DOI: 10.1145/3274694.3274753
research-article

Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling

Published: 03 December 2018

Abstract

Wi-Fi Calling, which is used to make and receive calls over a Wi-Fi network, has been widely adopted and deployed to extend coverage and increase capacity in weak-signal areas by moving traffic from LTE to Wi-Fi networks. However, the security of the Wi-Fi Calling mechanism has not been fully analyzed, and Wi-Fi Calling may inherently have greater security risks than conventional LTE calling. To provide secure connections with confidentiality and integrity, Wi-Fi Calling leverages the IETF protocols IKEv2 and IPSec.
In this paper, we analyze the security of the Wi-Fi Calling specifications and discover several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks. By setting up a rogue access point in a live testbed environment, we observe that user devices can leak the International Mobile Subscriber Identity (IMSI), despite it being encrypted. The leaked information can be further exploited for tracking user locations. We also discuss how these protocols are vulnerable to several denial-of-service attacks.
To protect user privacy and services against these attacks, we propose practical countermeasures. We also present trade-off considerations that make it challenging to apply countermeasures to mitigate the existing vulnerabilities. Additionally, we propose corresponding amendments to future protocol specifications to address these trade-offs.

    Published In

    ACSAC '18: Proceedings of the 34th Annual Computer Security Applications Conference
    December 2018
    766 pages
    ISBN:9781450365697
    DOI:10.1145/3274694
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

    In-Cooperation

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. DoS
    2. IMSI
    3. IPSec
    4. Impersonation Attack
    5. Privacy
    6. Wi-Fi Calling

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC '18

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%

    Cited By

    • (2024) IMS is Not That Secure on Your 5G/4G Phones. Proceedings of the 30th Annual International Conference on Mobile Computing and Networking, 513-527. DOI: 10.1145/3636534.3649377. Online publication date: 29-May-2024
    • (2024) VoWi‐Fi security threats: Address resolution protocol attack and countermeasures. IET Networks. DOI: 10.1049/ntw2.12113. Online publication date: 17-Jan-2024
    • (2023) Insecurity of Operational IMS Call Systems: Vulnerabilities, Attacks, and Countermeasures. IEEE/ACM Transactions on Networking 31:2, 800-815. DOI: 10.1109/TNET.2022.3205183. Online publication date: Apr-2023
    • (2023) Targeted Privacy Attacks by Fingerprinting Mobile Apps in LTE Radio Layer. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 261-273. DOI: 10.1109/DSN58367.2023.00035. Online publication date: Jun-2023
    • (2022) VWAnalyzer. Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, 182-195. DOI: 10.1145/3488932.3517425. Online publication date: 30-May-2022
    • (2021) Three Years Later: A Study of MAC Address Randomization In Mobile Devices And When It Succeeds. Proceedings on Privacy Enhancing Technologies 2021:3, 164-181. DOI: 10.2478/popets-2021-0042. Online publication date: 27-Apr-2021
    • (2021) Security Aspects and Vulnerabilities in Authentication Process WiFi Calling – RF measurements. 2021 IEEE International Black Sea Conference on Communications and Networking (BlackSeaCom), 1-5. DOI: 10.1109/BlackSeaCom52164.2021.9527884. Online publication date: 24-May-2021
    • (2020) Ghost calls from operational 4G call systems. Proceedings of the 26th Annual International Conference on Mobile Computing and Networking, 1-14. DOI: 10.1145/3372224.3380885. Online publication date: 16-Apr-2020
    • (2020) Transparent AAA Security Design for Low-Latency MEC-Integrated Cellular Networks. IEEE Transactions on Vehicular Technology 69:3, 3231-3243. DOI: 10.1109/TVT.2020.2964596. Online publication date: Mar-2020
    • (2020) Privacy Attack On IoT: a Systematic Literature Review. 2020 International Conference on ICT for Smart Society (ICISS), 1-8. DOI: 10.1109/ICISS50791.2020.9307568. Online publication date: 19-Nov-2020