VoLTE can be abused to track and spoof users

Researchers have identified multiple flaws in voice over long term evolution (VoLTE) implementations that allow attackers to spoof and surveil users, and bypass billing and lawful interception capabilites for calls and data.

VoLTE is part of the 4G LTE standard, and uses voice over internet protocol (VoIP) open standards over IP multimedia system (IMS) networks. It offers higher call quality than 2G and 3G mobile voice services, with improved narrow and wideband audio encoders/decoders.

All mobile telcos in Australia offer VoLTE, and the feature is available to subscribers in 55 countries via 104 operators, researchers from French vendor P1 Security said.

By using a rooted (superuser enabled) Android device and a 4G SIM card, the researchers were able to attack subscribers and operator infrastructure via VoLTE [pdf].

By eavesdropping on the network interface set up by VoLTE implementations on Android phones like Samsung's Galaxy S6, the researchers were able to interact with the open standard session initiation protocol (SIP) used for setting up calls, and the session description protocol (SDP), which provides media information.

Even when the operator uses IPsec authentication and encryption, the researchers were able to sniff SIP traffic and inject data into the protected tunnel between the user device and the operator network.

As SDP is text-based, the researchers were able to inject arbitrary strings into the protocol headers without triggering operator protection mechanisms, and obtain a free data channel between the device and mobile network.

This vulnerability could be used to make free calls and bypass operator billing. It could also be used to get around lawful interception set up by police or other authorities, the researchers noted.

Users can also be identified through VoLTE by analysing SIP OPTIONS messages. Sending modified SIP INVITE messages lets attackers enumerate users on the IMS.

Attackers can also manipulate header fields in SIP INVITE requests, to make it appear as if the calls came from a different phone number - so-called spoofing.

SIP leaks technical information, allowing attackers to fingerprint operator network equipment. The researchers suggested operators sanitise headers of SIP 200 OK messages to stymie attackers wanting to map out their networks.

Likewise, SIP 183 session progress responses can be used to discover users' international mobile equipment identifiers (IMEI). Mobile operators should sanitise the contact headers of the responses to prevent this, the researchers said.

It is also possible to use SIP INVITE requests to find users via the network utran-cell-id code that provides mobile country codes (MCCs) and location area codes (LACs), and identifies the operator used by the subscriber.

Bad default vendor configurations on network infrastructure equipment could also expose operators to the VoLTE vulnerabilities, the researchers said.