insecurity of voice solution volte in lte mobile networkscse.msu.edu/~ghtu/ccs15-slide.pdfinsecurity...
TRANSCRIPT
Insecurity of Voice Solution VoLTE in LTE Mobile Networks
Chi-Yu Li1, Guan-Hua Tu1, Chunyi Peng 2, Zengwen Yuan, Yuanjie Li1, Songwu Lu 1, Xinbing Wang3
1: University of California, Los Angeles;
2: The Ohio State University; 3: Shanghai Jiao Tong University
The first two authors equally contribute to this work.
Voice: Vital Carrier Service All Along 2
30+ years support in cellular networks
Voice Evolved in 4G LTE
Legacy voice solution: Circuit-Switched (CS) Carrier-grade quality
4G LTE: Packet-switched (PS) only
3
Telephony Network CS Gateway
Circuit Circuit Circuit
4G PS Gateway (aka. edge routers)
Internet
?
4
Packet-switched (PS) Core
4G PS Gateway (aka. edge routers)
Internet
Telephony Network
4G LTE PS Core
VoLTE Signaling Packets VoLTE Voice Packets
Data Service Packets
Signaling Servers
Media Gateway
VoLTE
Voice over LTE (VoLTE): Carry Voice in Packets
How to provide “Carrier-Grade” Voice in VoLTE?
Define “Bearer” with distinct QoS profile to deliver packets
5
Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1
(highest) Data Service Bearer Best Effort 6-9
Packet-switched (PS) Core
4G PS Gateway (aka. edge routers)
Potential Security Threats in VoLTE 6
4G PS Gateway (aka. edge routers)
Internet
If yes, abuse its charging scheme (free) and higher-priority/QoS scheme for “data”?
#1: Carry “data” over VoLTE Signaling bearer?
Potential Security Threats in VoLTE 7
4G PS Gateway (aka. edge routers)
Media Gateway
VoLTE
If yes, authentic voice traffic will be blocked.
#2: Inject (junk) data into VoLTE voice bearer?
✗
Overview of Our Findings
Data: Carry data over VoLTE signaling bearer Free data service Higher-priority data service Overbilling Data Denial-of-Service
Voice: Inject junk data into VoLTE voice bearer Voice Denial-of-Service (muted voice)
Vulnerabilities from VoLTE standards Carrier networks Mobile devices (software and hardware)
8
Carry Data in VoLTE Signaling Bearer 9
Two Access Control at Device & Network 10
4G PS Gateway (aka. edge routers)
Internet
Q1: [Device] Will the phone allow an app (user-space) to send data packets out into VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-VoLTE destinations (Internet)?
Har
dwar
e No Access Control on the Phone
11
Android OS
615
Softw
are
Apps IMS Client VoLTE app (dialing)
4G LTE Modem (chipset)
#1: VoLTE signaling functions are implemented in IP-based software (Open to OS and apps) A system app
IP for VoLTE
IP for Normal data
Har
dwar
e No Access Control on the Phone
#2: No proper permission control to VoLTE Signaling network interface in OS (software) Given IP, app (w/Internet permission) send packets
#3: No access control in chipset (hardware)
12
Android OS
615
Softw
are
Apps IMS Client
VoLTE app (dialing)
4G LTE Modem (chipset)
IP for VoLTE
No Access Control in Network
#4: Imprudent routing in network Simply routing based on destination IP US-I: Internet and Mobile ✔
US-II: Mobile ✔
13
4G PS Gateway (aka. edge routers)
Internet
Signaling Servers
VoLTE
? ✔
Finally, it works out!
Mobile-to-Internet Example: ping Google
14
4G-GW
Finally, it works out!
