The research paper by P1 Security was presented last week in a security conference in France


A team of researchers from security firm P1 Security has detailed a list of flaws in the VoLTE protocol that allows an attacker to spoof anyone’s phone number and place phone calls under new identities, and extract IMSI and geo-location data from pre-call message exchanges.

These issues can be exploited by both altering some VoLTE packets and actively interacting with targets, but also by passively listening to VoLTE traffic on an Android device.

Voice over LTE (VoLTE)


VoLTE is a standard for high-speed wireless communication for mobile phones and data terminals, based on the IP Multimedia Subsystem network.

With VoLTE the voice service being delivered as data flows within the LTE data bearer, without dependency on the legacy circuit-switched voice network to be maintained.


The vulnerabilities

Researchers divide vulnerabilities into “active”, that require modifying special SIP packets, and “passive” that expose data via passive network monitoring or do not require any SIP packet modification.

Below a brief list of the flaws discovered (for extended information please refers to links in ‘Reference’ section, at the end of the post):

User enumeration

SIP INVITE messages are exchanged when phone calls via VoLTE are initiated and passes through all the mobile networking equipment that supports the call: an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider and get a list of all users on its network.

Free data channel over SDP

This flaw allows a VoLTE customer to exchange data (phone calls, SMS, mobile data) via VoLTE networks without initiating the CDR module, responsible for billing.

P1 team discovers a method that using SIP and SDP messages to create unmonitored data tunnels in VoLTE networks: it allows possible crime suspects a way to create covert data communications channels.

User identity spoofing

Mobile networking equipment does not verify if the SIP INVITE header information is correct, taking the caller’s identity at face value, so an attacker can modify certain headers in SIP INVITE messages and place calls using another user’s MSISDN (phone number).

VoLTE equipment fingerprinting and topology discovery

This vulnerability allows an attacker to fingerprint network equipment of a target operator just by listening to VoLTE telephony traffic reaching an Android smartphone.

Leak of the victim’s IMEI

Watching VoLTE traffic on an Android that’s initiating a call, researchers discovered that intermediary messages exchanged before establishing a connection reveal information about the caller IMEI number.

Leak of the victim’s personal information

Similarly to the attack above, researchers also discovered that the same SIP messages can also leak more detailed information about victims: attackers could initiate shadow calls, detect the victim’s approximate location, and hang up before the phone call is established.


References

The paper

https://www.sstic.org/media/SSTIC2017/SSTIC-actes/remote_geolocation_and_tracing_of_subscribers_usin/SSTIC2017-Article-remote_geolocation_and_tracing_of_subscribers_using_4g_volte_android_phone-le-moal_ventuzelo_coudray.pdf