PINDROP BLOG

Study Finds Concerning Flaws in VoLTE Platforms

In recent years as VoLTE (Voice over LTE) services have grown more popular and the nation’s four largest cellular networks have adopted it, security concerns have begun to arise. In a new study presented at the Symposium on Information and Communications Technology Security (SSTIC) three researchers from P1 Security found new vulnerabilities and confirmed old ones regarding information attackers can get about users from VoLTE calls, including geolocation data.

VoLTE is a service that offers voice communications (a phone call) over an LTE network, typically providing higher call quality. This has proven to be lucrative for telecom companies as VoLTE has taken businesses by storm and is becoming a part of people’s personal devices as well. In their paper, the researchers identify several active and passive vulnerabilities in VoLTE that can be used to enumerate users, spoof numbers, and gather information about users from information leaks.

“A malicious user (UE-attacker) can customize certain header fields (From and P-Preferred-Identity) of a SIP INVITE request in order to trick the different network elements present on the SIP signaling path. This fake information, if left as is, not sanitized and not replaced, could be received by the target (UE-victim) and make calls appear from another (spoofed) identities,” the paper by Patrick Ventuzelo, Olivier Le Moal, and Thomas Coudray says.

Some of the vulnerabilities discussed in the paper have been disclosed publicly before, but the researchers show how they can be combined to get a picture of a network and its users.

“This paper demonstrates different vulnerabilities in the VoLTE networks which can be exploited to figure out the location of the targeted victim. For example, VKB#1468 leaks B-party private information. If an attacker A makes a voice call over VoLTE to a victim B, then ‘some’ un-patched systems/networks can leak ‘utran-cell-id-3gpp’ value, which is contained in P-AccessNetwork-Info header. Once an attacker gets this information about his target he can easily retrieve the victim’s localization using databases of Cell IDs like OpenCellID / Cell ID Finder,” said Payas Gupta, a data scientist at Pindrop.

The researchers also identified a flaw that could allow an attacker to get the IMEI number for a subscriber. An IMEI number is unique to each individual device and can be used as an identifier. In addition, the authors demonstrated both active and passive attacks by modifying the SIP packet and SDP headers.

The major contribution of this paper is that given a certain rooted Android phone, it is possible to inject packets in the phone using applications like Wireshark while making a VoLTE call. So, a malicious app on the rooted Android phone can sniff the traffic from the phone and track a victim’s location.

This is just the latest in a series of studies that expose the vulnerabilities built into these VoLTE networks. Previously, attackers had found ways to compromise 4G networks using this new technology after Verizon Wireless, the nation’s largest carrier, rolled it out to the public. Currently, the main audience for VoLTE are businesses who rely on programs like Skype for Business among others as their default voice communications system.

Webinar: Call Center Fraud Vectors & Fraudsters Analyzed