Uncovering IMS Insecurity via VoWiFi in 4G LTE Networks

• Main Authors: Li, Yao-Yu, 李曜宇
• Other Authors: Li, Chi-Yu
• Format: Others
• Language: en_US
• Published: 2018
• Online Access: http://ndltd.ncl.edu.tw/handle/4dyxmb

碩士 === 國立交通大學 === 資訊科學與工程研究所 === 106 === Cellular networks introduce VoWiFi (Voice over WiFi) to complement conventional cellular calls for weak cellular signals. It allows cellular calls to be made through WiFi. Similar to VoLTE (Voice over LTE), it is enabled by an IMS (IP Multimedia Subsystem) system in the core network. However, at the end device, VoWiFi is supported fully by the software within the mobile OS but not by the cellular modem. It implies that once the root privilege of the mobile OS can be obtained (e.g., Android), the VoWiFi’s operation and network traffic may be wiretapped and hacked. Such design will expose the IMS system to security threats if the IMS is not well protected. In this work, we examine the IMS insecurity by leveraging two VoWiFi operations: call setup and call voice session. We discover five vulnerabilities totally: SIP forging, no defense against INVITE flooding, multiple outgoing calls, unprotected access to voice session, and no context-aware check of voice packets. We validate them in real cellular networks and identify their root causes. On top of them, we devise three novel attacks: hidden data transmission, cellular call DoS, and emergency hotline DoS. We finally evaluate the damages of the attacks and propose recommended solutions.