research-article

Open access

VWAnalyzer: A Systematic Security Analysis Framework for the Voice over WiFi Protocol

Authors:

Elisa BertinoAuthors Info & Claims

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

Pages 182 - 195

https://doi.org/10.1145/3488932.3517425

Published: 30 May 2022 Publication History

Abstract

In this paper, we evaluate the security of the Voice over WiFi (VoWiFi) protocol by proposing the VWAnalyzer framework. We model five critical procedures of the VoWiFi protocol and deploy a model-based testing approach to uncover potential design flaws. Since the standards of the VoWiFi protocol contain underspecifications that can lead to vulnerable scenarios, VWAnalyzer explicitly deals with them. Unlike prior approaches that do not consider the underspecifications, VWAnalyzer adopts a systematic approach that constructs diverse and viable scenarios based on the underspecifications and substantially reduces the number of possible scenarios. Then the scenarios are verified against security properties. VWAnalyzer automatically generates 960 viable scenarios to be analyzed among 10,368 scenarios (91% decrease) from the initial models. We demonstrate the effectiveness of VWAnalyzer by verifying 38 properties and uncovering 3 new attacks. Notable among our findings is the denial-of-cellular-connectivity attack, due to insecure handover that disconnects the user through both VoWiFi and VoLTE. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated the attacks in a real-world testbed. We also report several implementations issues that were uncovered during the testbed evaluation.

Supplementary Material

MP4 File (ASIA-CCS22-fp406.mp4)

Presentation video of "VWAnalyzer: A Systematic Security Analysis Framework for the Voice over WiFi Protocol"

Download
69.85 MB

References

[1]

3GPP TS 23.003. 2013. Numbering, addressing and identification Release 17. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=729. (Accessed on 07/14/2021).

[2]

3GPP TS 23.402. 2019. Architecture enhancements for non-3GPP accesses Release 16. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=850. (Accessed on 07/21/2021).

[3]

3GPP TS 24.301. 2019. Non-Access-Stratum (NAS) protocol for Evolved Packet System (EPS); Stage 3. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=1072. (Accessed on 03/06/2022).

[4]

3GPP TS 33.402. 2020. Security aspects of non-3GPP accesses Release 16. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=2297. (Accessed on 07/17/2021).

[5]

3GPP TS 36.523--1. 2021. Evolved Universal Terrestrial Radio Access (E-UTRA) and Evolved Packet Core (EPC); User Equipment (UE) conformance specification; Part 1: Protocol conformance specification Release 16. https://www.etsi.org/deliver/etsi_ts/136500_136599/13652301/16.08.00_60/ts_13652301v160800p.pdf. (Accessed on 07/20/2021).

[6]

3GPP. 2020. Access to the 3GPP Evolved Packet Core (EPC) via non-3GPP access networks; Stage 3 (Release 17). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=1073. (Accessed on 07/07/2021).

[7]

3GPP. 2021. IP Multimedia Subsystem (IMS); Stage 2. https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx'specificationId=821. (Accessed on 07/08/2021).

[8]

Mayank Agarwal, Santosh Biswas, and Sukumar Nandi. 2018. An efficient scheme to detect evil twin rogue access point attack in 802.11 Wi-Fi networks. International Journal of Wireless Information Networks, Vol. 25, 2 (2018), 130--145.

[9]

J Arkko and H Haverinen. 2006. Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA). https://datatracker.ietf.org/doc/html/rfc4187. (Accessed on 07/08/2021).

[10]

IEEE Standards Association et almbox. 2007. IEEE 802.11i-2004 - IEEE Standard for information technology-Telecommunications and information exchange between systems-Local and metropolitan area networks-Specific requirements-Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements. https://standards.ieee.org/standard/802_11i-2004.html. (Accessed on 07/08/2021).

[11]

Jaejong Baek, Sukwha Kyung, Haehyun Cho, Ziming Zhao, Yan Shoshitaishvili, Adam Doupé, and Gail-Joon Ahn. 2018. Wi not calling: Practical privacy and availability Attacks in Wi-Fi calling. In Proceedings of the 34th Annual Computer Security Applications Conference. 278--288.

