Insecurity of Voice Solution VoLTE in LTE Mobile Networks Chi-Yu Li - PowerPoint PPT Presentation

Insecurity of Voice Solution VoLTE in LTE Mobile Networks Chi-Yu Li 1 , Guan-Hua Tu 1 , Chunyi Peng 2 , Zengwen Yuan 1 , Yuanjie Li 1 , Songwu Lu 1 , Xinbing Wang 3 1: University of California, Los Angeles; 2: The Ohio State University; 3: Shanghai Jiao Tong University The first two authors equally contribute to this work.

Voice: Vital Carrier Service All Along 2 30+ years support in cellular networks

Voice Evolved in 4G LTE 3 ◻ Legacy voice solution: Circuit-Switched (CS) Carrier-grade quality Telephony CS Gateway Network Circuit Circuit Circuit ◻ 4G LTE: Packet-switched (PS) only ? 4G PS Gateway (aka. edge routers) Internet

Voice over LTE (VoLTE): Carry Voice in Packets 4 Data Service Packets VoLTE Signaling Packets VoLTE Voice Packets VoLTE Telephony Signaling Media Network Servers Gateway 4G LTE PS Core Packet-switched 4G PS Gateway (PS) Core (aka. edge routers) Internet

How to provide “Carrier - Grade” Voice in VoLTE? 5 ◻ Define “Bearer” with distinct QoS profile to deliver packets Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1 (highest) Data Service Bearer Best Effort 6-9 Packet-switched 4G PS Gateway (PS) Core (aka. edge routers)

Potential Security Threats in VoLTE 6 4G PS Gateway (aka. edge routers) Internet #1: Carry “data” over VoLTE Signaling bearer? If yes, abuse its charging scheme ( free ) and higher-priority/QoS scheme for “data” ?

Potential Security Threats in VoLTE 7 ✗ VoLTE Media 4G PS Gateway Gateway (aka. edge routers) #2: Inject (junk) data into VoLTE voice bearer? If yes, authentic voice traffic will be blocked.

Overview of Our Findings 8 ◻ Data: Carry data over VoLTE signaling bearer Free data service Higher-priority data service Overbilling Data Denial-of-Service ◻ Voice: Inject junk data into VoLTE voice bearer Voice Denial-of-Service (muted voice) ◻ Vulnerabilities from VoLTE standards Carrier networks Mobile devices (software and hardware)

Carry Data in VoLTE Signaling Bearer 9

Two Access Control at Device & Network 10 4G PS Gateway (aka. edge routers) Internet Q1: [Device] Q2: [Network] Will the phone allow an Will the network allow app (user-space) to send packets over VoLTE signaling data packets out into bearer to non-VoLTE VoLTE signaling bearer? destinations (Internet)?

No Access Control on the Phone 11 ◻ #1: VoLTE signaling functions are implemented in IP- based software ( Open to OS and apps) A system app VoLTE app Software Apps IMS Client (dialing) Android OS IP for 615 VoLTE Hardware 4G LTE Modem (chipset) IP for Normal data

No Access Control on the Phone 12 ◻ #2: No proper permission control to VoLTE Signaling network interface in OS (software) Given IP, app (w/Internet permission) send packets ◻ #3: No access control in chipset (hardware) VoLTE app Software Apps IMS Client (dialing) Android OS IP for 615 VoLTE Hardware 4G LTE Modem (chipset)

No Access Control in Network 13 ◻ #4: Imprudent routing in network Simply routing based on destination IP US-I: Internet and Mobile ✔ US-II: Mobile ✔ VoLTE Signaling Servers ? ✔ 4G PS Gateway (aka. edge routers) Internet

Finally, it works out! 14 ◻ Mobile-to-Internet 4G-GW Example: ping Google

Finally, it works out! 15 ◻ Mobile-to-Internet 4G-GW ◻ Mobile-to-Mobile 4G-GW VoLTE-to-VoLTE VoLTE-to-PS

Free for VoLTE Signalings 16 ◻ VoLTE Signaling free of charges Voice calls: charged by minutes Signaling: no charges (usually small volume) Validated in two US major carriers ◻ Rational, but exploited for free data access

