice-over-LTE) is the designated voice solution to the LTE mobile network, and its worldwide deployment is underway. It reshapes call services from the traditional circuit-switched telecom telephony to the packet-switched Internet VoIP. In this work, we conduct the first study on VoLTE security before its full rollout. We discover several vulnerabilities in both its control-plane and data-plane functions, which can be exploited to disrupt both data and voice in operational networks. In particular, we find that the adversary can easily gain free data access, shut down continuing data access, or subdue an ongoing call, etc. We validate these proof-of-concept attacks using commodity smartphones (rooted and unrooted) in two Tier-1 US mobile carriers. Our analysis reveals that, the problems stem from both the device and the network. The device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

References

[1]

"2014: A VoLTE Security Nightmare?". http://tinyurl.com/p4rpm52.

[2]

Decypt ISPEC packets. http://tinyurl.com/ptzurve.

[3]

Network info ii. http://tinyurl.com/baa6jtu.

[4]

Shark for Root. http://tinyurl.com/n7e9ubz.

[5]

Voice over LTE. http://www.gsma.com/technicalprojects/volte.

[6]

RFC 3550: RTP: A Transport Protocol for Real-Time Applications, Jul 2003.

[7]

3GPP. TS23.203: Policy and Charging Control Architecture, 2013.

[8]

3GPP. TS23.107:Quality of Service concept and architecture, 2014.

[9]

3GPP. TS23.228: IP Multimedia Subsystem (IMS);Stage 2, 2014.

[10]

3GPP. TS36.321:E-UTRA; Medium Access Control (MAC) protocol specification, Jan 2015.

[11]

M. Arapinis, L. Mancini, E. Ritter, M. Ryan, N. Golde, K. Redon, and R. Borgaonkar. New Privacy Issues in Mobile Telephony: Fix and Verification. In ACM CCS, 2012.

Digital Library

[12]

M. Arapinis, L. I. Mancini, E. Ritter, and M. Ryan. Privacy through pseudonymity in mobile telephony systems. In NDSS, 2014.

[13]

J. Beekman and C. Thompson. Man-in-the-middle attack on t-mobile wi-fi calling. Technical Report UCB/EECS-2013--18, EECS Department, University of California, Berkeley, Mar 2013.

[14]

S. Chakradeo, B. Reaves, P. Traynor, and W. Enck. MAST: Triage for Market-scale Mobile Malware Analysis. In WiSec, 2013.

Digital Library

[15]

W. Enck, P. Traynor, P. McDaniel, and T. La Porta. Exploiting Open Functionality in SMS-Capable Cellular Networks. In CCS, 2005.

Digital Library

[16]

C. Fleizach, M. Liljenstam, P. Johansson, G. M. Voelker, and A. Mehes. Can you infect me now?: malware propagation in mobile phone networks. In ACM workshop on Recurring malcode, 2007.

Digital Library

[17]

C. Fuchs, N. Aschenbruck, F. Leder, and P. Martini. Detecting VoIP based DoS Attacks at the Public Safety Answering Point. In ACM ASIACCS, 2008.

Digital Library

[18]

Y. Go, J. Won, D. F. Kune, E. Jeong, Y. Kim, and K. Park. Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission. In NDSS, February 2014.

[19]

A. D. Keromytis. A Look at VoIP Vulnerabilities. Login, 1:41--50, 2010.

[20]

A. P. S. Louvros and A. Gkioni. Voice Over LTE (VoLTE): Service Implementation and Cell Planning Perspective. In System-Level Design Methodologies for Telecommunication, pages 43--62. Springer, 2014.

[21]

N. S. Networks. From Voice over IP to Voice over LTE, 2013. http://tinyurl.com/q79vyu6.

[22]

F. S. Park, D. Patnaik, C. Amrutkar, and M. T. Hunter. A Security Evaluation of IMS Deployments. In IEEE IMSAA, 2008.

[23]

C. Peng, C. Li, G. Tu, S. Lu, and L. Zhang. Mobile Data Charging: New Attacks and Countermeasures. In CCS, Oct. 2012.

Digital Library

[24]

C. Peng, C.-Y. Li, H. Wang, G.-H. Tu, and S. Lu. Real Threats to Your Mobile Data Bills. In ACM CCS, Nov 2014.

[25]

C. Peng, G. Tu, C. Li, and S. Lu. Can We Pay for What We Get in 3G Data Access? In MobiCom, Aug. 2012.

Digital Library

[26]

J. Peterson. RFC 3323: A Privacy Mechanism for the Session Initiation Protocol (SIP), 2002.

Digital Library

[27]

Z. Qian and Z. M. Mao. Off-Path TCP Sequence Number Inference Attack-How Firewall Middleboxes Reduce Security. In S&P, 2012.