Digital Library

[12]

David Basin, Jannik Dreier, Lucca Hirschi, Savsa Radomirovic, Ralf Sasse, and Vincent Stettler. 2018a. A Formal Analysis of 5G Authentication. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS '18). Association for Computing Machinery, New York, NY, USA, 1383--1396. https://doi.org/10.1145/3243734.3243846

Digital Library

[13]

David Basin, Jannik Dreier, Lucca Hirschi, Savs a Radomirovic, Ralf Sasse, and Vincent Stettler. 2018b. A formal analysis of 5G authentication. In Proceedings of the 2018 ACM SIGSAC conference on computer and communications security. 1383--1396.

Digital Library

[14]

Roberto Cavada, Alessandro Cimatti, Michele Dorigatti, Alberto Griggio, Alessandro Mariotti, Andrea Micheli, Sergio Mover, Marco Roveri, and Stefano Tonetta. 2014. The nuXmv symbolic model checker. In International Conference on Computer Aided Verification. Springer, 334--342.

Digital Library

[15]

Cisco. 2019. Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2017--2022. https://s3.amazonaws.com/media.mediapost.com/uploads/CiscoForecast.pdf. (Accessed on 07/08/2021).

[16]

Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. 2000. Counterexample-guided abstraction refinement. In International Conference on Computer Aided Verification. Springer, 154--169.

[17]

C. Cremers and Martin Dehnel-Wild. 2019. Component-Based Formal Analysis of 5G-AKA: Channel Assumptions and Session Confusion. In 26th Annual Network and Distributed System Security Symposium, NDSS 2019, San Diego, California, USA, February 24-27, 2019. https://doi.org/10.14722/ndss.2019.23394

[18]

Danny Dolev and Andrew C. Yao. 1983. On the security of public key protocols. IEEE Transactions on information theory, Vol. 29, 2 (1983), 198--208.

Digital Library

[19]

John Ellson, Emden R Gansner, Eleftherios Koutsofios, Stephen C North, and Gordon Woodhull. 2004. Graphviz and dynagraph-static and dynamic graph drawing tools. In Graph drawing software. Springer, 127--148.

[20]

Pasi Eronen, H Tschofenig, and Y Sheffer. 2010. An Extension for EAP-Only Authentication in IKEv2. https://datatracker.ietf.org/doc/html/rfc5998. (Accessed on 07/16/2021).

[21]

Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino. 2018. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In Network and Distributed Systems Security (NDSS) Symposium 2018.

[22]

Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, and Elisa Bertino. 2019. 5GReasoner: A property-directed security and privacy analysis framework for 5G cellular network protocol. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 669--684.

Digital Library

[23]

Ari Huttunen, Brian Swander, Victor Volpe, Larry DiBurro, and Markus Stenberg. 2005. UDP encapsulation of IPsec ESP packets. https://datatracker.ietf.org/doc/html/rfc3948. (Accessed on 07/08/2021).

[24]

P&S Intelligence. 2020. VoWiFi (Voice Over Wi-Fi) Market Research Report: By Voice Client, Technology, Architecture, Device Type, End User - Global Industry Analysis and Growth Forecast to 2030. https://www.psmarketresearch.com/market-analysis/voice-over-wifi-vowifi-market. (Accessed on 07/08/2021).

[25]

A Johnston, S Donovan, R Sparks, C Cunningham, and K Summers. 2003. Session Initiation Protocol (SIP) Basic Call Flow Examples. https://datatracker.ietf.org/doc/html/rfc3665. (Accessed on 07/08/2021).

[26]

Imtiaz Karim, Syed Rafiul Hussain, and Elisa Bertino. 2021. ProChecker: An Automated Security and Privacy Analysis Framework for 4G LTE Protocol Implementations. In 2021 IEEE 41th International Conference on Distributed Computing Systems (ICDCS). IEEE.

[27]

Charlie Kaufman, Paul Hoffman, Yoav Nir, Pasi Eronen, and Tero Kivinen. 2010. Internet key exchange protocol version 2 (IKEv2). https://datatracker.ietf.org/doc/html/rfc5996. (Accessed on 07/08/2021).

[28]

S Kent. 2005. IP Encapsulating Security Payload (ESP). https://datatracker.ietf.org/doc/html/rfc4303. (Accessed on 07/08/2021).

