Insecurity of Voice Solution VoLTE in LTE Mobile Networks

Chi-Yu Li1, Guan-Hua Tu1, Chunyi Peng 2,

Zengwen Yuan1, Yuanjie Li1, Songwu Lu1, Xinbing Wang3

1: University of California, Los Angeles; 2: The Ohio State University;

3: Shanghai Jiao Tong University

The first two authors equally contribute to this work.

Voice: Vital Carrier Service All Along2

30+ years support in cellular networks

Voice Evolved in 4G LTE

◻ Legacy voice solution: Circuit-Switched (CS)

Carrier-grade quality

◻ 4G LTE: Packet-switched (PS) only

3

Telephony

NetworkCS GatewayCircuit CircuitCircuit

4G PS Gateway(aka. edge routers)

Internet

?

4

Packet-switched

(PS) Core4G PS Gateway(aka. edge routers)

Internet

Telephony

Network

4G LTE PS Core

VoLTE Signaling Packets

VoLTE Voice Packets

Data Service Packets

Signaling

Servers

Media

Gateway

VoLTE

Voice over LTE (VoLTE): Carry Voice in Packets

How to provide “Carrier-Grade” Voice in VoLTE?

◻ Define “Bearer” with distinct QoS profile to deliver packets

5

Delivery Priority

VoLTE Voice Bearer Guaranteed-Bit-Rate 2

VoLTE Signaling Bearer Best Effort 1

(highest)

Data Service Bearer Best Effort 6-9

Packet-switched

(PS) Core4G PS Gateway(aka. edge routers)

Potential Security Threats in VoLTE6

4G PS Gateway(aka. edge routers)

Internet

If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?

#1: Carry “data” over VoLTE Signaling bearer?

Potential Security Threats in VoLTE7

4G PS Gateway(aka. edge routers)

Media

Gateway

VoLTE

If yes, authentic voice traffic will be blocked.

#2: Inject (junk) data into VoLTE voice bearer?

✗

Overview of Our Findings

◻ Data: Carry data over VoLTE signaling bearerFree data service

Higher-priority data service

Overbilling

Data Denial-of-Service

◻ Voice: Inject junk data into VoLTE voice bearerVoice Denial-of-Service (muted voice)

◻ Vulnerabilities from

VoLTE standards

Carrier networks

Mobile devices (software and hardware)

8

Carry Data in VoLTE Signaling Bearer9

Two Access Control at Device & Network10

4G PS Gateway(aka. edge routers)

Internet

Q1: [Device] Will the phone allow an app (user-space) to send data packets out into VoLTE signaling bearer?

Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-VoLTE destinations (Internet)?

Har

dw

are

No Access Control on the Phone11

Android OS

615

Soft

war

e

Apps IMS ClientVoLTE app

(dialing)

4G LTE

Modem (chipset)

◻ #1: VoLTE signaling functions are implemented in IP-based software (Open to OS and apps)

A system app

IP for VoLTE

IP for Normal data

Har

dw

are

No Access Control on the Phone

◻ #2: No proper permission control to VoLTE Signaling network interface in OS (software)

Given IP, app (w/Internet permission) send packets

◻ #3: No access control in chipset (hardware)

12

Android OS

615

Soft

war

e

Apps IMS ClientVoLTE app

(dialing)

4G LTE

Modem (chipset)

IP for VoLTE

No Access Control in Network

◻ #4: Imprudent routing in network

Simply routing based on destination IP

US-I: Internet and Mobile ✔

US-II: Mobile ✔

13

4G PS Gateway(aka. edge routers)

Internet

Signaling

Servers

VoLTE

?✔

Finally, it works out!

◻ Mobile-to-Internet

Example: ping Google

14

4G-GW

Finally, it works out!

◻ Mobile-to-Internet

◻ Mobile-to-Mobile

VoLTE-to-VoLTE

VoLTE-to-PS

15

4G-GW

4G-GW

Free for VoLTE Signalings16

◻ VoLTE Signaling free of charges

Voice calls: charged by minutes

Signaling: no charges (usually small volume)

Validated in two US major carriers

◻ Rational, but exploited for free data access

Free Data Service: Skype as Demo 17

http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4

Free Data Service 18

0.

30.

60.

90.

120.

150.

180.

