Insecurity of Voice Solution VoLTE in LTE Mobile Networks

Chi-Yu Li1, Guan-Hua Tu1, Chunyi Peng 2, Zengwen Yuan, Yuanjie Li1, Songwu Lu 1, Xinbing Wang3

1: University of California, Los Angeles;

2: The Ohio State University; 3: Shanghai Jiao Tong University

The first two authors equally contribute to this work.

Voice: Vital Carrier Service All Along 2

30+ years support in cellular networks

Voice Evolved in 4G LTE

Legacy voice solution: Circuit-Switched (CS) Carrier-grade quality

4G LTE: Packet-switched (PS) only

3

Telephony Network CS Gateway

Circuit Circuit Circuit

4G PS Gateway (aka. edge routers)

Internet

?

4

Packet-switched (PS) Core

4G PS Gateway (aka. edge routers)

Internet

Telephony Network

4G LTE PS Core

VoLTE Signaling Packets VoLTE Voice Packets

Data Service Packets

Signaling Servers

Media Gateway

VoLTE

Voice over LTE (VoLTE): Carry Voice in Packets

How to provide “Carrier-Grade” Voice in VoLTE?

Define “Bearer” with distinct QoS profile to deliver packets

5

Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1

(highest) Data Service Bearer Best Effort 6-9

Packet-switched (PS) Core

4G PS Gateway (aka. edge routers)

Potential Security Threats in VoLTE 6

4G PS Gateway (aka. edge routers)

Internet

If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?

#1: Carry “data” over VoLTE Signaling bearer?

Potential Security Threats in VoLTE 7

4G PS Gateway (aka. edge routers)

Media Gateway

VoLTE

If yes, authentic voice traffic will be blocked.

#2: Inject (junk) data into VoLTE voice bearer?

✗

Overview of Our Findings

Data: Carry data over VoLTE signaling bearer Free data service Higher-priority data service Overbilling Data Denial-of-Service

Voice: Inject junk data into VoLTE voice bearer Voice Denial-of-Service (muted voice)

Vulnerabilities from VoLTE standards Carrier networks Mobile devices (software and hardware)

8

Carry Data in VoLTE Signaling Bearer 9

Two Access Control at Device & Network 10

4G PS Gateway (aka. edge routers)

Internet

Q1: [Device] Will the phone allow an app (user-space) to send data packets out into VoLTE signaling bearer?

Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-VoLTE destinations (Internet)?

Har

dwar

e No Access Control on the Phone

11

Android OS

615

Softw

are

Apps IMS Client VoLTE app (dialing)

4G LTE Modem (chipset)

#1: VoLTE signaling functions are implemented in IP-based software (Open to OS and apps) A system app

IP for VoLTE

IP for Normal data

Har

dwar

e No Access Control on the Phone

#2: No proper permission control to VoLTE Signaling network interface in OS (software) Given IP, app (w/Internet permission) send packets

#3: No access control in chipset (hardware)

12

Android OS

615

Softw

are

Apps IMS Client

VoLTE app (dialing)

4G LTE Modem (chipset)

IP for VoLTE

No Access Control in Network

#4: Imprudent routing in network Simply routing based on destination IP US-I: Internet and Mobile ✔

US-II: Mobile ✔

13

4G PS Gateway (aka. edge routers)

Internet

Signaling Servers

VoLTE

? ✔

Finally, it works out!

Mobile-to-Internet Example: ping Google

14

4G-GW

Finally, it works out!