[29]

S. Kent and K. Seo. 2005. Security Architecture for the Internet Protocol. https://datatracker.ietf.org/doc/html/rfc4301. (Accessed on 07/08/2021).

[30]

Hongil Kim, Jiho Lee, Eunkyu Lee, and Yongdae Kim. 2019. Touching the untouchables: Dynamic security analysis of the LTE control plane. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1153--1168.

[31]

Joonhee Lee, Hyunwoo Lee, Jongheon Jeong, Doowon Kim, and Ted Taekyoung Kwon. 2021. Analyzing Spatial Differences in the TLS Security of Delegated Web Services. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 475--487.

Digital Library

[32]

Yu-Han Lu, Chi-Yu Li, Yao-Yu Li, Sandy Hsin-Yu Hsiao, Tian Xie, Guan-Hua Tu, and Wei-Xun Chen. 2020. Ghost calls from operational 4G call systems: IMS vulnerability, call DoS attack, and countermeasure. In Proceedings of the 26th Annual International Conference on Mobile Computing and Networking. 1--14.

Digital Library

[33]

Simon Meier, Benedikt Schmidt, Cas Cremers, and David Basin. 2013. The TAMARIN prover for the symbolic analysis of security protocols. In International Conference on Computer Aided Verification. Springer, 696--701.

[34]

Diogo Mónica and Carlos Ribeiro. 2011. Wifihop-mitigating the evil twin attack through multi-hop detection. In European Symposium on Research in Computer Security. Springer, 21--39.

[35]

Chunyi Peng, Chi-Yu Li, Hongyi Wang, Guan-Hua Tu, and Songwu Lu. 2014. Real threats to your data bills: Security loopholes and defenses in mobile data charging. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 727--738.

Digital Library

[36]

Jonathan Rosenberg, Henning Schulzrinne, Gonzalo Camarillo, Alan Johnston, Jon Peterson, Robert Sparks, Mark Handley, and Eve Schooler. 2002. SIP: Session Initiation Protocol. https://datatracker.ietf.org/doc/html/rfc3261. (Accessed on 07/08/2021).

[37]

Daehyun Strobel. 2007. IMSI catcher. Chair for Communication Security, Ruhr-Universität Bochum, Vol. 14 (2007).

[38]

Tian Xie, Guan-Hua Tu, Chi-Yu Li, Chunyi Peng, Jiawei Li, and Mi Zhang. 2018. The dark side of operational Wi-Fi calling services. In 2018 IEEE Conference on Communications and Network Security (CNS). IEEE, 1--1.

Cited By

Bhatti DSidrat SSaleem SMalik ASuh BKim KLee K(2024)Performance analysis: Securing SIP on multi-threaded/multi-core proxy server using public keys on Diffie–Hellman (DH) in single and multi-server queuing scenariosPLOS ONE10.1371/journal.pone.029362619:1(e0293626)Online publication date: 25-Jan-2024
https://doi.org/10.1371/journal.pone.0293626
Gegenhuber GFrenzel PWeippl EOkoshi TKo JLiKamWa R(2024)Why E.T. Can’t Phone Home: A Global View on IP-based Geoblocking at VoWiFiProceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services10.1145/3643832.3661883(183-195)Online publication date: 3-Jun-2024
https://dl.acm.org/doi/10.1145/3643832.3661883
Yang JWang Y(2024)Dependency-Graph Enabled Formal Analysis for 5G AKA Protocols: Assumption Propagation and VerificationICC 2024 - IEEE International Conference on Communications10.1109/ICC51166.2024.10622353(715-721)Online publication date: 9-Jun-2024
https://doi.org/10.1109/ICC51166.2024.10622353
Show More Cited By

Index Terms

VWAnalyzer: A Systematic Security Analysis Framework for the Voice over WiFi Protocol
1. Security and privacy
  1. Network security
    1. Mobile and wireless security

Recommendations

A big data analytics approach to combat telecommunication vulnerabilities

Both the telecommunication networks and the mobile communication networks are using the Signaling System No. 7 (SS7) as the nervous system. It allows mobile users to communicate using SMS and phone calls, manage billing for operators and much more. ...
A vulnerability in the UMTS and LTE authentication and key agreement protocols
MMM-ACNS'12: Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security

