How secure are your VoLTE and VoWiFi calls?
Priya Chalakkal

About me: Priya Chalakkal
- ERNW GmbH, Heidelberg
- Loves telco, pcaps, binaries, logs, protocols and all security stuff in general.
- Completed Masters in Security and Privacy from TU Berlin and UNITN, Trento.

Agenda
- Introduction
- Fundamentals
- PART1: Attacks on OpenIMS (without IPSec)
- PART2: Attacks on real telecom providers (with IPSec)
- Demo
- Mitigation

Introduction - Telephony
Circuit Switched
- PSTN: Public Switched Telephone Networks
- Dedicated circuit ("channel")
- Roots tracked back to 1876
- Graham Bell got the first patent
Packet Switched
- Data sent as packets
- Protocol stack: TCP/IP
- E.g. the Internet
- For voice: VoIP

Introduction - VoIP

Introduction - VoLTE/VoWiFi
VoLTE:
- SK Telecom and LG U+, South Korea, 2012
- Vodafone Germany: VoLTE, March 2015
VoWiFi:
- Telekom Germany: VoWiFi, May 2016
- WiFi Calling


History of Mobile Communication
- GSM (2G)
  - Relies on circuit switching
  - Supports only voice and SMS
- GPRS
  - Circuit: voice and SMS
  - Packet: data
- UMTS (3G)
  - Similar to GPRS
  - Other network elements evolved

Voice and 4G
- LTE (4G): supports only packet switching
- Voice: VoLTE
- Circuit Switched Fall Back (CSFB)
  - For voice, fall back to circuit switched networks.
- Other approaches
  - Simultaneous voice and LTE, etc.

BACKGROUND
Source: Architecture Evolution

VoLTE Stack

IMS - IP Multimedia Subsystem
- Backend: IMS Core
  - IP Multimedia Subsystem
  - Call Session Control Functions (CSCF)
    - P-CSCF
    - S-CSCF
    - I-CSCF


IMS Signaling
SIP - Session Initiation Protocol
- Similar to HTTP (text based)
- TCP or UDP
- Contains SDP
  - Session Description Protocol
  - Describes the multimedia session
  - E.g. audio/video type

SIP call session


PART1: Attacking OpenIMS

Requirements
- OpenIMS
- SIP Proxy
- Viproy toolkit for Attack1
- IMS clients: twinkle (in Ubuntu), boghe (in Windows)


Attack modeling
- VoLTE and VoWiFi make use of SIP
- These are experimental tests on OpenIMS with desktop clients
- Mainly SIP header injection
- Without IPSec in any communication
- Both attacker and victim are registered users.

Attack1: MSRP fuzzing
- MSRP: protocol for the transmission of a series of related instant messages in the context of a communication session
- Evil sends fuzzed input in one of the MSRP header fields to Alice
  - a file-selector:name:"AAAAAAAAAAA "
- This is an automated test vector in the Viproy toolkit.

Result 1
- Crashes the IMS client of the receiver (the Boghe IMS client is used in this case)
- Neither IMS nor the client performed input validation.

Result1: MSRP fuzzing
Source: Fatih Ozavci - VoIP Wars: The Phreakers Awaken

Attack2: Location manipulation
- P-Access-Network-Info defines the user location in the access network
- Contains information such as:
  - Mobile Network Code (MNC)
  - Mobile Country Code (MCC)
  - Local Area Code (LAC)
  - Cell Identifier
- The attacker sends an INVITE request to Alice with a crafted location.

Result2
- Modified P-Access-Network-Info is accepted by IMS and sent to Alice
- No cross validation with HSS for user location.
- Can evade lawful interception techniques.
- NOT about privacy

Attack3: Roaming information
- P-Visited-Network-ID: header field that decides the access network that serves the user.
- Attacker sends a REGISTER request to IMS with a pre-added P-Visited-Network-ID header.

Result3
- P-CSCF just appends the network identity to the existing header field
- Attacker can use this to make his roaming calls appear as local calls
Output from S-CSCF packet dump:
P-Visited-Network-ID: open-ims fake.test, open-ims.test

Attack4: Extra header field
- SIP is an extensible protocol
  - Allows adding customized header fields
- Evil sends an INVITE request to Alice containing a custom header field X-Header

Result4
Source: ...ction/

More attack possibilities
- Spoofing
- Injection: XML, SQL, ...
- Denial of Service
- Fuzzing

Attacking OpenIMS summary
- 4 attacks on OpenIMS
  - MSRP fuzzing
  - User location manipulation
  - Roaming information manipulation
  - Extra header field injection
- These are Man in the End attacks
- Without IPSec

How to prevent tampering SIP attacks?
- Bring integrity protection?
- Can IPSec solve this?
- Many real telecom providers actually have IPSec in place.
- Can we still mess with SIP headers in real providers?


Requirements
- VoLTE/VoWiFi enabled SIM cards
- SIMTrace hardware
- VoLTE/VoWiFi enabled phones
- Wireshark with Gcrypt

Attack modeling
- Sniffing VoLTE: rmnet0, rmnet1
- Sniffing VoWiFi: epdg1, wlan0
- Sniffing ISIM interface using SIMTrace
- IPSec
  - ESP encapsulation for both VoLTE and VoWiFi
  - Integrity protection enabled for VoLTE/VoWiFi
  - Encryption for VoWiFi (only in wlan0)

ESP Packets

Test 1: Sniffing VoLTE/VoWiFi interfaces
- VoLTE: rmnet1/rmnet0
- VoWiFi:
  - epdg1: hidden virtual interface with non-encrypted traffic
  - wlan0: encrypted traffic
Sniffing the VoLTE interface (tcpdump runs on the phone and streams the capture through netcat to Wireshark on the laptop):
  adb shell "tcpdump -i rmnet1 -n -s 0 -w - | nc -l -p 11233"
  adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i -

VoLTE sniffing
VoWiFi sniffing

Observations
- No encryption in VoLTE
  - Only integrity with ESP
- Encryption in VoWiFi
- Hidden interface with non-encrypted traffic detected in VoWiFi

Results1: Information disclosures

- IMEI in SIP REGISTER (before authentication)
Contact: <sip:262011202xxxxxx@[x.x.x.x]:6000>;q=0.50;+g.3gpp.icsi-ref="";+g.3gpp.smsip;+sip.instance="<urn:gsma:imei:35490xxx-xxxxxx-0>"

- UTRAN Cell ID
  - Outgoing packets like SIP REGISTER, outgoing SIP INVITE and SIP SUBSCRIBE messages contain the location information
##FOR VOLTE
INVITE sip:[email protected] SIP/2.0
User-Agent: Samsung IMS/5
P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000001
Content-Length: 117
##FOR VOWIFI
...e-id=003a9axxxxxx

- IMEI of caller
  - The incoming SIP INVITE request contains a parameter that carries the IMEI number of the caller.
Accept-Contact: *;+sip.instance="<urn:gsma:imei:354xxxxx7xxxxxx-0>";+g.3gpp.icsi-ref=...

- IMSI of caller leaked
  - In the incoming SIP INVITE request
INVITE sip:262011202xxxx@[x.x.x.x]:6000 SIP/2.0

- Private IP of IMS
  - Found within SIP INVITE in incoming calls
To: <sip:[email protected]>
From: <sip:[email protected]>;tag=h7g4Esbg_mavodi-a-10b-3c-2-ffffffff_000050ED9CA4-1224-xxxx-xxxx

Test 2: ISIM sniffing for extracting CK/IK

ISIM sniffing with SIMTrace


GSM SIM traffic

What can we find here?
- AKA parameters
  - RAND: random challenge
  - AUTN: server authentication
- IPSec keys
  - IK: integrity key
  - CK: ciphering key

How to extract it?
- Wireshark dissector

Result2: Extracting IK/CK

Are the keys used in ESP?

Failed authentication

Set up SA with obtained IK

Success: Key validation

Summary: Testing UE
- Test1: Sniffing VoLTE/VoWiFi interfaces
  - Use case identification
  - Results: information disclosures like IMEI, IMSI, private IPs.
- Test2: ISIM sniffing with SIMTrace
  - Result: IK/CK
  - Wireshark dissector for extraction
  - Validation using Wireshark Gcrypt with authentication check in ESP

Simple demo of a SIP INVITE replay attack over the hidden non-IPSec channel

Final Summary
- Current implementations of VoLTE/VoWiFi make use of IPSec
- 4 experimental attacks on OpenIMS without IPSec
- Sniffing on VoLTE/VoWiFi interfaces with IPSec
  - Information disclosures identified
- ISIM sniffing with SIMTrace
  - Wireshark dissector
  - Extracted CK/IK
  - Verified obtained IK with Wireshark Gcrypt

Mitigation
- Never rely on user end security
- Traffic monitoring
  - In PDN gateways that perform deep packet inspection
  - Whitelist rules in place that determine the expected value in each SIP header field.
- Encryption
  - To protect against info disclosures
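The whitelist rules from the mitigation slide, applied to the header fields abused in Attacks 2 to 4 and to the IMEI disclosure from Results1, as an added example that is not part of the talk or of the OpenIMS/Viproy code; the allowed network identifier, the P-Access-Network-Info pattern, the size limit and the sample REGISTER are constructed assumptions.

```python
import re

# Policy values below are constructed for this example, not a provider's real rules.
ALLOWED_VISITED_NETWORKS = {"open-ims.test"}
PANI_RE = re.compile(r"^3GPP-(E-)?UTRAN-(FDD|TDD); utran-cell-id-3gpp=[0-9A-Fa-f]{7,28}$")
IMEI_RE = re.compile(r"urn:gsma:imei:[0-9x-]+")
MAX_VALUE_LEN = 256  # crude guard against fuzzed, oversized header values

def parse_sip(raw):
    """Split a SIP message into (request line, {lower-case name: [values]})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def check_sip(raw):
    """Apply the whitelist rules; return a list of findings (empty means clean)."""
    request_line, hdrs = parse_sip(raw)
    findings = []
    for name, values in hdrs.items():
        if name.startswith("x-"):  # Attack4: custom header forwarded to the callee
            findings.append(f"unexpected custom header {name}")
        for v in values:
            if len(v) > MAX_VALUE_LEN:  # Attack1-style oversized field
                findings.append(f"oversized value in {name} ({len(v)} bytes)")
    for v in hdrs.get("p-access-network-info", []):  # Attack2: crafted location
        if not PANI_RE.match(v):
            findings.append("malformed P-Access-Network-Info: " + v)
    # Attack3: the P-CSCF appends its own id, so two ids mean the UE pre-added one
    ids = [x.strip() for v in hdrs.get("p-visited-network-id", []) for x in v.split(",")]
    if len(ids) > 1:
        findings.append("multiple P-Visited-Network-ID values: " + ", ".join(ids))
    for x in ids:
        if x not in ALLOWED_VISITED_NETWORKS:
            findings.append("unknown visited network: " + x)
    if request_line.startswith("INVITE"):  # Results1: IMEI leaked to the callee
        for name in ("accept-contact", "contact"):
            for v in hdrs.get(name, []):
                m = IMEI_RE.search(v)
                if m:
                    findings.append(f"IMEI disclosed in {name}: {m.group()}")
    return findings

# Constructed REGISTER reproducing the Attack3 packet dump from the talk.
ROAMING_REGISTER = ("REGISTER sip:open-ims.test SIP/2.0\r\n"
                    "P-Visited-Network-ID: open-ims fake.test, open-ims.test\r\n\r\n")
```

A clean message returns an empty list, so the checker can sit in front of the S-CSCF and drop or log anything that produces findings.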

## IPTABLES ON ANDROID TO ROUTE TRAFFIC TO LAPTOP AND BACK
iptables -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
# The phone's own addresses on the VoLTE (rmnet1) and WiFi (wlan0) interfaces
RMNET=$(ip addr show dev rmnet1 | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}")
WLAN=$(ip addr show dev wlan0 | grep inet | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -v 255)
IMS=""   # address of the IMS (P-CSCF), to be filled in
MITM=""  # address of the laptop, to be filled in
# Phone -> laptop: redirect traffic destined for the IMS to the laptop over wlan0
iptables -t nat -A OUTPUT -d "$IMS" -j DNAT --to-destination "$MITM"
iptables -t nat -A POSTROUTING -o wlan0 -d "$MITM" -j SNAT --to-source "$WLAN"
# Laptop -> IMS: traffic returned by the laptop leaves via rmnet1 with the phone's address
iptables -t nat -A POSTROUTING -o rmnet1 -s "$MITM" -d "$IMS" -j SNAT --to-source "$RMNET"
iptables -t nat -L -vn

Questions?
White paper: Whitepaper 60 Practical Attacks On VoLTE And VoWiFi v1.0.pdf
Thanks to Hendrik, my l
www.insinuator.net
