Security

Dissecting VoLTE

Exploiting Free Data Channels and Security Problems
Newly adopted VoLTE requires changes in all associated parties, such as 3GPP standard, device, operating system, and cellular core networks. Therefore, it is not too surprising that it has security problems. However, it turns out that it has way too many problems. In this talk, we introduce how you can freely send data in the cellular network, and how an attacker can perform caller spoofing and denial of service attacks on calls to disable the target’s calling. Furthermore, we explain how small implementation glitch on VoLTE may lead to break the whole cellular network down.
Voice-over-LTE (VoLTE) is a newly adopted voice technology in the LTE network, whose functionality is similar to VoIP. Even though VoLTE works similar to VoIP, implementing it on the cellular network is not an easy problem because it needs many changes at each component of LTE. If these changes are not securely considered, this may lead to several security problems. In the legacy 3G network, as data and voice are separate, the accounting policies are also different: data is charged based on byte usage, and voice, on time usage. However, in VoLTE, even though voice is delivered as a packet, it is still charged by time usage. Therefore, this strange accounting policy might open free data channels. Another point is that voice signaling for VoLTE is not handled as in the legacy 3G network. Basically, a phone has two processors: an application processor (AP) which runs mobile OSes such as Android and a communication processor (CP) which manages digital signal processing and radio access. In 3G, voice signaling is handled in CP which makes an attacker hard to manipulate it. However, in VoLTE, because voice signaling is handled in AP, an attacker can easily analyze or modify the call flow. Furthermore, this new change can cause problems to the mobile OS. To scrutinize these two points, we analyzed 5 operators, two in the U.S and three in South Korea. As a result, we found four free data channels. For free data channels, an attacker can inject data in the call signaling procedure or voice data transmission. Additionally, the attacker can freely send data to the Internet or to another phone in the cellular network through the VoLTE interface. Furthermore, we discovered five security problems which include no encryption of voice packets, no authentication of call signaling, no call session management, IMS bypassing, and permission model mismatch in Android. We responsibly disclosed all the vulnerabilities to US/KR CERTs and Google in May. We suggest mitigations for each vulnerability, and further propose possible attack vectors that researchers can study on.

Additional information

Type lecture
Language English

More sessions

12/27/15
Security
Joanna Rutkowska
Hall 2
Can we build trustworthy client systems on x86 hardware? What are the main challenges? What can we do about them, realistically? Is there anything we can?
12/27/15
Security
Hall 6
Unser Vortrag demonstriert einen PLC-only Wurm. Der PLC-Wurm kann selbstständig ein Netzwerk nach Siemens Simatic S7-1200 Geräten in den Versionen 1 bis 3 durchsuchen und diese befallen. Hierzu ist keine Unterstützung durch PCs oder Server erforderlich. Der Wurm „lebt“ ausschließlich in den PLCs.
12/27/15
Security
Hall 2
Dr. Peter Laackmann und Marcus Janke zeigen mit einem tiefen Einblick in die Welt der Hardware-Trojaner, auf welchem Wege „Institutionen“ versuchen können, sich versteckten Zugang zu Sicherheits-Hardware zu verschaffen.
12/27/15
Security
Yaniv Balmas
Hall G
Key-Loggers are cool, really cool. It seems, however, that every conceivable aspect of key-logging has already been covered: from physical devices to hooking techniques. What possible innovation could be left in this field?
12/27/15
Security
Ilja van Sprundel
Hall 2
This presentation covers windows kernel driver security issues. It'll discuss some background, and then give an overview of the most common issues seen in drivers, covering both finding and fixing issues.
12/27/15
Security
Alexander Graf
Hall 2
Did you ever want to have access to a few hundred thousand network end points? Or a few hundred thousand phone numbers? A short look behind the curtains of how not to do network security.
12/27/15
Security
Hall 1
For years SCADA StrangeLove team speaks about vulnerabilities in Industrial Control Systems. Now we want to show by example of railway the link between information security and industrial safety and demonstrate how a root access gained in a few minutes can bring to naught all the years of efforts that were devoted to the improvement of fail-safety and reliability of the ICS system. Railroads is a complex systems and process automation is used in different areas: to control power, switches, ...