July 2016 : Our SMS security has been accepted by CCS'16.
March 2016 : We released a Do-It-Yourself demo, HackCellular, which allows you to replay several attacks identified in our research projects. It would be fun to learn real threats in real networks. Surely, please attack against your own phone only!
Feb 2016 : We presented our new design VoLTE* at HotMobile'16, FL.
Nov 2015: we reported the vulnerability on SMS over LTE to the US carrier and Facebook. We also submitted the vulnerability to CERT. org, too.
Oct 2015: We made a CCS'15 presentation on VoLTE security.
July 2015: we have reported our VoLTE findings to two US carriers and worked with them to fix the problems.
T-Mobile: disabling free mobile-to-Internet and mobile-to-mobile access;
Verizon: limit the speed of mobile-to-mobile access via VoLTE (no larger than 700kbps).
This project investigate security implications of 4G LTE voice solutions: VoLTE (voice-over-LTE) and CSFB (circuit-switched Fallback). In this project, we seek to disclose whether both schemes might be harmful to mobile users and/or operators from a security perspective. If so, we aim to pinpoint their root causes, uncover the insights of insecurity and devise defenses that protect from such attacks.
Voice is a simple utility service, yet vital to both mobile operators and phone users. It has been a killer application to mobile networks for decades since its origin.
However, as the cellular infrastructure upgrades to Long Term Evolution (LTE), the fourth-generation (4G) mobile technology, voice service is inevitably going through its fast evolution.
LTE is packet-switched (PS)-only, all-IP based network. It completely abandons the circuit-switched (CS) design so that the legacy voice solution to 2G/3G networks is not supported over LTE. As a result, two voice solutions are proposed accordingly: CSFB (Circuit-Switched FallBack) and VoLTE (Voice over LTE). CSFB leverages the CS domain in the legacy 3G systems to support voice calls for LTE users. Whenever a call is made, CSFB transfers the call request from the 4G network to the 3G system. Once the call
completes, CSFB moves the phone back to the 4G network. In
contrast, VoLTE supports voice calls directly in the 4G system.
It leverages the Voice-over-IP (VoIP) solution over the Internet,
and still offers guaranteed Quality-of-Service (QoS) through
resource reservation in LTE networks.
While VoLTE is the ultimate voice solution to LTE, both voice solutions are foreseen to coexist in the long run.
CSFB leverages the deployed legacy system and works with most current phone models (whereas VoLTE requires
new phones). It thus offers a cost-effective, readily-accessible solution. As the most popular voice solution to date, CSFB
has been widely deployed or endorsed by most LTE carriers such as top global carriers (China Mobile, Vodafone, Bharti Airtel, Telefonica, AT&T, T-Mobile, to name a few). On the
other hand, VoLTE promises to be the ultimate solution though its current deployment is not as popular as CSFB. In US, a leading VoLTE market, three major operators (AT&T, T-Mobile and
Verizon) have started to launch VoLTE until late 2014. Its roll-out is on the way.
We examine whether VoLTE and CSFB exposes new and unexpected threats. Our study stems from a simple rule of thumb in that any major change is probably a source for insecurity. With the nontrivial changes from CS to PS in its core technology, VoLTE may interfere with other system components, thereby inducing new loopholes. For CSFB, it has to trigger 3G-4G handoff, which is originally designed to support mobility and universal coverage, but now is open to any caller, even without permission from the callee.
Threats from CSFB
CSFB exhibits two vulnerabilities of exposing 4G-3G network switch to adversaries. This can be
further exploited to launch ping-pong attacks where mobile users
may suffer from up to 91.5% performance downgrade, or 4G
denial-of-service (DoS) attacks where mobile users are deprived
of 4G LTE connectivity without their consent.
Threats from VoLTE
VoLTE can be exploited by the adversary to easily gain free data access, shut down continuing data
access, or subdue an ongoing call, etc.. It can be also used to manipulate the radio resource states of the
victim?s device in a silent call attack and thus consume unnecessary resource.
VoLTE makes it possible to carry data packets over VoLTE signaling channel.
While VoLTE intends to use PS packets to carry signaling messages,
it is never forbidden from turning PS data into VoLTE (signaling).
Similar to the data service that retains a bearer (i.e., IP connectivity),
VoLTE also has a signaling bearer for its control-plane
operation. As shown in Figures 2a and 2b, both need to first activate
a bearer and obtain an IP connectivity within the LTE network.
Afterwards, data packets can be delivered through this bearer once
any service starts. The device sets the source address as that allocated
by the 4G Gateway and the destination as the target host?s.