Free Data Service: Skype as Demo 17 http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4

Free Data Service 18 240. 500. Uplink Uplink 210. Downlink Downlink 400. Free Data (MB) 180. Free Data (MB) 150. 300. 120. 200. 90. 60. 100. 30. 0. 0. 0 2 4 6 8 10 12 14 16 0 1 2 3 4 5 6 7 8 9 10 Source Rate (Mbps) Time (Hours) There exists NO signs of limit on the volume , throughput and duration for free data service

Overbilling Attack 19 ◻ Spamming via Mobile-to-Mobile (VoLTE-to-PS) Bypass inbound traffic access control at border $ 4G PS Gateway (aka. edge routers) NAT/ Firewall Internet

Data Denial-of-Service Attack 20 ◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer 4G PS Gateway (aka. edge routers) NAT/ Firewall Internet

Data Denial-of-Service Attack 21 ◻ Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer 4G PS Gateway (aka. edge routers) NAT/ Firewall Internet Delivery Priority VoLTE Signaling Bearer Best Effort 1 Data Service Bearer Best Effort 6-9

Data Denial-of-Service Attack 22 32 28 Data Bearer VoLTE Signaling Bearer Throughput (Mbps) 24 20 16 12 0 Mbps 8 4 0 0 4 8 12162024283236404448525660 X-th Second

Inject Junk Data into VoLTE Voice Bearer 23

Similar, but Seemingly More Secure ✗ 24 VoLTE Media 4G PS Gateway Gateway (aka. edge routers) Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer But, voice bearer is designed for specific RTP/RTCP session (e.g., destIP, destPorts) – Such info is confidential (It varied with call and only delivered in encrypted VoLTE signaling messages)

Insufficient VoLTE Voice Access Control 25 ◻ #1: only dest. port# needed Use fixed media gateway (dest. IP is fixed) VoLTE app Software Apps IMS Client ◻ #2: Sending data packets with (dialing) correct port# is allowed Android OS No access control in hardware Hardware 4G LTE Modem (chipset)

Port# is Secret, but can be Easily Leaked 26 ◻ Share same IP among voice and signaling bearers Port# matched, → VoLTE voice bearer Port# unmatched, → VoLTE signaling bearer ◻ Leaked through distinct behaviors caused by various QoS profiles Guaranteed-Bit-Rate vs. High-Priority Best Effort Low-rate voice traffic NOT affected by heavy VoLTE signaling Delivery Priority Guaranteed-Bit-Rate VoLTE Voice Bearer 2 VoLTE Signaling Bearer Best Effort 1

Infer RTP/RTCP Destination Ports 27 300 One Hop RTT (ms) 200 100 Ports 64580, 64581 0 0 9286 18571 27857 37143 46429 55714 65000 Port Number (K) 200 One Hop RTT (ms) Right-Port Min-RTT-for-Wrong-Port 160 120 80 40 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 x-th Run

Voice DoS: Muted Call 28 http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4

Root Causes & Recommended Solutions 29 ◻ VoLTE standards Grant the singaling bearer with priority but no speed limit. ◻ Carrier networks Imprudent routing & charging ploices for VoLTE signaling Fix: disable routing, enable VoLTE volume accounting ◻ Mobile Devices Lack access control at both software (improper permission) and hardware (missing) Fix: VoLTE-specific permission, anomaly detection

Updates 30 ◻ Report and work with 2 US carriers to fix problems ◻ Partial solutions in place (07/2015, 08/2015) ◻ US-I Disable routing to Non-VoLTE destination Fixed: free data, overbilling, data DoS Not fixed: voice DoS ◻ US-II Limit the speed of Mobile-to-Mobile to 600 kbps Fixed: data DoS Not fixed: voice DoS, free data, overbilling

Conclusion 31 ◻ VoLTE designed to carry voice can be exploited to carry data Real threats: free data, overbilling, data DoS, voice DoS. ◻ Lessons at its early deployment Carrier network, device OS, chipset vendors and standards have room to improve ◻ New opportunity for mobile industry security Hardware-based Mobile Security Require more close cooperation between various parties…….

Thank you! Questions? More details or updates about voice security in 4G LTE can be found in our UCLA-OSU cooperation project website