World map of VoLTE deployment

A team of researchers from the French company P1 Security has detailed a long list of issues with 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries.

VoLTE stands for Voice over LTE, where LTE (Long-Term Evolution) is a high-speed wireless communication standard for mobile phones and data terminals, based on older GSM technology.

In simpler terms, VoLTE is a mash-up of LTE, GSM, and VoIP, the technology used for voice-over-the-Internet communications. The protocol rolled out in 2012 in South Korea and Singapore and has become very popular because it blends the benefits of old circuit-switched protocols (stability) with the benefits of modern IP protocols (call quality and speed).

Because VoLTE looks primed to spread to all operators across the globe, P1 Security experts have conducted an audit of this new technology. Their findings, documented in a research paper, reveal serious flaws that could be exploited by attackers with nothing more than an Android phone connected to a mobile network.

Researchers say they identified both "active" vulnerabilities (that require modifying special SIP packets) and "passive" vulnerabilities (that expose data via passive network monitoring or do not require any SIP packet modification). Below is a list summarizing the team's findings:

User enumeration using SIP INVITE messages

SIP (Session Initiation Protocol) INVITE messages are the first messages exchanged when a VoLTE phone call is initiated (see the graph below on the page). They are sent from the caller to the callee and pass through all the mobile networking equipment that supports the call.

Researchers say that an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider's network and obtain a list of all users on it.

Free data channel over SDP

As the vulnerability's name implies, this flaw allows a VoLTE customer to exchange data (phone calls, SMS, mobile data) over VoLTE networks without triggering the CDR (Call Detail Record) module that is responsible for billing.

SIP free data tunnel

There have been other researchers in the past who found free data channels in VoLTE networks, but their methods used a CDR bypass that relied on SIP and RTP (Real-time Transport Protocol) messages.

The method the P1 team discovered relies on attackers using SIP and SDP (Session Description Protocol) messages to create unmonitored data tunnels in VoLTE networks.

This could be an issue with lawful interception (surveillance) because it allows possible crime suspects a way to create covert data communications channels.

User identity spoofing through SIP INVITE message

Attackers can modify certain headers in SIP INVITE messages and place calls using another user's MSISDN (phone number).

Mobile networking equipment does not verify if the SIP INVITE header information is correct, taking the caller's identity at face value.

SIP MSISDN spoofing

Researchers warn that this is a "critical" issue that may result in attackers accessing another person's voice mail, or could cause problems for law enforcement monitoring criminals, who would be able to avoid surveillance by placing calls from another phone number.

Not mentioned by the researchers, but a plausible scenario, is tech support scammers spoofing the phone numbers of legitimate companies to call customers and obtain sensitive information such as passwords, card PINs, and other data.

VoLTE equipment fingerprinting and topology discovery

This vulnerability allows an attacker to fingerprint the network equipment of a target operator just by listening to the VoLTE telephony traffic reaching an Android smartphone.

According to the research team, this finely detailed data about the mobile telco's network setup can be found in the "200 OK" messages the phone receives when connecting to the mobile network.

Researchers recommend that mobile telcos sanitize the headers of "200 OK" messages and remove any equipment info that may allow an attacker to create a virtual map of their network. This information is dangerous because it allows threat actors to plan and carry out finely tuned attacks against the mobile operator.

Leak of the victim's IMEI

Researchers discovered that, by watching VoLTE traffic on an Android phone that is initiating a call, the intermediary messages exchanged before the connection is established reveal the callee's (the victim's) IMEI number.

These intermediary messages are "183 Session Progress" SIP messages, and the diagram below shows their location in the normal progression of a VoLTE connection before the phone call is established.

Diagram of a VoLTE connection

Researchers say this attack does not require the phone call to be established: miscreants can drop the call once they have collected the target's IMEI.

The International Mobile Equipment Identity (IMEI) is a serial number unique to each mobile phone, and it is generally used to block (stolen) devices from accessing a mobile network.

Leak of the victim's personal information

Similarly to the attack above, researchers discovered that the same "183 Session Progress" SIP messages can also leak more detailed information about victims.

This information is stored in another section of the "183 Session Progress" SIP message header and contains the victim's "UTRAN CellID", the unique identifier of the physical antenna (cell) the callee (victim) is using to receive the call.

In other words, attackers could initiate shadow calls, detect the victim's approximate location, and hang up before the phone call is established.

UTRAN CellID

For the latter two attacks, the research team recommends that mobile operators strip or sanitize these 183 SIP message headers so that they only reach the equipment needed to support a call, and not the attacker's smartphone.
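As an added illustration of the two recommendations above (sanitizing "200 OK" and "183 Session Progress" headers before they reach the handset), here is a small Python leak detector and sanitizer run over a constructed 183 message; it is not code from the P1 Security paper or the article. The header and parameter names it looks for (Server and the P-Charging-* headers for equipment info, P-Access-Network-Info with utran-cell-id-3gpp for the cell id, and a urn:gsma:imei in the Contact +sip.instance parameter for the IMEI) are assumptions, since the article does not say which headers carried the leaked data.

```python
import re
# Assumed header names (the article names none): the Server header and the IMS
# charging headers (RFC 7315) reveal core nodes; P-Access-Network-Info carries the
# cell id; the IMEI rides as a GSMA URN in the Contact +sip.instance parameter.
EQUIPMENT_HEADERS = {"server", "p-charging-vector", "p-charging-function-addresses"}
CELL_ID_HEADER = "p-access-network-info"
CELL_ID_PARAM = re.compile(r"utran-cell-id-3gpp=([0-9a-fA-F]+)")
IMEI_PARAM = re.compile(r';\s*\+sip\.instance="<urn:gsma:imei:([^>"]*)>"', re.I)

# Constructed sample: a 183 Session Progress as it might reach the caller's phone.
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "From: <sip:+33600000001@ims.example.net>;tag=a1\r\n"
    "To: <sip:+33600000002@ims.example.net>;tag=b2\r\n"
    "CSeq: 1 INVITE\r\n"
    'Contact: <sip:[2001:db8::20]:5060>;+sip.instance="<urn:gsma:imei:00000000-000000-0>"\r\n'
    "P-Access-Network-Info: 3GPP-UTRAN-TDD;utran-cell-id-3gpp=2080100000001\r\n"
    "Server: EXAMPLE-PCSCF/1.0\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_response(raw):
    """Split a SIP response into (status line, [(name, value), ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status, *lines = head.split("\n")
    return status, [tuple(p.strip() for p in l.split(":", 1)) for l in lines], body

def find_leaks(raw):
    """Report what a subscriber's phone could learn from this response."""
    leaks = {"equipment": [], "cell_id": None, "imei": None}
    for name, value in parse_response(raw)[1]:
        if name.lower() in EQUIPMENT_HEADERS:
            leaks["equipment"].append(f"{name}: {value}")
        elif name.lower() == CELL_ID_HEADER and (m := CELL_ID_PARAM.search(value)):
            leaks["cell_id"] = m.group(1)
        elif name.lower() == "contact" and (m := IMEI_PARAM.search(value)):
            leaks["imei"] = m.group(1)
    return leaks

def sanitize_for_ue(raw):
    """Rebuild the response without those headers, as an edge node could before forwarding it."""
    status, headers, body = parse_response(raw)
    kept = []
    for name, value in headers:
        if name.lower() in EQUIPMENT_HEADERS or name.lower() == CELL_ID_HEADER:
            continue  # whole header is operator-internal; never forward it to the handset
        if name.lower() == "contact":
            value = IMEI_PARAM.sub("", value)  # drop only the IMEI parameter, keep the URI
        kept.append(f"{name}: {value}")
    return "\r\n".join([status, *kept, "", body])
```

Running find_leaks over captured responses on a test handset is a quick way for an operator to check whether its own network is exposing equipment, cell-id or IMEI data before and after such sanitization is deployed.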

The team's research paper, entitled "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone" was presented last week at SSTIC (Symposium sur la Sécurité des Technologies de l'Information et des Communications), a security conference held each year in Rennes, France.