For VoLTE, upon any call request, SIP messages are exchanged between
the device and the IMS core through the signaling bearer. It
then on-demand invokes a voice bearer to carry conversation traffic
if the call is accepted. When the call ends, the voice bearer is
released. With the packet-carrying capability, it is feasible to carry any
data through the VoLTE signaling bearer under two vulnerabilities.
First, on the device side, there is no access control to prevent non-
VoLTE packets from being injected into the signaling bearer.
Second, on the network side, these injected packets are allowed to
pass by (e.g., routed to the destination by the 4G gateway).
This has been validated in two tier-1 US carriers. Moreover, with a distinct charging model, voice signaling messages are free and thus PS data over VoLTE signaling is free of charge!
Unsurprisingly, the VoLTE-exploited data access can obtain higher, yet underserved priority. This is because the high priority is assigned to provide
QoS for VoLTE. This hurts normal PS data services, particularly during network congestion.
Similarly, on VoLTE voice bearer, junk packets can be injected to overwhelm the bearer and thus mute the ongoing calls.
We devise proof-of-concept attacks as showcases, and demonstrate their
viability over operational LTE networks of Tier-1 US mobile carriers.
Threats from SMS over LTE
We identify one vulnerability in SMS over LTE.
We uncover SMS sender spoofing in certain 4G LTE networks.
Similar to VoLTE, SMS migrates from the circuit-switching technology to the full packet-switched design.
SMS are carried through Session Initiation Protocol (SIP) over IP and implemented by IP Multimedia Subsystem (IMS).
However, we uncover that some 4G LTE operators do not implement sufficient security mechanism so that SMS senderID can be spoofed. In particular, the operator does not implement network-layer or transport-layer security mechanisms to protect communication between mobile users and the IMS servers (e.g, IPSEC or TLS); instead, it uses the DIGEST for authentication (RFC3261). As a consequence, it becomes possible for an adversary to spoof SMS messages.
On the other hand, most mobile service providers take one-way communication model to use SMS to authenticate the operations.
For example, Facebook allows the user to send "like" to FBOOK(32665). Upon receiving it, Facebook will directly execute the operation of liking the page on "his/her" behalf. It will not check whether the SMS comes from the authentic users, but simply depending on the phone number.
As a result, this vulnerability can be exploited to launch an individual attack (one certain user spoofing) or a large-scale of attack (many-user spoofing).
Free Data Service via VoLTE
This demo used Skype video conferencing as an example and demonstrated that mobile users could get free Internet data access in 4G LTE networks, if the phone supports the latest VoLTE feature. This attack exploits the vulnerabilities in current VoLTE deployment in mobile carrier networks and mobile phones.
In this demo, Skype used 12.5MB in 1 minute but no data usage was charged (1MB gap caused by background traffic). It remained uncharged for 30 minutes.
Note: we have reported it to the carrier and now this attack has been fixed.
Voice DoS attack (muted voice) via VoLTE
This demo shows that VoLTE users will suffer voice-muted DoS attack during voice calls.
Initially, caller and callee can make a voice call through; Afterwards (likely after 2-10 seconds), no one can hear each other.
This attacks exploits the vulnerabilities in current VoLTE deployment in mobile carrier networks and mobile phones.
The malware app (in the user space, without extra permission) can inject spam packets into VoLTE voice bearer so that authentic voice traffic is discarded.
Hack Facebook Via SMS over LTE
This demo discloses three proof-of-concepts attacks on Facebook.
An attacker can "post" status, "like" a page, "add" a friend on Facebook on other's behalf without his/her consent. Namely, our FB account might be easily hijacked when an attacker sends SMS messages to FBOOK using spoofed sender ID in a contactless manner.
All-In-One Demo: HackCellular
We have developed an all-in-one-demo, called HackCellular, to replay identified threats in our recent work on your own phones. Source codes can be found in the link. The below is its video demo which records three attacks. The second and the third are Ping-pong attack and stuck-in-3G attack.
Due to security concerns, we do not release all the attacks to the public. Other attacks are available upon requests.
 How Voice Calls Affect Data in Operational LTE Networks
Guan-Hua Tu, Chunyi Peng, Hongyi Wang, Chi-Yu Li, Songwu Lu,
MobiCom'13, Miami, FL, USA, Sep. 2013.
Xiaohu Zhao (PhD student, OSU)
Note: Chi-Yu Li (Postdoc, 2014-2015, PhD, 2009-2014, UCLA), Zengwen Yuan (PhD Student, UCLA) and Yuanjie Li (PhD Student, UCLA) have participated in early work.
We gratefully acknowledge research support from NSF (CNS-1527613
and CNS-1528122) and the departmental support from OSU.
Any opinions, findings, and conclusions or recommendations expressed
in this material are those of the authors and do not necessarily
reflect the views of the National Science Foundation.