Security Analysis of VoLTE, Part 1

Hello everybody,
this time I’d like to share some thoughts and results about our telco research last year. We gathered a lot of information out of some projects we’d like to share and discuss with you. The following sections also provide an idea of the upcoming Telecommunication Security Workshop I will give with Kevin Redon at Troopers (click). The workshop will be about Radio Network Security (covered by Kevin) and security aspects of the Core Network (covered by myself), mainly focusing on Voice over LTE (VoLTE). That’s also the topic of today’s post.

Bringing the VoIP technology to operator networks raises a couple of security questions like

  • What attacks do we have to expect from customers?
  • What attacks do we have to expect from malware?
  • Is the environment robust against DoS? I mean, transmitting voice data is one of the core businesses.

The typical ERNW approach to tackle those questions includes performing a risk analysis. A complete risk analysis would take a very long time but it is also interesting and a good starting point to identify the most relevant security threats. Because we did some risk analysis of telecommunication networks including IMS in the past, I’d like to refer to this first. This analysis was part of the ASMONIA research project and is public available. Let’s take a look to the threats used there and pick out the most interesting for VoLTE:

T1: Flooding of an Interface

Flooding can be done on multiple layers, especially in VoLTE. It does not matter how this is performed, there will be a couple of services and network layers where this can be done in VoLTE. Eventually this can result in a Denial of Service condition and therefore a huge loss of money for the operator.

T2: Crashing a Network Element via a Protocol or Application Implementation Flaw

Because VoLTE relies on VoIP and the processing of header information there will be multiple parsers and applications processing data coming from a mobile (handset). All those messages can contain malicious data which potentially again can cause a DoS.

T3: Eavesdropping

Getting access to the VoIP traffic of VoLTE can be done on different layers in the network. From client to IMS there are usually three different physical layers involved

  • the LTE cellular traffic
  • the transport/backhaul network
  • data in the core network

With the use of VoLTE some more eavesdropping scenarios can get relevant by attacking and rerouting the VoIP protocol and its applications. All communication is based on IP, which means that common Man-in-the-Middle and eavesdropping attacks such as compromising the telephony app or re-routing the IP traffic can come into play.

T4: Unauthorized Access to Sensitive Data on a Network Element via Leakage
T6: Data modification on a network element
T7: Compromise of a network element via a protocol or application implementation flaw

The last three threats assume or aim to a compromise of the network element itself, which is why I will summarize those. There will be a couple of functions provided to the customer where a compromise might be possible.

T8: Compromise of a network element via a management interface

– There should not be any management interfaces provided to the user, right? –

But there will be some management related functions built-in in the VoLTE stack like functional numbers, or notification messages. As this will be the same as the compromise of the network element itself, I will discuss this later.

T5: Traffic modification

Usually VoLTE signaling and voice transmission traffic is generated by the application on the phone. Talking about traffic modification this could be done on the phone itself (e.g. via a malicious app) or in transit. So both must be protected, on the one hand by the phone’s OS/phone app and on the other hand by the provider by enforcing integrity protection mechanisms.

The processing of IMS internal data like DIAMETER will not be in scope of this discussion.

T9: Malicious Insider

(not relevant here)

T10: Theft of Service

The operator’S service is the main business of mobile telecommunication providers. Hence theft of this service mainly means one thing: loss of revenue. Therefore we will call this threat “pay fraud”.

In summary, we will rename and keep the following threats:

  • 1. Pay Fraud
    • Side Channels
    • Theft of Service
  • 2. System Compromise
    • Mainly through injection attacks
  • 3. Denial of Service
    • Flooding
    • Application based
  • 4. Information Disclosure
    • (this is a new one and focuses on revealing sensitive information about the IMS system or customer/privacy-relevant data)
  • 5. Eavesdropping
    • On multiple layers (Radio, Transport, IP Layer, Application Layer)
  • 6. Traffic Modification
    • Phone local
    • Data in transit

Stay tuned for the technical discussion of these in the upcoming posts.