Digital Library

[28]

Z. Qian, Z. M. Mao, and Y. Xie. Collaborative TCP Sequence Number Inference Attack: How to Crack Sequence Number under a Second. In ACM CCS, 2012.

Digital Library

[29]

R. Racic, D. Ma, and H. Chen. Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery. In SecureComm, 2006.

[30]

RFC3261: SIP: Session Initiation Protocol, June 2002.

[31]

D. Sisalem, J. Floroiu, J. Kuthan, U. Abend, and H. Schulzrinne. SIP security. John Wiley & Sons, 2009.

Digital Library

[32]

P. Traynor, W. Enck, P. McDaniel, and T. L. Porta. Exploiting open functionality in sms-capable cellular networks. Journal of Computer Security, 16:713--742, 2008.

Digital Library

[33]

P. Traynor, P. McDaniel, and T. La Porta. On Attack Causality in Internet-Connected Cellular Networks. In USENIX Security, 2007.

Digital Library

[34]

H. T. T. Truong, E. Lagerspetz, P. Nurmi, A. J. Oliner, S. Tarkoma, N. Asokan, and S. Bhattacharya. The company you keep: Mobile malware infection rates and inexpensive risk indicators. In WWW'14.

Digital Library

[35]

G. Tu, C. Peng, C. Li, X. Ma, H. Wang, T. Wang, and S. Lu. Accounting for roaming users on mobile data access: Issues and root causes. In MobiSys, Jun. 2013.

Digital Library

[36]

G.-H. Tu, C.-Y. Li, C. Peng, and S. Lu. How Voice Call Technology Poses Security Threats in 4G LTE Networks. In IEEE Conference on Communications and Network Security (CNS), September 2015.

[37]

L. L. Ying and S. W. Yuan. Forward handover for voice call continuity. In NGMAST, September 2012.

Digital Library

[38]

R. Zhang, X. Wang, R. Farley, X. Yang, and X. Jiang. On the Feasibility of Launching the Man-In-The-Middle Attacks on VoIP from Remote Attackers. In ACM ASIACCS, 2009.

Digital Library

[39]

Y. Zhou and X. Jiang. Dissecting Android Malware: Characterization and Evolution. In IEEE S&P, 2012.

Digital Library

Cited By

Shi JWang SChen MTu GXie TChen MHu YLi CPeng CGanesan DShi W(2024)IMS is Not That Secure on Your 5G/4G PhonesProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3649377(513-527)Online publication date: 29-May-2024
https://dl.acm.org/doi/10.1145/3636534.3649377
Chen MHu YTu GLi CWang SShi JXie THsu RXiao LPeng CTan ZLu S(2024)Taming the Insecurity of Cellular Emergency Services (9–1-1): From Vulnerabilities to Secure DesignsIEEE/ACM Transactions on Networking10.1109/TNET.2024.337929232:4(3076-3091)Online publication date: Aug-2024
https://doi.org/10.1109/TNET.2024.3379292
Wang SXie TChen MTu GLi CLei XChou PHsieh FHu YXiao LPeng C(2024)Dissecting Operational Cellular IoT Service Security: Attacks and DefensesIEEE/ACM Transactions on Networking10.1109/TNET.2023.331355732:2(1229-1244)Online publication date: Apr-2024
https://doi.org/10.1109/TNET.2023.3313557
Show More Cited By

Index Terms

Insecurity of Voice Solution VoLTE in LTE Mobile Networks
1. Networks
  1. Network types
    1. Mobile networks
    2. Wireless access networks
2. Security and privacy
  1. Network security

Recommendations

New Security Threats Caused by IMS-based SMS Service in 4G LTE Networks
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the ...
Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations
CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE ...
Solution to Reduce Voice Interruption Time during Handover of VoLTE Call in Enhanced Single Radio Voice Call Continuity
ACCT '15: Proceedings of the 2015 Fifth International Conference on Advanced Computing & Communication Technologies

LTE network is a packet switched based network, which does not support circuit switched network feature like voice call. Operators have been trying to deploy LTE network in phases and in parallel they are supporting legacy networks too. It is necessary ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security