210.

240.

0 2 4 6 8 10 12 14 16

Uplink

Downlink

Source Rate (Mbps)

Fre

e D

ata

(M

B)

0.

100.

200.

300.

400.

500.

0 1 2 3 4 5 6 7 8 9 10

Uplink

Downlink

Time (Hours)

Fre

e D

ata

(M

B)

There exists NO signs of limit on the volume, throughput and duration for free data service

4G PS Gateway(aka. edge routers)

Overbilling Attack19

InternetNAT/Firewall

◻ Spamming via Mobile-to-Mobile (VoLTE-to-PS)

Bypass inbound traffic access control at border

$

4G PS Gateway(aka. edge routers)

Data Denial-of-Service Attack20

InternetNAT/Firewall

◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)

Exploit higher priority of VoLTE signaling bearer

4G PS Gateway(aka. edge routers)

Data Denial-of-Service Attack21

InternetNAT/Firewall

◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)

Exploit higher priority of VoLTE signaling bearer

Delivery Priority

VoLTE Signaling Bearer Best Effort 1

Data Service Bearer Best Effort 6-9

Data Denial-of-Service Attack22

048

121620242832

0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60

Data Bearer VoLTE Signaling BearerThro

ughput

(Mbps)

X-th Second

0 Mbps

Inject Junk Data into VoLTE Voice Bearer23

Similar, but Seemingly More Secure24

4G PS Gateway(aka. edge routers)

Media

Gateway

VoLTE✗

Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer

But, voice bearer is designed for specific RTP/RTCP session (e.g., destIP, destPorts) – Such info is confidential (It varied with call and only delivered in encrypted VoLTE signaling messages)

4G LTE

Modem (chipset)

Insufficient VoLTE Voice Access Control

◻ #1: only dest. port# needed

Use fixed media gateway (dest. IP is fixed)

◻ #2: Sending data packets with correct port# is allowed

No access control in hardware

25

Har

dw

are

Android OSSoft

war

e

Apps IMS ClientVoLTE app(dialing)

Port# is Secret, but can be Easily Leaked

◻ Share same IP among voice and signaling bearersPort# matched, →VoLTE voice bearer Port# unmatched, →VoLTE signaling bearer

◻ Leaked through distinct behaviors caused by various QoS profiles

Guaranteed-Bit-Rate vs. High-Priority Best Effort

Low-rate voice traffic NOT affected by heavy VoLTE signaling

26

Delivery Priority

VoLTE Voice Bearer Guaranteed-Bit-Rate 2

VoLTE Signaling Bearer Best Effort 1

Infer RTP/RTCP Destination Ports27

Port Number (K)

One

Hop R

TT

(m

s)

0

100

200

300

0 9286 18571 27857 37143 46429 55714 65000

0

40

80

120

160

200

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Right-Port Min-RTT-for-Wrong-Port

x-th Run

One

Hop R

TT

(m

s)

Ports 64580, 64581

Voice DoS: Muted Call28

http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4

Root Causes & Recommended Solutions

◻ VoLTE standardsGrant the singaling bearer with priority but no speed limit.

◻ Carrier networksImprudent routing & charging ploices for VoLTE signaling

Fix: disable routing, enable VoLTE volume accounting

◻ Mobile DevicesLack access control at both software (improper permission) and hardware (missing)

Fix: VoLTE-specific permission, anomaly detection

29

Updates

◻ Report and work with 2 US carriers to fix problems

◻ Partial solutions in place (07/2015, 08/2015)

◻ US-IDisable routing to Non-VoLTE destination

Fixed: free data, overbilling, data DoS

Not fixed: voice DoS

◻ US-II

Limit the speed of Mobile-to-Mobile to 600 kbps

Fixed: data DoS

Not fixed: voice DoS, free data, overbilling

30

Conclusion

◻ VoLTE designed to carry voice can be exploited to carry data

Real threats: free data, overbilling, data DoS, voice DoS.

◻ Lessons at its early deploymentCarrier network, device OS, chipset vendors and standards

have room to improve

◻ New opportunity for mobile industry securityHardware-based Mobile Security

Require more close cooperation between various

parties…….

31

Thank you! Questions?

More details or updates about voice security in 4G LTE can be found in our UCLA-OSU cooperation project website