Insecurity of Voice Solution VoLTE in LTE Mobile...
Transcript of Insecurity of Voice Solution VoLTE in LTE Mobile...
Insecurity of Voice Solution VoLTE in LTE Mobile Networks
Chi-Yu Li1, Guan-Hua Tu1, Chunyi Peng 2,
Zengwen Yuan1, Yuanjie Li1, Songwu Lu1, Xinbing Wang3
1: University of California, Los Angeles; 2: The Ohio State University;
3: Shanghai Jiao Tong University
The first two authors equally contribute to this work.
Voice: Vital Carrier Service All Along2
30+ years support in cellular networks
Voice Evolved in 4G LTE
◻ Legacy voice solution: Circuit-Switched (CS)
Carrier-grade quality
◻ 4G LTE: Packet-switched (PS) only
3
Telephony
NetworkCS GatewayCircuit CircuitCircuit
4G PS Gateway(aka. edge routers)
Internet
?
4
Packet-switched
(PS) Core4G PS Gateway(aka. edge routers)
Internet
Telephony
Network
4G LTE PS Core
VoLTE Signaling Packets
VoLTE Voice Packets
Data Service Packets
Signaling
Servers
Media
Gateway
VoLTE
Voice over LTE (VoLTE): Carry Voice in Packets
How to provide “Carrier-Grade” Voice in VoLTE?
◻ Define “Bearer” with distinct QoS profile to deliver packets
5
Delivery Priority
VoLTE Voice Bearer Guaranteed-Bit-Rate 2
VoLTE Signaling Bearer Best Effort 1
(highest)
Data Service Bearer Best Effort 6-9
Packet-switched
(PS) Core4G PS Gateway(aka. edge routers)
Potential Security Threats in VoLTE6
4G PS Gateway(aka. edge routers)
Internet
If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?
#1: Carry “data” over VoLTE Signaling bearer?
Potential Security Threats in VoLTE7
4G PS Gateway(aka. edge routers)
Media
Gateway
VoLTE
If yes, authentic voice traffic will be blocked.
#2: Inject (junk) data into VoLTE voice bearer?
✗
Overview of Our Findings
◻ Data: Carry data over VoLTE signaling bearerFree data service
Higher-priority data service
Overbilling
Data Denial-of-Service
◻ Voice: Inject junk data into VoLTE voice bearerVoice Denial-of-Service (muted voice)
◻ Vulnerabilities from
VoLTE standards
Carrier networks
Mobile devices (software and hardware)
8
Carry Data in VoLTE Signaling Bearer9
Two Access Control at Device & Network10
4G PS Gateway(aka. edge routers)
Internet
Q1: [Device] Will the phone allow an app (user-space) to send data packets out into VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-VoLTE destinations (Internet)?
Har
dw
are
No Access Control on the Phone11
Android OS
615
Soft
war
e
Apps IMS ClientVoLTE app
(dialing)
4G LTE
Modem (chipset)
◻ #1: VoLTE signaling functions are implemented in IP-based software (Open to OS and apps)
A system app
IP for VoLTE
IP for Normal data
Har
dw
are
No Access Control on the Phone
◻ #2: No proper permission control to VoLTE Signaling network interface in OS (software)
Given IP, app (w/Internet permission) send packets
◻ #3: No access control in chipset (hardware)
12
Android OS
615
Soft
war
e
Apps IMS ClientVoLTE app
(dialing)
4G LTE
Modem (chipset)
IP for VoLTE
No Access Control in Network
◻ #4: Imprudent routing in network
Simply routing based on destination IP
US-I: Internet and Mobile ✔
US-II: Mobile ✔
13
4G PS Gateway(aka. edge routers)
Internet
Signaling
Servers
VoLTE
?✔
Finally, it works out!
◻ Mobile-to-Internet
Example: ping Google
14
4G-GW
Finally, it works out!
◻ Mobile-to-Internet
◻ Mobile-to-Mobile
VoLTE-to-VoLTE
VoLTE-to-PS
15
4G-GW
4G-GW
Free for VoLTE Signalings16
◻ VoLTE Signaling free of charges
Voice calls: charged by minutes
Signaling: no charges (usually small volume)
Validated in two US major carriers
◻ Rational, but exploited for free data access
Free Data Service: Skype as Demo 17
http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4
Free Data Service 18
0.
30.
60.
90.