October 2015

1750 pages

ISBN:9781450338325

DOI:10.1145/2810103

General Chair:
Indrajit Ray
Colorado State University, USA
,
Program Chairs:
Ninghui Li
Purdue University, USA
,
Christopher Kruegel
University of California, Santa Barbara, USA

Copyright © 2015 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 October 2015

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

CCS'15

Sponsor:

SIGSAC

CCS'15: The 22nd ACM Conference on Computer and Communications Security

October 12 - 16, 2015

Colorado, Denver, USA

Acceptance Rates

CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

57
Total Citations
View Citations
1,241
Total Downloads

Downloads (Last 12 months)49
Downloads (Last 6 weeks)9

Reflects downloads up to 26 Sep 2024

Other Metrics

View Author Metrics

Citations

Cited By

Shi JWang SChen MTu GXie TChen MHu YLi CPeng CGanesan DShi W(2024)IMS is Not That Secure on Your 5G/4G PhonesProceedings of the 30th Annual International Conference on Mobile Computing and Networking10.1145/3636534.3649377(513-527)Online publication date: 29-May-2024
https://dl.acm.org/doi/10.1145/3636534.3649377
Chen MHu YTu GLi CWang SShi JXie THsu RXiao LPeng CTan ZLu S(2024)Taming the Insecurity of Cellular Emergency Services (9–1-1): From Vulnerabilities to Secure DesignsIEEE/ACM Transactions on Networking10.1109/TNET.2024.337929232:4(3076-3091)Online publication date: Aug-2024
https://doi.org/10.1109/TNET.2024.3379292
Wang SXie TChen MTu GLi CLei XChou PHsieh FHu YXiao LPeng C(2024)Dissecting Operational Cellular IoT Service Security: Attacks and DefensesIEEE/ACM Transactions on Networking10.1109/TNET.2023.331355732:2(1229-1244)Online publication date: Apr-2024
https://doi.org/10.1109/TNET.2023.3313557
Lu YHsiao SLi CHsieh YChou PLi YXie TTu G(2023)Insecurity of Operational IMS Call Systems: Vulnerabilities, Attacks, and CountermeasuresIEEE/ACM Transactions on Networking10.1109/TNET.2022.320518331:2(800-815)Online publication date: Apr-2023
https://doi.org/10.1109/TNET.2022.3205183
Shi JXie TTu GPeng CLi CHou AWang SHu YLei XChen MXiao LLiu X(2023)When Good Turns Evil: Encrypted 5G/4G Voice Calls Can Leak Your Identities2023 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS59707.2023.10288900(1-9)Online publication date: 2-Oct-2023
https://doi.org/10.1109/CNS59707.2023.10288900
Asmare FAyalew L(2023)Security challenges in the transition to 4G mobile systems in developing countriesCogent Engineering10.1080/23311916.2023.216621410:1Online publication date: 8-Feb-2023
https://doi.org/10.1080/23311916.2023.2166214
Cui ZCui BFu JDong R(2022)Security Threats to Voice Services in 5G Standalone NetworksSecurity and Communication Networks10.1155/2022/73951282022(1-13)Online publication date: 4-Sep-2022
https://doi.org/10.1155/2022/7395128
Ghoshal MKong ZXu QLu ZAggarwal SKhan ILi YHu YKoutsonikolas DAlay OWang Y(2022)An in-depth study of uplink performance of 5G mmWave networksProceedings of the ACM SIGCOMM Workshop on 5G and Beyond Network Measurements, Modeling, and Use Cases10.1145/3538394.3546042(29-35)Online publication date: 22-Aug-2022
https://dl.acm.org/doi/10.1145/3538394.3546042
Zhao JLi QYuan ZZhang ZLu S(2022)5G Messaging: System Insecurity and Defenses2022 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS56114.2022.9947238(37-45)Online publication date: 3-Oct-2022
https://doi.org/10.1109/CNS56114.2022.9947238
Lin SShi MArora ABassily RBertino ECaramanis CChowdhury KEkici EEryilmaz AIoannidis SJiang NJoshi GKurose JLiang YLin ZLiu JLiu MMelodia TMokhtari ANowak ROh SParthasarathy SPeng CSeferoglu HShroff NShakkottai SSrinivasan KTalwalkar AYener AYing L(2022)Leveraging Synergies Between AI and Networking to Build Next Generation Edge Networks2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC)10.1109/CIC56439.2022.00013(16-25)Online publication date: Dec-2022
https://doi.org/10.1109/CIC56439.2022.00013
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents