DOI: 10.1145/2810103.2813718

Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-implementations

Published: 12 October 2015

Abstract

Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled, both from user equipment and infrastructure perspectives. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis.

Unlike the traditional call setup, the VoLTE call setup is controlled and performed at the Application Processor (AP), using SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel. This, combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice), leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, mobile platforms, and the core network.

        Published In

        CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
        October 2015
        1750 pages
        ISBN: 9781450338325
        DOI: 10.1145/2810103

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. accounting
        2. cellular networks
        3. security
        4. volte

        Qualifiers

        • Research-article

        Conference

        CCS'15
        Acceptance Rates

        CCS '15 Paper Acceptance Rate 128 of 660 submissions, 19%;
        Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

        Article Metrics

        • Downloads (Last 12 months): 387
        • Downloads (Last 6 weeks): 58
        Reflects downloads up to 07 Mar 2025

        Cited By

        • (2025) A Systematic Security Analysis for Beyond 5G Non-Access Stratum Protocol from the Perspective of Network Coexistence. Information Systems Frontiers. DOI: 10.1007/s10796-025-10586-2. Online publication date: 18-Feb-2025
        • (2024) Why E.T. Can’t Phone Home: A Global View on IP-based Geoblocking at VoWiFi. Proceedings of the 22nd Annual International Conference on Mobile Systems, Applications and Services. DOI: 10.1145/3643832.3661883 (183-195). Online publication date: 3-Jun-2024
        • (2024) IMS is Not That Secure on Your 5G/4G Phones. Proceedings of the 30th Annual International Conference on Mobile Computing and Networking. DOI: 10.1145/3636534.3649377 (513-527). Online publication date: 29-May-2024
        • (2024) Dissecting Operational Cellular IoT Service Security: Attacks and Defenses. IEEE/ACM Transactions on Networking. DOI: 10.1109/TNET.2023.3313557. 32:2 (1229-1244). Online publication date: Apr-2024
        • (2023) UCBlocker. Proceedings of the 32nd USENIX Conference on Security Symposium. DOI: 10.5555/3620237.3620263 (445-462). Online publication date: 9-Aug-2023
        • (2023) Insecurity of Operational IMS Call Systems: Vulnerabilities, Attacks, and Countermeasures. IEEE/ACM Transactions on Networking. DOI: 10.1109/TNET.2022.3205183. 31:2 (800-815). Online publication date: Apr-2023
        • (2023) On Account Association With Assistance From Mobile Networks. IEEE Transactions on Dependable and Secure Computing. DOI: 10.1109/TDSC.2022.3190795. 20:4 (3421-3433). Online publication date: 1-Jul-2023
        • (2022) Security Threats to Voice Services in 5G Standalone Networks. Security and Communication Networks. DOI: 10.1155/2022/7395128. 2022 (1-13). Online publication date: 4-Sep-2022
        • (2022) You have been warned: Abusing 5G’s Warning and Emergency Systems. Proceedings of the 38th Annual Computer Security Applications Conference. DOI: 10.1145/3564625.3568000 (561-575). Online publication date: 5-Dec-2022
        • (2022) An Opportunistic Power Control Scheme for Mitigating User Location Tracking Attacks in Cellular Networks. IEEE Transactions on Information Forensics and Security. DOI: 10.1109/TIFS.2022.3152403. 17 (1131-1144). Online publication date: 2022
