November 4, 2015

Voice as a threat: VoLTE, a new tool to compromise mobile networks


While communication technology providers are seeking consensus over the future of 5G networks, carriers are wasting no time in rolling out new technologies available for the current 4G networks. Voice over LTE or simply VoLTE is one of these technologies. VoLTE allows transmitting voice calls over data layers.

Something's wrong with VoLTE

What exactly does that mean? Well, let us explain some technical details. Today’s cellular networks employ three ‘planes’: data, voice and control. We typically use the data plane for mobile Internet, and the voice plane for voice calls. The third plane, to put it simply, is used to manage everything that happens on the other two planes.

Traditional cellular networks handle voice calls through dedicated circuits. However, the 4G technology allows for the prioritization and transmission of voice traffic as packets with higher priority via the data plane. That is essentially VoLTE. The control plane packets have the highest priority. In essence, VoLTE is a sort of IP telephony (VoIP) adapted for use over cellular networks.

VoLTE brings a handful of benefits. First, ubiquitous VoLTE deployment will render existing 2G/3G infrastructures impractical and thus not necessary to support, since VoLTE won’t require a separate infrastructure to handle voice calls. Secondly, VoLTE offers higher bandwidth than 3G, which boosts voice quality.

The third benefit is that VoLTE can be used for video conferencing. Last but not least, mobile carriers claim VoLTE offers better call privacy and faster connection. All in all, it looks like VoLTE has a number of critical benefits with no particular drawbacks. At least upon first impression.

As usually happens, every breakthrough technology has its growing pains. Researchers from the University of California, in a joint effort with their colleagues from Shanghai Jiao Tong University and the Ohio State University, demonstrated practical attacks on VoLTE in two US Tier-1 carriers’ networks.

The researchers managed to demonstrate how a criminal can drop all of the victim’s calls, increase the charges on the victim’s cellular bill or, conversely, gain free mobile data access. The interesting thing is that criminals don’t need to hack networks or use expensive equipment to carry out the attacks. All they need is an unrooted or rooted smartphone.

The researchers’ key finding is that one can fool VoLTE and send ordinary data packets masquerading as ‘high-priority’ signal or voice packets.

This means that a potential attacker can have carte blanche. Signal packets are not charged for, so once you use this ‘wrapper’ for ordinary data packets, you no longer pay for the data you consume. To offer a proof of concept, the researchers had a 10-minute Skype call and the carrier never registered their consumption of data traffic.

The signal (control) plane has the highest priority, which opens up a range of opportunities for attackers. If this layer is jammed with data packets masquerading as signal packets, the real signal packets won’t have enough bandwidth available. This method could be a means of cutting off someone’s network access, or of launching a targeted attack that causes network downtime by jamming the network with faux signal packets.

Finally, attackers can use the same method to flood the victim with data packets which, provided the victim does not have an unlimited data plan, might mean a lot of extra charges the target would need to pay to the carrier. Moreover, such attacks are not detected by firewalls, which are there to filter malicious traffic. Such an attack uses legitimate mobile traffic, which leaves firewalls unable to detect it.

All of the above concerned the ability to transfer data packets via the signal (control) plane, but the same approach could work on the voice plane as well. For example, the researchers managed to subdue a voice call over VoLTE: a victim would accept the call but couldn’t hear anything, as voice packets were lost in the flood of faux signal packets.

The researchers offer a handful of solutions to at least partially solve the issues; both carriers whose networks were probed during the research have already deployed some of them.

Countries like Germany or Russia have just started to roll out VoLTE services, so it may well be the case that not all carriers will be that fast in patching the vulnerabilities.

Unfortunately, some of the vulnerabilities cannot be patched without making changes to VoLTE as a standard. Of course, carriers can be more vigilant about what happens in their networks and make sure to cut off the transmission of signal traffic between any devices, except for legitimate connections between a phone and a signal server, but that is never enough.
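The filtering rule described above (signal traffic allowed only between a phone and a signal server), paired with a per-subscriber volume check on uncharged signal traffic, as an added example that is not from the original article or the researchers’ work. The addresses, the flow-record layout and the `MAX_SIGNALING_BYTES` threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration, not taken from any carrier.
SIGNALING_SERVERS = {ip_address("192.0.2.10")}
SUBSCRIBER_NET = ip_network("10.0.0.0/8")
MAX_SIGNALING_BYTES = 200_000  # assumed per-subscriber budget per time window

# Constructed flow records: (bearer, source, destination, bytes)
FLOWS = [
    ("signaling", "10.0.0.5", "192.0.2.10", 4_200),       # normal call setup
    ("signaling", "10.0.0.7", "10.0.0.9", 90_000),        # device to device
    ("signaling", "10.0.0.7", "198.51.100.20", 350_000),  # device to outside host
    ("signaling", "10.0.0.8", "192.0.2.10", 900_000),     # right peer, odd volume
    ("data", "10.0.0.5", "198.51.100.20", 5_000_000),     # charged data, ignored
]


def is_subscriber(addr):
    return addr in SUBSCRIBER_NET


def audit(flows):
    """Return (violations, over_budget) for flows on the signaling bearer."""
    violations = []
    volume = defaultdict(int)
    for bearer, src, dst, nbytes in flows:
        if bearer != "signaling":
            continue
        s, d = ip_address(src), ip_address(dst)
        # Rule from the text: only phone <-> signal server is legitimate.
        legit = (is_subscriber(s) and d in SIGNALING_SERVERS) or \
                (s in SIGNALING_SERVERS and is_subscriber(d))
        if not legit:
            violations.append((src, dst, nbytes))
        # Tally uncharged bytes against every subscriber endpoint of the flow,
        # so both a sender and a flooded receiver show up.
        for end, text in ((s, src), (d, dst)):
            if is_subscriber(end):
                volume[text] += nbytes
    over = sorted(u for u, b in volume.items() if b > MAX_SIGNALING_BYTES)
    return violations, over


if __name__ == "__main__":
    bad, heavy = audit(FLOWS)
    for src, dst, n in bad:
        print(f"DROP signaling flow {src} -> {dst} ({n} bytes)")
    print("over signaling budget:", heavy)
```

The fourth record passes the peer rule and is caught only by the volume tally, which is why the example keeps both checks.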

To fix all VoLTE issues, there is a need for a joint effort of OEMs, chipset vendors, carriers and standardization bodies.

That’s the reason why the researchers are trying to publicize this problem widely: the more widely the problem is acknowledged, the faster solutions will be found.

Users, on their end, should treat their mobile security more seriously: in order to carry out the described attacks, adversaries would have to install a malicious app on smartphones. Such mobile malware is very likely to be detected by good security software.

And, finally, the absolute majority of popular devices and active 4G networks don’t support VoLTE at all so far. Let us hope that, by the time VoLTE becomes a ubiquitous service, all security issues will be solved.