120.
150.
180.
210.
240.
0 2 4 6 8 10 12 14 16
Uplink
Downlink
Source Rate (Mbps)
Fre
e D
ata
(M
B)
0.
100.
200.
300.
400.
500.
0 1 2 3 4 5 6 7 8 9 10
Uplink
Downlink
Time (Hours)
Fre
e D
ata
(M
B)
There exists NO signs of limit on the volume, throughput and duration for free data service
4G PS Gateway(aka. edge routers)
Overbilling Attack19
InternetNAT/Firewall
◻ Spamming via Mobile-to-Mobile (VoLTE-to-PS)
Bypass inbound traffic access control at border
$
4G PS Gateway(aka. edge routers)
Data Denial-of-Service Attack20
InternetNAT/Firewall
◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)
Exploit higher priority of VoLTE signaling bearer
4G PS Gateway(aka. edge routers)
Data Denial-of-Service Attack21
InternetNAT/Firewall
◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)
Exploit higher priority of VoLTE signaling bearer
Delivery Priority
VoLTE Signaling Bearer Best Effort 1
Data Service Bearer Best Effort 6-9
Data Denial-of-Service Attack22
048
121620242832
0 4 8 12 16 20 24 28 32 36 40 44 48 52 56 60
Data Bearer VoLTE Signaling BearerThro
ughput
(Mbps)
X-th Second
0 Mbps
Inject Junk Data into VoLTE Voice Bearer23
Similar, but Seemingly More Secure24
4G PS Gateway(aka. edge routers)
Media
Gateway
VoLTE✗
Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer
But, voice bearer is designed for specific RTP/RTCP session (e.g., destIP, destPorts) – Such info is confidential (It varied with call and only delivered in encrypted VoLTE signaling messages)
4G LTE
Modem (chipset)
Insufficient VoLTE Voice Access Control
◻ #1: only dest. port# needed
Use fixed media gateway (dest. IP is fixed)
◻ #2: Sending data packets with correct port# is allowed
No access control in hardware
25
Har
dw
are
Android OSSoft
war
e
Apps IMS ClientVoLTE app(dialing)
Port# is Secret, but can be Easily Leaked
◻ Share same IP among voice and signaling bearersPort# matched, →VoLTE voice bearer Port# unmatched, →VoLTE signaling bearer
◻ Leaked through distinct behaviors caused by various QoS profiles
Guaranteed-Bit-Rate vs. High-Priority Best Effort
Low-rate voice traffic NOT affected by heavy VoLTE signaling
26
Delivery Priority
VoLTE Voice Bearer Guaranteed-Bit-Rate 2
VoLTE Signaling Bearer Best Effort 1
Infer RTP/RTCP Destination Ports27
Port Number (K)
One
Hop R
TT
(m
s)
0
100
200
300
0 9286 18571 27857 37143 46429 55714 65000
0
40
80
120
160
200
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Right-Port Min-RTT-for-Wrong-Port
x-th Run
One
Hop R
TT
(m
s)
Ports 64580, 64581
Voice DoS: Muted Call28
http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4
Root Causes & Recommended Solutions
◻ VoLTE standardsGrant the singaling bearer with priority but no speed limit.
◻ Carrier networksImprudent routing & charging ploices for VoLTE signaling
Fix: disable routing, enable VoLTE volume accounting
◻ Mobile DevicesLack access control at both software (improper permission) and hardware (missing)
Fix: VoLTE-specific permission, anomaly detection
29
Updates
◻ Report and work with 2 US carriers to fix problems
◻ Partial solutions in place (07/2015, 08/2015)
◻ US-IDisable routing to Non-VoLTE destination
Fixed: free data, overbilling, data DoS
Not fixed: voice DoS
◻ US-II
Limit the speed of Mobile-to-Mobile to 600 kbps
Fixed: data DoS
Not fixed: voice DoS, free data, overbilling
30
Conclusion
◻ VoLTE designed to carry voice can be exploited to carry data
Real threats: free data, overbilling, data DoS, voice DoS.
◻ Lessons at its early deploymentCarrier network, device OS, chipset vendors and standards
have room to improve
◻ New opportunity for mobile industry securityHardware-based Mobile Security
Require more close cooperation between various
parties…….
31
Thank you! Questions?
More details or updates about voice security in 4G LTE can be found in our UCLA-OSU cooperation project website