Mobile-to-Internet

Mobile-to-Mobile VoLTE-to-VoLTE VoLTE-to-PS

15

4G-GW

4G-GW

Free for VoLTE Signalings 16

VoLTE Signaling free of charges Voice calls: charged by minutes Signaling: no charges (usually small volume) Validated in two US major carriers

Rational, but exploited for free data access

Free Data Service: Skype as Demo 17

http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4

Free Data Service 18

0306090

120150180210240

0 2 4 6 8 10 12 14 16

UplinkDownlink

Source Rate (Mbps)

Free

Dat

a (M

B)

0

100

200

300

400

500

0 1 2 3 4 5 6 7 8 9 10

UplinkDownlink

Time (Hours) Fr

ee D

ata

(MB

)

There exists NO signs of limit on the volume, throughput and duration for free data service

4G PS Gateway (aka. edge routers)

Overbilling Attack 19

Internet NAT/Firewall

Spamming via Mobile-to-Mobile (VoLTE-to-PS) Bypass inbound traffic access control at border

$

4G PS Gateway (aka. edge routers)

Data Denial-of-Service Attack 20

Internet NAT/Firewall

Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer

4G PS Gateway (aka. edge routers)

Data Denial-of-Service Attack 21

Internet NAT/Firewall

Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer

Delivery Priority VoLTE Signaling Bearer Best Effort 1 Data Service Bearer Best Effort 6-9

Data Denial-of-Service Attack 22

048

121620242832

0 5 10 15 20 25 30 35 40 45 50 55 60

Data BearerVoLTE Signaling Bearer

Thro

ughp

ut (M

bps)

X-th Second

0 Mbps

www.cnn.com

Youtube Logo

Inject Junk Data into VoLTE Voice Bearer 23

Similar, but Seemingly More Secure 24

4G PS Gateway (aka. edge routers)

Media Gateway

VoLTE ✗

Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer

But, voice bearer is designed for specific RTP/RTCP session (e.g., destIP, destPorts) – Such info is confidential (It varied with call and only delivered in encrypted VoLTE signaling messages)

4G LTE Modem (chipset)

Insufficient VoLTE Voice Access Control

#1: only dest. port# needed Use fixed media gateway (dest. IP

is fixed)

#2: Sending data packets with correct port# is allowed No access control in hardware

25

Hard

war

e

Android OS Soft

war

e

Apps IMS Client VoLTE app (dialing)

Port# is Secret, but can be Easily Leaked

Share same IP among voice and signaling bearers Port# matched, VoLTE voice bearer Port# unmatched, VoLTE signaling bearer

Leaked through distinct behaviors caused by various QoS profiles Guaranteed-Bit-Rate vs. High-Priority Best Effort Low-rate voice traffic NOT affected by heavy VoLTE

signaling

26

Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1

Infer RTP/RTCP Destination Ports 27

Port Number (K)

One

Hop

RTT

(ms)

0

100

200

300

0 10000 20000 30000 40000 50000 60000

04080

120160200

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Right-Port Min-RTT-for-Wrong-Port

x-th Run

One

Hop

RTT

(ms)

Ports 64580, 64581

Voice DoS: Muted Call 28

http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4

Root Causes & Recommended Solutions

VoLTE standards Grant the singaling bearer with priority but no speed

limit. Carrier networks

Imprudent routing & charging ploices for VoLTE signaling

Fix: disable routing, enable VoLTE volume accounting Mobile Devices

Lack access control at both software (improper permission) and hardware (missing)

Fix: VoLTE-specific permission, anomaly detection

29

Updates

Report and work with 2 US carriers to fix problems Partial solutions in place (07/2015, 08/2015) US-I

Disable routing to Non-VoLTE destination Fixed: free data, overbilling, data DoS Not fixed: voice DoS

US-II Limit the speed of Mobile-to-Mobile to 600 kbps Fixed: data DoS Not fixed: voice DoS, free data, overbilling

30

Conclusion

VoLTE designed to carry voice can be exploited to carry data Real threats: free data, overbilling, data DoS, voice

DoS. Lessons at its early deployment

Carrier network, device OS, chipset vendors and standards have room to improve

New opportunity for mobile industry security Hardware-based Mobile Security Require more close cooperation between various

parties…….

31

Thank you! Questions?

More details or updates about voice security in 4G LTE can be found in our UCLA-OSU cooperation project website