Insecurity of Voice Solution VoLTE in LTE Mobile Networks (Chi-Yu Li et al., presentation slides)

SLIDE 1

Insecurity of Voice Solution VoLTE in LTE Mobile Networks

Chi-Yu Li¹, Guan-Hua Tu¹, Chunyi Peng², Zengwen Yuan¹, Yuanjie Li¹, Songwu Lu¹, Xinbing Wang³

¹ University of California, Los Angeles; ² The Ohio State University; ³ Shanghai Jiao Tong University

The first two authors contributed equally to this work.

SLIDE 2

Voice: Vital Carrier Service All Along

30+ years of support in cellular networks

SLIDE 3

Voice Evolved in 4G LTE

◻ Legacy voice solution: Circuit-Switched (CS)
  Carrier-grade quality
◻ 4G LTE: Packet-switched (PS) only

[Diagram labels: Telephony Network, CS Gateway, Circuit, 4G PS Gateway (a.k.a. edge routers), Internet, "?"]

SLIDE 4

Voice over LTE (VoLTE): Carry Voice in Packets

[Diagram labels: 4G LTE PS Core, 4G PS Gateway (a.k.a. edge routers), Internet, Telephony Network, Signaling Servers, Media Gateway, VoLTE; legend: VoLTE Signaling Packets, VoLTE Voice Packets, Data Service Packets]

SLIDE 5

How to provide “Carrier-Grade” Voice in VoLTE?

◻ Define “Bearer” with distinct QoS profile to deliver packets

Bearer                   Delivery              Priority
VoLTE Voice Bearer       Guaranteed-Bit-Rate   2
VoLTE Signaling Bearer   Best Effort           1 (highest)
Data Service Bearer      Best Effort           6-9

[Diagram labels: Packet-switched (PS) Core, 4G PS Gateway (a.k.a. edge routers)]

SLIDE 6

Potential Security Threats in VoLTE

#1: Carry “data” over VoLTE Signaling bearer?
If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet]

SLIDE 7

Potential Security Threats in VoLTE

#2: Inject (junk) data into VoLTE voice bearer?
If yes, authentic voice traffic will be blocked.

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Media Gateway, VoLTE]

SLIDE 8

Overview of Our Findings

◻ Data: Carry data over VoLTE signaling bearer
  Free data service
  Higher-priority data service
  Overbilling
  Data Denial-of-Service
◻ Voice: Inject junk data into VoLTE voice bearer
  Voice Denial-of-Service (muted voice)
◻ Vulnerabilities from
  VoLTE standards
  Carrier networks
  Mobile devices (software and hardware)

SLIDE 9

Carry Data in VoLTE Signaling Bearer

SLIDE 10

Two Access Controls at Device & Network

Q1: [Device] Will the phone allow an app (user-space) to send data packets out into the VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over the VoLTE signaling bearer to non-VoLTE destinations (Internet)?

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet]

SLIDE 11

No Access Control on the Phone

◻ #1: VoLTE signaling functions are implemented in IP-based software (Open to OS and apps)

[Diagram labels: Software: Apps, VoLTE app (dialing), IMS Client (a system app), Android OS; Hardware: 4G LTE Modem (chipset), 615; IP for VoLTE; IP for Normal data]

SLIDE 12

No Access Control on the Phone

◻ #2: No proper permission control to VoLTE signaling network interface in OS (software)
  Given the IP, an app (with Internet permission) can send packets
◻ #3: No access control in chipset (hardware)

[Diagram labels: Software: Apps, VoLTE app (dialing), IMS Client, Android OS; Hardware: 4G LTE Modem (chipset), 615; IP for VoLTE]

SLIDE 13

No Access Control in Network

◻ #4: Imprudent routing in network
  Simply routing based on destination IP
  US-I: Internet and Mobile ✔
  US-II: Mobile ✔

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet, Signaling Servers, VoLTE]

SLIDE 14

Finally, it works out!

◻ Mobile-to-Internet
  Example: ping Google

[Diagram labels: 4G-GW]

SLIDE 15

Finally, it works out!

◻ Mobile-to-Internet
◻ Mobile-to-Mobile
  VoLTE-to-VoLTE
  VoLTE-to-PS

[Diagram labels: 4G-GW, 4G-GW]

SLIDE 16

Free for VoLTE Signaling

◻ VoLTE signaling is free of charge
  Voice calls: charged by the minute
  Signaling: no charges (usually small volume)
  Validated in two major US carriers
◻ Rational, but exploited for free data access

SLIDE 17

Free Data Service: Skype as Demo

http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4

SLIDE 18

Free Data Service

[Plots: Free Data (MB) vs. Source Rate (Mbps), and Free Data (MB) vs. Time (Hours), each with Uplink and Downlink series]

There are NO signs of a limit on the volume, throughput, or duration of the free data service

SLIDE 19

Overbilling Attack

◻ Spamming via Mobile-to-Mobile (VoLTE-to-PS)
  Bypass inbound traffic access control at border

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet, NAT/Firewall, $]

SLIDE 20

Data Denial-of-Service Attack

◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)
  Exploit higher priority of VoLTE signaling bearer

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet, NAT/Firewall]

SLIDE 21

Data Denial-of-Service Attack

◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE)
  Exploit higher priority of VoLTE signaling bearer

Bearer                   Delivery      Priority
VoLTE Signaling Bearer   Best Effort   1
Data Service Bearer      Best Effort   6-9

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Internet, NAT/Firewall]

SLIDE 22

Data Denial-of-Service Attack

[Plot: Throughput (Mbps) vs. X-th Second, series Data Bearer and VoLTE Signaling Bearer; annotation: 0 Mbps]

SLIDE 23

Inject Junk Data into VoLTE Voice Bearer

SLIDE 24

Similar, but Seemingly More Secure

Inject (junk) data packets into the VoLTE voice bearer, as with the VoLTE signaling bearer
But the voice bearer is designed for a specific RTP/RTCP session (e.g., destIP, destPorts)
  Such info is confidential (it varies with each call and is only delivered in encrypted VoLTE signaling messages)

[Diagram labels: 4G PS Gateway (a.k.a. edge routers), Media Gateway, VoLTE]

SLIDE 25

Insufficient VoLTE Voice Access Control

◻ #1: only dest. port# needed
  Use fixed media gateway (dest. IP is fixed)
◻ #2: Sending data packets with correct port# is allowed
  No access control in hardware

[Diagram labels: Software: Apps, VoLTE app (dialing), IMS Client, Android OS; Hardware: 4G LTE Modem (chipset)]

SLIDE 26

Port# is Secret, but can be Easily Leaked

◻ Share same IP among voice and signaling bearers
  Port# matched → VoLTE voice bearer
  Port# unmatched → VoLTE signaling bearer
◻ Leaked through distinct behaviors caused by various QoS profiles
  Guaranteed-Bit-Rate vs. High-Priority Best Effort
  Low-rate voice traffic NOT affected by heavy VoLTE signaling

Bearer                   Delivery              Priority
VoLTE Voice Bearer       Guaranteed-Bit-Rate   2
VoLTE Signaling Bearer   Best Effort           1

SLIDE 27

Infer RTP/RTCP Destination Ports

[Plots: One Hop RTT (ms) vs. Port Number (K); One Hop RTT (ms) vs. x-th Run, series Right-Port and Min-RTT-for-Wrong-Port]

Ports 64580, 64581

SLIDE 28

Voice DoS: Muted Call

http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4

SLIDE 29

Root Causes & Recommended Solutions

◻ VoLTE standards
  Grant the signaling bearer priority but no speed limit.
◻ Carrier networks
  Imprudent routing & charging policies for VoLTE signaling
  Fix: disable routing, enable VoLTE volume accounting
◻ Mobile Devices
  Lack access control at both software (improper permission) and hardware (missing)
  Fix: VoLTE-specific permission, anomaly detection

SLIDE 30

Updates

◻ Report and work with 2 US carriers to fix problems
◻ Partial solutions in place (07/2015, 08/2015)
◻ US-I
  Disable routing to Non-VoLTE destination
  Fixed: free data, overbilling, data DoS
  Not fixed: voice DoS
◻ US-II
  Limit the speed of Mobile-to-Mobile to 600 kbps
  Fixed: data DoS
  Not fixed: voice DoS, free data, overbilling
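The carrier-side fixes named in these slides (disable routing of signaling-bearer traffic to non-VoLTE destinations, and account for VoLTE signaling volume) applied to constructed flow records. This is an added example, not code from the presentation or from any carrier; the record layout, the signaling-server prefix and the per-subscriber byte budget are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the slides): the signaling-server prefix and the
# per-subscriber signaling budget below are hypothetical values.
SIGNALING_SERVERS = ip_network("10.20.0.0/28")   # constructed prefix for VoLTE signaling servers
MAX_SIGNALING_BYTES = 200_000                    # constructed per-window budget

# Constructed sample flow records: (subscriber, bearer, dst_ip, bytes)
FLOWS = [
    ("sub-A", "signaling", "10.20.0.5", 4_200),          # normal signaling
    ("sub-A", "data", "203.0.113.10", 900_000),          # normal, charged data
    ("sub-B", "signaling", "203.0.113.10", 52_000_000),  # Internet destination on signaling bearer
    ("sub-C", "signaling", "10.30.7.9", 1_500),          # another mobile on signaling bearer
    ("sub-D", "signaling", "10.20.0.5", 350_000),        # valid destination, abnormal volume
]

def gateway_allows(bearer, dst_ip):
    """Routing fix: signaling-bearer packets are forwarded only to signaling servers."""
    if bearer != "signaling":
        return True  # other bearers follow their own policy, out of scope here
    return ip_address(dst_ip) in SIGNALING_SERVERS

def audit(flows):
    """Return (dropped flows, signaling bytes per subscriber, subscribers over budget)."""
    dropped, volume = [], defaultdict(int)
    for sub, bearer, dst, nbytes in flows:
        if not gateway_allows(bearer, dst):
            dropped.append((sub, dst))   # never routed, so never delivered or billed
            continue
        if bearer == "signaling":
            volume[sub] += nbytes        # volume accounting on the "free" bearer
    over = sorted(s for s, v in volume.items() if v > MAX_SIGNALING_BYTES)
    return dropped, dict(volume), over

if __name__ == "__main__":
    dropped, volume, over = audit(FLOWS)
    print("dropped:", dropped)
    print("signaling volume:", volume)
    print("over budget:", over)
```

As the US-I entry above reports, a destination restriction of this kind leaves voice DoS unaddressed, because that traffic rides the voice bearer toward the media gateway rather than the signaling bearer.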

SLIDE 31

Conclusion

◻ VoLTE designed to carry voice can be exploited to carry data
  Real threats: free data, overbilling, data DoS, voice DoS.
◻ Lessons at its early deployment
  Carrier network, device OS, chipset vendors and standards have room to improve
◻ New opportunity for mobile industry security
  Hardware-based Mobile Security
  Requires closer cooperation between various parties

SLIDE 32

Thank you! Questions?

More details or updates about voice security in 4G LTE can be found on our UCLA-OSU cooperation project website