
Transcription
How secure are your VoLTE and VoWiFi calls?
Priya Chalakkal

About me: Priya Chalakkal
o ERNW GmbH, Heidelberg
o Loves telco, pcaps, binaries, logs, protocols and all security stuff in general.
o Completed Masters in Security and Privacy from TU Berlin and UNITN, Trento.
o https://priyachalakkal.wordpress.com/
o https://insinuator.net/

Agenda
o Introduction
o Fundamentals
o PART 1: Attacks on OpenIMS (without IPSec)
o PART 2: Attacks on real telecom providers (with IPSec)
o Demo
o Mitigation
Introduction - Telephony
o Circuit Switched
  o PSTN: Public Switched Telephone Network
  o Dedicated circuit – "channel"
  o Roots tracked back to 1876
  o Graham Bell got the first patent
o Packet Switched
  o Data sent as packets
  o Protocol stack: TCP/IP
  o Eg:- Internet
  o For voice - VoIP

Introduction - VoIP

Introduction – VoLTE/VoWiFi
o VoLTE
  o SK Telecom and LG U+, South Korea – 2012
  o Vodafone Germany – VoLTE – March 2015
o VoWiFi
  o Telekom Germany – VoWiFi – May 2016
  o WiFi Calling
FUNDAMENTALS

History of Mobile Communication
o GSM (2G)
  o Relies on circuit switching
  o Supports only voice and SMS
o GPRS
  o Circuit – voice and SMS
  o Packet – data
o UMTS (3G)
  o Similar to GPRS
  o Other network elements evolved

Voice and 4G
o LTE (4G): supports only packet switching
o Voice - VoLTE
o Circuit Switched Fall Back (CSFB)
  o For voice, fall back to circuit switched networks.
o Other approaches
  o Simultaneous voice and LTE, etc.
BACKGROUND
Source: https://en.wikipedia.org/wiki/System_Architecture_Evolution
VoLTE Stack

IMS – IP Multimedia Subsystem
o Backend: IMS Core
  o IP Multimedia Subsystem
  o Call Session Control Functions (CSCF)
    o P-CSCF
    o S-CSCF
    o I-CSCF

IMS

IMS Signaling
o SIP - Session Initiation Protocol
  o Similar to HTTP (text based)
  o TCP or UDP
  o Contains SDP
    o Session Description Protocol
    o Describes the multimedia session
    o Eg:- audio/video type

SIP call session
PART 1: Attacking OpenIMS

Requirements
o OpenIMS
o SIP Proxy
o Viproy toolkit for Attack 1
o IMS clients – twinkle (in Ubuntu), boghe (in Windows)
Attack modeling
o VoLTE and VoWiFi make use of SIP
o These are experimental tests on OpenIMS with desktop clients
o Mainly SIP header injection
o Without IPSec in any communication
o Both attacker and victim are registered users.

Attack 1: MSRP fuzzing
o MSRP – protocol for transmission of a series of related instant messages in the context of a communication session
o Evil sends fuzzed input in one of the MSRP header fields to Alice
  o a=file-selector:name:"AAAAAAAAAAA "
o This is an automated test vector in the Viproy toolkit.

Result 1
o Crashes the IMS client of the receiver (Boghe IMS client is used in this case)
o Neither IMS nor the client performed input validation.

Result 1: MSRP fuzzing
Source: Fatih Ozvaci - VoIP Wars: The Phreakers Awaken
Attack 2: Location manipulation
o P-Access-Network-Info - defines the user location in the access network
o Contains information such as:
  o Mobile Network Code (MNC)
  o Mobile Country Code (MCC)
  o Location Area Code (LAC)
  o Cell Identifier
o The attacker sends an INVITE request to Alice with a crafted location.

Result 2
o Modified P-Access-Network-Info is accepted by IMS and sent to Alice
o No cross validation with HSS for user location.
o Can evade lawful interception techniques.
o NOT about privacy

Attack 3: Roaming information
o P-Visited-Network-ID: header field that identifies the access network that serves the user.
o Attacker sends a REGISTER request to IMS with a pre-added P-Visited-Network-ID header.

Result 3
o P-CSCF just appends the network identity to the existing header field
o Attacker can use this to make his roaming calls appear as local calls
o Output from S-CSCF packet dump:
  P-Visited-Network-ID: open-ims fake.test, open-ims.test
Attack 4: Extra header field
o SIP is an extensible protocol
  o Allows adding customized header fields
o Evil sends an INVITE request to Alice containing a custom header field X-Header

Result 4
Source ction/

More attack possibilities
o Spoofing
o Injection – XML, SQL, ...
o Denial of Service
o Fuzzing

Attacking OpenIMS summary
o 4 attacks on OpenIMS
  o MSRP fuzzing
  o User location manipulation
  o Roaming information manipulation
  o Extra header field injection
o These are Man in the End attacks
o Without IPSec

How to prevent tampering SIP attacks?
o Bring integrity protection?
o Can IPSec solve this?
o Many real telecom providers actually have IPSec in place.
o Can we still mess with SIP headers in real providers?

PART 2: ATTACKING TELECOM PROVIDERS
Requirements
o VoLTE/VoWiFi enabled SIM cards
o SIMtrace hardware
o VoLTE/VoWiFi enabled phones
o Wireshark – Gcrypt
http://shop.sysmocom.de/products/simtrace

Attack modeling
o Sniffing VoLTE – rmnet0, rmnet1
o Sniffing VoWiFi – epdg1, wlan0
o Sniffing ISIM interface using SIMtrace
o IPSec
  o ESP encapsulation for both VoLTE and VoWiFi
  o Integrity protection enabled for VoLTE/VoWiFi
  o Encryption for VoWiFi (only in wlan0)

ESP Packets
Test 1: Sniffing VoLTE/VoWiFi interfaces
o VoLTE – rmnet1/rmnet0
o VoWiFi –
  o epdg1 – hidden virtual interface with non-encrypted traffic
  o wlan0 – encrypted traffic
Sniffing VoLTE interface:
  # on the phone (root): write the rmnet1 capture to a local netcat listener
  adb shell "tcpdump -i rmnet1 -n -s 0 -w - | nc -l 127.0.0.1 -p 11233"
  # on the laptop: forward the port and stream the pcap straight into Wireshark
  adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i -

VoLTE sniffing
VoWiFi sniffing

Observations
o No encryption in VoLTE
  o Only integrity with ESP
o Encryption in VoWiFi
o Hidden interface with non-encrypted traffic detected in VoWiFi
Results 1: Information disclosures

o IMEI in SIP REGISTER (before authentication)
  Contact: <sip:262011202xxxxxx@[x.x.x.x]:6000>;q=0.50;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.xxx";+g.3gpp.smsip;+sip.instance="<urn:gsma:imei:35490xxx-xxxxxx-0>"

o UTRAN Cell ID
  o Outgoing packets like SIP REGISTER, outgoing SIP INVITE and SIP SUBSCRIBE messages contain the location information
  ##FOR VOLTE
  INVITE sip:[email protected] SIP/2.0
  User-Agent: Samsung IMS/5
  P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000001
  Content-Length: 117
  ##FOR e-id 003a9axxxxxx

o IMEI of caller
  o The incoming SIP INVITE request contains a parameter with the IMEI number of the caller.
  Accept-Contact: *;+sip.instance="<urn:gsma:imei:354xxxxx7xxxxxx-0>";+g.3gpp.icsi-ref ire

o IMSI of caller leaked
  o In the incoming SIP INVITE request
  INVITE sip:262011202xxxx@[x.x.x.x]:6000 SIP/2.0

o Private IP of IMS
  o Found within SIP INVITE in incoming calls
  To: sip:[email protected]
  From: sip:[email protected];tag=h7g4Esbg_mavodi-a-10b-3c-2-ffffffff_000050ED9CA4-1224-xxxx-xxxx
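The identifiers listed above can be pulled out of a capture automatically. The script below is an added example (not code from the talk or from ERNW): it runs that extraction over two constructed SIP messages modelled on the redacted REGISTER and INVITE shown above. Every IMSI, IMEI, address, phone number and the ICSI value in the samples is made up; the home-network domain form ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org follows 3GPP TS 23.003, and the IMEI URN form follows RFC 7254.

```python
import ipaddress
import re

# Constructed sample captures modelled on the redacted REGISTER and INVITE from
# the slides. Every identifier, address and number here is made up; none of
# them are values from the talk or from a real subscriber.
SAMPLE_REGISTER = (
    "REGISTER sip:ims.mnc001.mcc262.3gppnetwork.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:6000;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:262010123456789@ims.mnc001.mcc262.3gppnetwork.org>;tag=1928301774\r\n"
    "To: <sip:262010123456789@ims.mnc001.mcc262.3gppnetwork.org>\r\n"
    "Contact: <sip:262010123456789@10.20.30.40:6000>;q=0.50;"
    '+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel";'
    '+g.3gpp.smsip;+sip.instance="<urn:gsma:imei:35490100-123456-0>"\r\n'
    "P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000001\r\n"
    "Content-Length: 0\r\n\r\n"
)

SAMPLE_INVITE = (
    "INVITE sip:262010123456789@10.20.30.40:6000 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:+491700000001@ims.mnc001.mcc262.3gppnetwork.org>;"
    "tag=h7g4Esbg_mavodi-a-10b-3c-2-ffffffff_000050ED9CA4-1224-0000-0001\r\n"
    "To: <sip:+491700000002@ims.mnc001.mcc262.3gppnetwork.org>\r\n"
    'Accept-Contact: *;+sip.instance="<urn:gsma:imei:35412345-678901-0>";'
    '+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# sip.instance carries the IMEI as a GSMA URN (RFC 7254): TAC-SNR-spare.
IMEI_RE = re.compile(r"urn:gsma:imei:(\d{8}-\d{6}-\d)")
# IMSI-based SIP URIs use the bare IMSI (up to 15 digits) as user part; this is
# a heuristic and will also pick up a 14/15-digit number without a leading '+'.
IMSI_RE = re.compile(r"sip:(\d{14,15})@")
# Cell identity from P-Access-Network-Info (the location leak from the slides).
CELL_RE = re.compile(r"^P-Access-Network-Info:.*?utran-cell-id-3gpp=([0-9A-Fa-f]+)",
                     re.M | re.I)
# Home network domain (TS 23.003): ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org
HOME_RE = re.compile(r"mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _private(ip: str) -> bool:
    """RFC 1918 / non-routable address, i.e. core-network internals."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:  # the loose regex also matches things like 999.1.1.1
        return False


def extract_identifiers(raw: str) -> dict:
    """Return the identifiers a passive observer can read from one SIP message."""
    found = {
        "imei": sorted(set(IMEI_RE.findall(raw))),
        "imsi": sorted(set(IMSI_RE.findall(raw))),
        "cell_id": CELL_RE.findall(raw),
        "private_ips": sorted({ip for ip in IPV4_RE.findall(raw) if _private(ip)}),
    }
    m = HOME_RE.search(raw)
    if m:
        found["mnc"], found["mcc"] = m.group(1), m.group(2)
    return found


def leak_report(messages: dict) -> list:
    """One finding per (message, identifier class) that should not be readable on the wire."""
    lines = []
    for name, raw in messages.items():
        ids = extract_identifiers(raw)
        for key in ("imei", "imsi", "cell_id", "private_ips"):
            if ids[key]:
                lines.append(f"{name}: {key} disclosed: {', '.join(ids[key])}")
    return lines


if __name__ == "__main__":
    for line in leak_report({"REGISTER": SAMPLE_REGISTER, "INVITE": SAMPLE_INVITE}):
        print(line)
```

Run it against real traffic by feeding each reassembled SIP message (e.g. exported from Wireshark's epdg1 or rmnet1 capture) to extract_identifiers; anything the report lists is what an observer on the unencrypted VoLTE path or the hidden epdg1 interface gets for free.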
Test 2: ISIM sniffing for extracting CK/IK

ISIM sniffing with SIMtrace

Security protocol: EAP-AKA

GSM SIM traffic

What can we find here?
o AKA parameters
  o RAND – random challenge
  o AUTN – server authentication
o IPSec keys
  o IK – integrity key
  o CK – ciphering key

How to extract it?
o Wireshark dissector

Result 2: Extracting IK/CK

Are the keys used in ESP?

Failed authentication

Set up SA with obtained IK

Success: Key validation
Summary: Testing UE
o Test 1: Sniffing VoLTE/VoWiFi interfaces
  o Use case identification
  o Results: Information disclosures like IMEI, IMSI, private IPs.
o Test 2: ISIM sniffing with SIMtrace
  o Result: IK/CK
  o Wireshark dissector for extraction
  o Validation using Wireshark Gcrypt with authentication check in ESP
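What "set up SA with obtained IK" and "key validation" amount to is recomputing the ESP integrity check value with the sniffed IK and comparing it with the one on the wire. The following is an added example (not the talk's tooling, which used Wireshark with Gcrypt): a Python model of integrity-only ESP as used for IMS signalling, with the IK-to-ESP-key mapping from 3GPP TS 33.203 (HMAC-MD5-96 uses IK directly; HMAC-SHA-1-96 appends 32 zero bits to the 128-bit IK). The IK, SPI, sequence number and inner data are constructed; nothing here is a real key or capture.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12                       # both IMS transforms truncate the HMAC to 96 bits
ESP_HDR = struct.Struct("!II")     # SPI, sequence number (RFC 4303)


def esp_auth_key(ik: bytes, algo: str) -> bytes:
    """Map the 128-bit IK from AKA to the ESP authentication key (3GPP TS 33.203):
    HMAC-MD5-96 uses IK as is, HMAC-SHA-1-96 uses IK || 0x00000000 (160 bits)."""
    if len(ik) != 16:
        raise ValueError("IK must be 128 bits")
    if algo == "hmac-md5-96":
        return ik
    if algo == "hmac-sha1-96":
        return ik + b"\x00" * 4
    raise ValueError(f"unsupported transform {algo}")


def _icv(key: bytes, data: bytes, algo: str) -> bytes:
    digest = hashlib.md5 if algo == "hmac-md5-96" else hashlib.sha1
    return hmac.new(key, data, digest).digest()[:ICV_LEN]


def esp_null_trailer(data: bytes, next_header: int) -> bytes:
    """Pad to a 4-byte boundary and append Pad Length and Next Header (ESP_NULL)."""
    pad_len = (-(len(data) + 2)) % 4
    return data + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def build_esp(spi: int, seq: int, payload: bytes, ik: bytes, algo: str) -> bytes:
    """Integrity-only ESP as seen on rmnet1: header || payload+trailer || ICV.
    The ICV covers everything before it, exactly what verify_esp recomputes."""
    body = ESP_HDR.pack(spi, seq) + payload
    return body + _icv(esp_auth_key(ik, algo), body, algo)


def verify_esp(packet: bytes, ik: bytes, algo: str) -> bool:
    """The check Wireshark does with 'Attempt to check ESP authentication' enabled."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        return False
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(_icv(esp_auth_key(ik, algo), body, algo), icv)


def parse_esp(packet: bytes):
    """Return (spi, seq, inner data, next header) of an ESP_NULL packet.
    The ICV is not checked here; call verify_esp first."""
    spi, seq = ESP_HDR.unpack_from(packet)
    plain = packet[ESP_HDR.size:-ICV_LEN]
    pad_len, next_header = plain[-2], plain[-1]
    return spi, seq, plain[: len(plain) - 2 - pad_len], next_header


def demo() -> dict:
    """Reproduce the two slides: wrong key -> failed authentication, sniffed IK -> success."""
    ik = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed IK, not a sniffed one
    inner = b"REGISTER sip:ims.example SIP/2.0\r\n"       # stands in for the UDP segment
    pkt = build_esp(0x00001234, 1, esp_null_trailer(inner, 17), ik, "hmac-sha1-96")
    return {
        "wrong_key": verify_esp(pkt, bytes(16), "hmac-sha1-96"),
        "sniffed_ik": verify_esp(pkt, ik, "hmac-sha1-96"),
    }


if __name__ == "__main__":
    print(demo())
```

Which of the two transforms a provider negotiated is visible in the Security-Client / Security-Server header exchange of the SIP REGISTER, so the right algo argument can be read from the same capture; a mismatch shows up as exactly the "failed authentication" case above.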
Simple demo of a replay attack of SIP INVITE in a hidden non-IPSec channel

Final Summary
o Current implementations of VoLTE/VoWiFi make use of IPSec
o 4 experimental attacks on OpenIMS without IPSec
o Sniffing on VoLTE/VoWiFi interfaces with IPSec
  o Information disclosures identified
o ISIM sniffing with SIMtrace
  o Wireshark dissector
  o Extracted CK/IK
  o Verified obtained IK with Wireshark Gcrypt
Mitigation
o Never rely on security at the user end (the UE/client)
o Traffic monitoring
  o In PDN gateways that perform deep packet inspection
  o Whitelist rules in place that determine the expected value in each SIP header field.
o Encryption
  o To protect against information disclosures
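The whitelist rule above is what the P-CSCF was missing in Attacks 2, 3 and 4 of Part 1. The following is an added example (neither OpenIMS code nor the talk's): a Python model of how a P-CSCF handles a REGISTER that carries a pre-added P-Visited-Network-ID, a crafted P-Access-Network-Info and a custom X-Header. pcscf_naive reproduces Result 3 (the proxy appends its own identity to the attacker's value); pcscf_hardened drops every network-set P- header the UE supplied, re-inserts trusted values and applies the whitelist. The REGISTER, the policy values (visited network open-ims.test, MCC/MNC prefix 26201, the network-provided cell id) and the accepted cell-id length range are assumptions for illustration.

```python
import re

CRLF = "\r\n"

# Constructed REGISTER carrying the three header manipulations from Part 1:
# pre-added P-Visited-Network-ID (Attack 3), crafted P-Access-Network-Info
# (Attack 2) and a custom X- header (Attack 4). All values are made up.
ATTACKER_REGISTER = (
    "REGISTER sip:open-ims.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK1\r\n"
    "From: <sip:evil@open-ims.test>;tag=1\r\n"
    "To: <sip:evil@open-ims.test>\r\n"
    "Contact: <sip:evil@10.20.30.40:5060>\r\n"
    "P-Visited-Network-ID: fake.test\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=9990100010000001\r\n"
    "X-Header: injected\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Headers only the network may set; UE-supplied values are never trusted.
NETWORK_SET = {"p-visited-network-id", "p-access-network-info",
               "p-asserted-identity", "p-charging-vector"}
# Known access types and a hex cell id (MCC+MNC, then LAC/TAC and cell identity).
# The 13-17 digit range is an assumed sanity bound for this example.
CELL_ID_RE = re.compile(
    r"^3GPP-(?:E-UTRAN-(?:FDD|TDD)|UTRAN-(?:FDD|TDD)|GERAN);\s*"
    r"utran-cell-id-3gpp=([0-9A-Fa-f]{13,17})$")

# Example policy: assumed values, not those of any real network.
POLICY = {
    "visited_network": "open-ims.test",
    "mcc_mnc": "26201",
    "network_provided_pani": "3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=26201ABCD0000001",
    "allowed_extension_headers": set(),
}


def parse_sip(raw: str):
    """Split a SIP message into request line, [(name, value)] and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(request_line: str, headers, body: str = "") -> str:
    return CRLF.join([request_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def pcscf_naive(raw: str, visited_network: str) -> str:
    """Reproduces Result 3: the proxy appends its identity to whatever the UE sent."""
    req, headers, body = parse_sip(raw)
    for i, (name, value) in enumerate(headers):
        if name.lower() == "p-visited-network-id":
            headers[i] = (name, f"{value}, {visited_network}")
            break
    else:
        headers.append(("P-Visited-Network-ID", visited_network))
    return serialize(req, headers, body)


def pani_allowed(value: str, mcc_mnc: str) -> bool:
    """Whitelist for P-Access-Network-Info: known access type, hex cell id, home MCC/MNC."""
    m = CELL_ID_RE.match(value)
    return bool(m) and m.group(1).startswith(mcc_mnc)


def pcscf_hardened(raw: str, policy: dict):
    """Strip UE-supplied network headers, re-insert trusted values, drop unknown X- headers.
    Returns (cleaned message, list of findings for the monitoring side)."""
    req, headers, body = parse_sip(raw)
    findings, kept = [], []
    for name, value in headers:
        lname = name.lower()
        if lname in NETWORK_SET:
            findings.append(f"dropped UE-supplied {name}: {value}")
            continue
        if lname.startswith("x-") and lname not in policy["allowed_extension_headers"]:
            findings.append(f"dropped non-whitelisted {name}")
            continue
        kept.append((name, value))
    # Location comes from the bearer side (PGW/GGSN), never from the UE, and is
    # itself checked against the whitelist before it is inserted.
    pani = policy["network_provided_pani"]
    if not pani_allowed(pani, policy["mcc_mnc"]):
        raise ValueError(f"network-provided P-Access-Network-Info fails whitelist: {pani}")
    kept.append(("P-Access-Network-Info", pani + ";network-provided"))
    if req.startswith("REGISTER "):
        kept.append(("P-Visited-Network-ID", policy["visited_network"]))
    return serialize(req, kept, body), findings


if __name__ == "__main__":
    print(pcscf_naive(ATTACKER_REGISTER, POLICY["visited_network"]))
    cleaned, notes = pcscf_hardened(ATTACKER_REGISTER, POLICY)
    print(cleaned)
    print("\n".join(notes))
```

The findings list is what the DPI/monitoring rule from the slide would log: a UE that sends P-Visited-Network-ID or a cell id outside its own MCC/MNC is either misbehaving or testing the network, and both are worth an alert rather than a silent fix-up.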
## IPTABLES ON ANDROID TO ROUTE TRAFFIC TO LAPTOP AND BACK
  # run as root on the phone: the laptop (MITM) sits on the WiFi side,
  # the IMS P-CSCF is reached over the cellular interface rmnet1
  iptables -F
  iptables -t nat -F
  echo 1 > /proc/sys/net/ipv4/ip_forward
  # phone's own addresses on the cellular and WiFi interfaces
  # (head -n1 in case the interface carries more than one address)
  RMNET=$(ip addr show dev rmnet1 | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | head -n1)
  WLAN=$(ip addr show dev wlan0 | grep inet | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -v 255 | head -n1)
  IMS="10.0.0.1"
  MITM="192.168.0.2"
  # outbound packets for the IMS are redirected to the laptop over WiFi ...
  iptables -t nat -A OUTPUT -d $IMS -j DNAT --to-destination $MITM
  iptables -t nat -A POSTROUTING -o wlan0 -d $MITM -j SNAT --to-source $WLAN
  # ... and what the laptop sends back towards the IMS leaves via rmnet1 with the phone's address
  iptables -t nat -A POSTROUTING -o rmnet1 -s $MITM -d $IMS -j SNAT --to-source $RMNET
  iptables -t nat -L -vn
Questions?
White paper: https://www.ernw.de/download/newsletter/ERNW_Whitepaper_60_Practical_Attacks_On_VoLTE_And_VoWiFi_v1.0.pdf
Thanks to Hendrik, my l
www.insinuator.net