Mobile-to-Internet
Mobile-to-Mobile VoLTE-to-VoLTE VoLTE-to-PS
15
4G-GW
4G-GW
Free for VoLTE Signalings 16
VoLTE Signaling free of charges Voice calls: charged by minutes Signaling: no charges (usually small volume) Validated in two US major carriers
Rational, but exploited for free data access
Free Data Service: Skype as Demo 17
http://web.cs.ucla.edu/~ghtu/myfiles/free-data-service.mp4
Free Data Service 18
0306090
120150180210240
0 2 4 6 8 10 12 14 16
UplinkDownlink
Source Rate (Mbps)
Free
Dat
a (M
B)
0
100
200
300
400
500
0 1 2 3 4 5 6 7 8 9 10
UplinkDownlink
Time (Hours) Fr
ee D
ata
(MB
)
There exists NO signs of limit on the volume, throughput and duration for free data service
4G PS Gateway (aka. edge routers)
Overbilling Attack 19
Internet NAT/Firewall
Spamming via Mobile-to-Mobile (VoLTE-to-PS) Bypass inbound traffic access control at border
$
4G PS Gateway (aka. edge routers)
Data Denial-of-Service Attack 20
Internet NAT/Firewall
Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer
4G PS Gateway (aka. edge routers)
Data Denial-of-Service Attack 21
Internet NAT/Firewall
Spamming via Mobile-to-Mobile (VoLTE-to-VoLTE) Exploit higher priority of VoLTE signaling bearer
Delivery Priority VoLTE Signaling Bearer Best Effort 1 Data Service Bearer Best Effort 6-9
Data Denial-of-Service Attack 22
048
121620242832
0 5 10 15 20 25 30 35 40 45 50 55 60
Data BearerVoLTE Signaling Bearer
Thro
ughp
ut (M
bps)
X-th Second
0 Mbps
www.cnn.com
Youtube Logo
Inject Junk Data into VoLTE Voice Bearer 23
Similar, but Seemingly More Secure 24
4G PS Gateway (aka. edge routers)
Media Gateway
VoLTE ✗
Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer
But, voice bearer is designed for specific RTP/RTCP session (e.g., destIP, destPorts) – Such info is confidential (It varied with call and only delivered in encrypted VoLTE signaling messages)
4G LTE Modem (chipset)
Insufficient VoLTE Voice Access Control
#1: only dest. port# needed Use fixed media gateway (dest. IP
is fixed)
#2: Sending data packets with correct port# is allowed No access control in hardware
25
Hard
war
e
Android OS Soft
war
e
Apps IMS Client VoLTE app (dialing)
Port# is Secret, but can be Easily Leaked
Share same IP among voice and signaling bearers Port# matched, VoLTE voice bearer Port# unmatched, VoLTE signaling bearer
Leaked through distinct behaviors caused by various QoS profiles Guaranteed-Bit-Rate vs. High-Priority Best Effort Low-rate voice traffic NOT affected by heavy VoLTE
signaling
26
Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1
Infer RTP/RTCP Destination Ports 27
Port Number (K)
One
Hop
RTT
(ms)
0
100
200
300
0 10000 20000 30000 40000 50000 60000
04080
120160200
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Right-Port Min-RTT-for-Wrong-Port
x-th Run
One
Hop
RTT
(ms)
Ports 64580, 64581
Voice DoS: Muted Call 28
http://web.cs.ucla.edu/~ghtu/myfiles/mute_voice_attack.mp4
Root Causes & Recommended Solutions
VoLTE standards Grant the singaling bearer with priority but no speed
limit. Carrier networks
Imprudent routing & charging ploices for VoLTE signaling
Fix: disable routing, enable VoLTE volume accounting Mobile Devices
Lack access control at both software (improper permission) and hardware (missing)
Fix: VoLTE-specific permission, anomaly detection
29
Updates
Report and work with 2 US carriers to fix problems Partial solutions in place (07/2015, 08/2015) US-I
Disable routing to Non-VoLTE destination Fixed: free data, overbilling, data DoS Not fixed: voice DoS
US-II Limit the speed of Mobile-to-Mobile to 600 kbps Fixed: data DoS Not fixed: voice DoS, free data, overbilling
30
Conclusion
VoLTE designed to carry voice can be exploited to carry data Real threats: free data, overbilling, data DoS, voice
DoS. Lessons at its early deployment
Carrier network, device OS, chipset vendors and standards have room to improve
New opportunity for mobile industry security Hardware-based Mobile Security Require more close cooperation between various
parties…….
31
Thank you! Questions?
More details or updates about voice security in 4G LTE can be found in our UCLA-OSU cooperation project website