Security Flaws in 4G VoLTE

Research paper: "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone," by Patrick Ventuzelo, Olivier Le Moal, and Thomas Coudray.

Abstract: VoLTE (Voice over LTE) is a technology implemented by many operators over the world. Unlike previous 2G/3G technologies, VoLTE offers the possibility to use the end-to-end IP networks to handle voice communications. This technology uses VoIP (Voice over IP) standards over IMS (IP Multimedia Subsystem) networks. In this paper, we will first introduce the basics of VoLTE technology. We will then demonstrate how to use an Android phone to communicate with VoLTE networks and what normal VoLTE communications look like. Finally, we will describe different issues and implementations' problems. We will present vulnerabilities, both passive and active, and attacks that can be done using VoLTE Android smartphones to attack subscribers and operators' infrastructures. Some of these vulnerabilities are new and not previously disclosed: they may allow an attacker to silently retrieve private pieces of information on targeted subscribers, such as their geolocation.

News article. Slashdot thread.

Posted on June 13, 2017 at 6:21 AM • 5 Comments


Bob Dylan's Flaming Hair • June 13, 2017 8:59 AM

Not sure why the focus is on geolocation. All 4G LTE phones have GPS built in. Since 90% of consumers have that turned on, there are more effective ways to get geolocation data, like offering users a free app so they give up their location voluntarily. In short, why would anyone spend all the time seeking out backdoors when they can stroll right in the front door and take all they want?

M • June 13, 2017 9:24 AM

@Bob Dylan's Flaming Hair

But such an attacker still has to install something on the device. In this case someone can get the Cell ID of another user just by sending modified packets. The Cell ID is not nearly as accurate as the GPS location, but, unlike GPS, there is no way to disable it short of turning off the phone.

Clive Robinson • June 13, 2017 11:38 AM

The "hot button" subject is the free data channels that also potentially get around lawful access.

Whilst other researchers have, in the past, found free data channels in LTE networks, they have not been as effective as the one discovered by this French research team.

The older attacks used a CDR (charging system) bypass that relied on SIP and RTP (Real-time Transport Protocol) messages.

The method the French team has published uses SIP and SDP (Session Description Protocol) messages to create the unmonitored data tunnels in the LTE networks. Which apparently gives a better solution, but the unmonitored aspect means no Lawful intercept currently.

65535 • June 13, 2017 11:15 PM

@ Clive
I am a little confused as to who can benefit from the attack – individuals or the NSA?

“…French team has published uses SIP and SDP (Session Description Protocol) messages to create the unmonitored data tunnels in the LTE networks. Which apparently gives a better solution, but the unmonitored aspect means no Lawful intercept currently.” –Clive

Are you saying that this channel is not under the lawful intercept rules?

From the cited paper:

‘4.2 Free Data channel over SDP’

“...Such attacks, if realized with specific SIP methods, can bypass the generation of CDRs (billing) and could potentially bypass Lawful Interception (LI), depending on the operator’s network architecture maturity as well as the data, saved by LI network elements” –SSTIC2017**** [dot]Pdf

I don’t know if you are saying that the hacker can use this somewhat cumbersome method to avoid lawful intercept methods and not Law Enforcement?

Or, do you describe how the NSA could get around “lawful intercept”?

Doesn’t a lawful intercept have to have a license or subscription to use such monitoring of switches such as Cisco’s and others’ switches? The last I checked one could buy a lawful intercept license or subscription for about 750 USD on certain black market sites. Does a lawful intercept license or subscription ensure the encryption is broken? Or, do lawful intercepts just record the encrypted packets and the metadata [to-from and Call Data Records]?

Next, does this method also break the encrypted message? This assumes you have the right geolocation of the tower or hot-spot. I see “Download Open Data of Mylnikov Geolocation project” and associated API mentioned. I also see that some commenters on his blog indicate many London locations are missing from his database.

See comments:

Does this hack work only with certain chipsets and android OS combinations? Another question is the IPv4 IP "end-to-end" connection used and the so called "depletion of IPv4" problem. Does phone carrier NAT or Port Address Overloading solve the IPv4 depletion problem?

Could this hack be helpful to reporters and human rights advocates?

Clive Robinson • June 14, 2017 4:07 AM

@ 65535,

Are you saying that this channel is not under the lawful intercept rules?

As the old saying has it "if you can not see it throw a light on it".

In modern networks most things are "in band" to the telco provider, be it on an IP based network or a lower level "physical layer" protocol, from the old X25 forwards in time. Likewise for anybody who has the same level of 'on the wire' access as the telco provider, which we assume the NSA has got. But we know the LEOs don't under the terms of the Communications Assistance for Law Enforcement Act (CALEA). That is, the telco switch tap is at a much higher level and gives the voice data and a limited amount of "pen and tap" call setup data, not the real metadata of the call setup signalling in modern networked VoIP systems.

But when you have vast amounts of mixed voice data and signaling metadata on a wire, spotting that a user is "abusing" signaling metadata as a data channel that is not specified as data is a hard job, especially when the person doing it does it in a non-obvious, covert way.

But worse, unless the software picks up on anomalous behaviour in the signaling metadata, it will pass by completely unseen. Hence it is not visible to lawful intercept, or even to the snooping behaviour of the NSA. Thus it's not just covert, it's a subliminal channel under the existing CALEA rules.

Have a look at Gustavus J. Simmons' ideas that gave rise to his 1984 "The Prisoner’s Problem and the Subliminal Channel" paper, which introduced the idea of the "subliminal channel" and in effect killed off the ideas for SALT.
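The detection point Clive makes above, that a data channel hidden in signalling only gets caught if something looks for anomalies in the signalling itself, can be illustrated with a small heuristic check over SIP messages carrying SDP. This is an added example, not code from the paper or the post; the attribute baseline, the size thresholds and both sample INVITEs are assumptions constructed for illustration.

```python
"""Heuristic check for SIP signalling whose SDP body looks like a data channel.
Thresholds, attribute baseline and sample messages are constructed for illustration."""

# SDP attributes a plain VoLTE voice offer/answer is expected to carry (assumed baseline).
KNOWN_ATTRS = {"rtpmap", "fmtp", "ptime", "maxptime", "sendrecv", "sendonly", "recvonly",
               "inactive", "rtcp", "curr", "des", "conf"}
MAX_SDP_BYTES = 1000   # assumed: a genuine voice offer is a few hundred bytes
MAX_ATTR_VALUE = 100   # assumed: no standard audio attribute value is this long

def split_sip(raw: str):
    """Split a raw SIP message into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sdp_findings(body: str):
    """Return the reasons this SDP body looks anomalous; an empty list means it looks clean."""
    findings = []
    size = len(body.encode())
    if size > MAX_SDP_BYTES:
        findings.append(f"oversized SDP body ({size} bytes)")
    for line in body.splitlines():
        if not line.startswith("a="):
            continue
        name, _, value = line[2:].partition(":")
        if name not in KNOWN_ATTRS:
            findings.append(f"non-standard attribute a={name}")
        if len(value) > MAX_ATTR_VALUE:
            findings.append(f"overlong value in a={name} ({len(value)} chars)")
    return findings

def inspect_message(raw: str):
    """Apply the SDP checks only to SIP messages that actually carry an SDP body."""
    _, headers, body = split_sip(raw)
    if "application/sdp" not in headers.get("content-type", "").lower():
        return []
    return sdp_findings(body)

# Constructed sample: an ordinary INVITE for an AMR-WB voice call.
NORMAL_INVITE = ("INVITE sip:+15551230002@ims.example.net SIP/2.0\r\n"
                 "Content-Type: application/sdp\r\n\r\n"
                 "v=0\r\no=- 1 1 IN IP4 10.0.0.2\r\ns=-\r\nc=IN IP4 10.0.0.2\r\nt=0 0\r\n"
                 "m=audio 4000 RTP/AVP 96\r\na=rtpmap:96 AMR-WB/16000\r\na=ptime:20\r\na=sendrecv\r\n")

# Constructed sample: the same INVITE, but its SDP carries a 3 KB blob in a made-up attribute.
SMUGGLED_INVITE = NORMAL_INVITE + "a=x-blob:" + "A" * 3000 + "\r\n"
```

Running `inspect_message` over a feed of signalling messages and alerting on any non-empty result is the kind of anomaly check that turns the "completely unseen" channel into a visible one.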