We report on a deficiency in the specifications of the Authentication and Key Agreement (AKA) protocols of the Universal Mobile Telecommunications System (UMTS) and Long-Term Evolution (LTE) as well as the specification of the GSM Subscriber Identity ...
Efficient password-authenticated key exchange for three-party secure against undetectable on-line dictionary attacks
ICCS'06: Proceedings of the 6th international conference on Computational Science - Volume Part I

A password-authenticated key exchange (PAKE) protocol in the three-party setting allows two users communicating over a public network to agree on a common session key by the help of a server. In the setting the users do not share a password between ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security

May 2022

1291 pages

ISBN:9781450391405

DOI:10.1145/3488932

General Chairs:
Yuji Suga
Internet Initiative Japan Inc., Japan
,
Kouichi Sakurai
Kyushu University, Japan
,
Program Chairs:
Xuhua Ding
Singapore Management University, Singapore
,
Kazue Sako
Waseda University, Japan

Copyright © 2022 Owner/Author.

This work is licensed under a Creative Commons Attribution International 4.0 License.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 May 2022

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation (NSF)

Conference

ASIA CCS '22

Sponsor:

SIGSAC

ASIA CCS '22: ACM Asia Conference on Computer and Communications Security

May 30 - June 3, 2022

Nagasaki, Japan

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

5
Total Citations
View Citations
470
Total Downloads

Downloads (Last 12 months)162
Downloads (Last 6 weeks)28

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Bhatti DSidrat SSaleem SMalik ASuh BKim KLee K(2024)Performance analysis: Securing SIP on multi-threaded/multi-core proxy server using public keys on Diffie–Hellman (DH) in single and multi-server queuing scenariosPLOS ONE10.1371/journal.pone.029362619:1(e0293626)Online publication date: 25-Jan-2024
https://doi.org/10.1371/journal.pone.0293626
Gegenhuber GFrenzel PWeippl EOkoshi TKo JLiKamWa R(2024)Why E.T. Can’t Phone Home: A Global View on IP-based Geoblocking at VoWiFiProceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services10.1145/3643832.3661883(183-195)Online publication date: 3-Jun-2024
https://dl.acm.org/doi/10.1145/3643832.3661883
Yang JWang Y(2024)Dependency-Graph Enabled Formal Analysis for 5G AKA Protocols: Assumption Propagation and VerificationICC 2024 - IEEE International Conference on Communications10.1109/ICC51166.2024.10622353(715-721)Online publication date: 9-Jun-2024
https://doi.org/10.1109/ICC51166.2024.10622353
Mondal DThangarasu NM PIngle YSaxena AKumar J(2023)Investigating the Effectiveness of Internet Key Exchange (IKE) Protocol in Wireless Network Security2023 3rd International Conference on Smart Generation Computing, Communication and Networking (SMART GENCON)10.1109/SMARTGENCON60755.2023.10441857(1-5)Online publication date: 29-Dec-2023
https://doi.org/10.1109/SMARTGENCON60755.2023.10441857
Verma DSingh VN BShree RMinhas DYuvaraj S(2023)An Analysis of Encapsulating Security Payload in Wireless Network Security2023 International Conference on Emerging Research in Computational Science (ICERCS)10.1109/ICERCS57948.2023.10433980(1-6)Online publication date: 7-Dec-2023
https://doi.org/10.1109/ICERCS57948.2023.10433980
Lin SShi MArora ABassily RBertino ECaramanis CChowdhury KEkici EEryilmaz AIoannidis SJiang NJoshi GKurose JLiang YLin ZLiu JLiu MMelodia TMokhtari ANowak ROh SParthasarathy SPeng CSeferoglu HShroff NShakkottai SSrinivasan KTalwalkar AYener AYing L(2022)Leveraging Synergies Between AI and Networking to Build Next Generation Edge Networks2022 IEEE 8th International Conference on Collaboration and Internet Computing (CIC)10.1109/CIC56439.2022.00013(16-25)Online publication date: Dec-2022
https://doi.org/10.1109/CIC56439.2022.00013

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents