How secure are your VoLTE and VoWiFi calls?
Priya Chalakkal
About me : Priya Chalakkal
o ERNW GmbH, Heidelberg
o Loves telco, pcaps, binaries, logs, protocols and all security stuff in general.
o Completed Masters in Security and Privacy from TU, Berlin and UNITN, Trento.
o https://priyachalakkal.wordpress.com/
o https://insinuator.net/
Agenda
o Introduction
o Fundamentals
o PART1: Attacks on OpenIMS (without IPSec)
o PART2: Attacks on real telecom providers (with IPSec)
o Demo
o Mitigation
Introduction - Telephony
Circuit Switched
o PSTN : Public Switched Telephone Networks
o Dedicated circuit – “Channel”
o Roots traced back to 1876
o Graham Bell got the first patent
Packet Switched
o Data sent as Packets
o Protocol stack: TCP/IP
o Eg:- Internet
o For voice - VoIP
Introduction - VoIP
Introduction – VoLTE/VoWiFi
VoLTE
o SK Telecom and LG U+ – South Korea – 2012
o Vodafone Germany – VoLTE – March 2015
VoWiFi:
o Telekom Germany – VoWiFi – May 2016
o WiFi Calling
FUNDAMENTALS
History of Mobile Communication
o GSM (2G)
o Relies on Circuit Switching
o Supports only Voice and SMS
o GPRS
o Circuit – voice and SMS
o Packet – Data
o UMTS (3G)
o Similar to GPRS
o Other network elements evolved
Voice and 4G
o LTE (4G): Supports only packet switching
o Voice - VoLTE
o Circuit Switched Fall Back (CSFB)
o For voice, fall back to circuit switched networks.
o Other approaches
o Simultaneous voice and LTE
o etc.
BACKGROUND
Source: https://en.wikipedia.org/wiki/System_Architecture_Evolution
VoLTE Stack
IMS – IP Multimedia Subsystem
o Backend: IMS Core
o IP Multimedia Subsystem
o Call session control functions (CSCF)
o P-CSCF
o S-CSCF
o I-CSCF
IMS
IMS Signaling
SIP - Session Initiation Protocol
o Similar to HTTP (text based)
o TCP or UDP
o Contains SDP
o Session Description Protocol
o Describing multimedia session
o Eg:- audio/video type
SIP call session
PART1: Attacking OpenIMS
Requirements
o OpenIMS
o SIP Proxy
o Viproy toolkit for Attack1
o IMS clients – Twinkle (on Ubuntu), Boghe (on Windows)
Attack modeling
o VoLTE and VoWiFi make use of SIP
o These are experimental tests on OpenIMS with desktop clients
o Mainly SIP header injection
o Without IPSec in any communication
o Both attacker and victim are registered users.
Attack1: MSRP fuzzing
o MSRP – protocol for transmission of a series of related instant messages in the context of a communication session
o Evil sends fuzzed input in one of the MSRP header fields to Alice
o a=file-selector:name:"AAAAAAAAAAA…"
o This is an automated test vector in the Viproy toolkit.
Result 1
o Crashes the IMS client of the receiver (the Boghe IMS client is used in this case)
o Neither the IMS nor the client performed input validation.
Result1: MSRP fuzzing
Source: Fatih Ozavci - VoIP Wars: The Phreakers Awaken
Attack2: Location manipulation
o P-Access-Network-Info - defines the user location in the access network
o Contains information such as:
o Mobile Network Code (MNC)
o Mobile Country Code (MCC)
o Local Area Code (LAC)
o Cell Identifier
o The attacker sends an INVITE request to Alice with a crafted location.
Result2
o Modified P-Access-Network-Info is accepted by IMS and sent to Alice
o No cross validation with HSS for user location.
o Can evade lawful interception techniques.
o NOT about privacy
Attack3: Roaming Information
o P-Visited-Network-ID - header field that decides the access network that serves the user.
o Attacker sends a REGISTER request to IMS with a pre-added P-Visited-Network-ID header.
Result3
o P-CSCF just appends the network identity to the existing header field
o Attacker can use this to make his roaming calls as local calls
Output from S-CSCF packet dump:
P-Visited-Network-ID: open-ims_fake.test, open-ims.test
Attack4: Extra header field
o SIP is an extensible protocol
o Allows adding customized header fields
o Evil sends an INVITE request to Alice containing a custom header field X-Header
Result4
Source: https://insinuator.net/2017/02/exploitation-of-ims-in-absence-of-confidentiality-and-integrity-protection/
More attack possibilities
o Spoofing
o Injection – XML, SQL,
o Denial of Service
o Fuzzing
o …
o …
Attacking OpenIMS summary
o 4 attacks on OpenIMS
o MSRP fuzzing
o User location manipulation
o Roaming information manipulation
o Extra header field injection
o These are Man in the End attacks
o Without IPSec
How to prevent SIP tampering attacks?
o Bring integrity protection?
o Can IPSec solve this?
o Many real telecom providers actually have IPSec in place.
o Can we still mess with SIP headers in real providers?
PART2: ATTACKING TELECOM PROVIDERS
Requirements
o VoLTE/VoWiFi enabled SIM cards
o SIMTrace hardware
o VoLTE/VoWiFi enabled phones
o Wireshark - Gcrypt
http://shop.sysmocom.de/products/simtrace
Attack modeling
o Sniffing VoLTE – rmnet0, rmnet1
o Sniffing VoWiFi – epdg1, wlan0
o Sniffing ISIM interface using SIMTrace
o IPSec
o ESP encapsulation for both VoLTE and VoWiFi
o Integrity protection enabled for VoLTE/VoWiFi
o Encryption for VoWiFi (only in wlan0)
ESP Packets
Test 1: Sniffing VoLTE/VoWiFi Interfaces
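Sniffing VoLTE interface:
# On the phone, inside the adb shell: capture on rmnet1 and serve the pcap stream on local port 11233
$ adb shell
$ tcpdump -i rmnet1 -n -s 0 -w - | nc -l 127.0.0.1 -p 11233
# On the laptop: forward the port over adb and feed the stream into Wireshark
$ adb forward tcp:11233 tcp:11233 && nc 127.0.0.1 11233 | wireshark -k -S -i -
o VoLTE – rmnet1/rmnet0
o VoWiFi –
o epdg1 – hidden virtual interface with non-encrypted traffic
o wlan0 – encrypted traffic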
VoLTE sniffing
VoWiFi sniffing
Observations
o No encryption in VoLTE
o Only integrity with ESP
o Encryption in VoWiFi
o Hidden interface with non-encrypted traffic detected in VoWiFi
Results1: Information disclosures
o IMEI in SIP REGISTER (before authentication)
Contact:
<sip:262011202xxxxxx@[x.x.x.x]:6000>;q=0.50;+g.3gpp.icsi-ref=
"urn%3Aurn-7%3A3gpp-service.ims.xxx";
+g.3gpp.smsip;+sip.instance="<urn:gsma:imei:35490xxx-xxxxxx-0>"
o UTRAN Cell ID
o Outgoing packets such as SIP REGISTER, SIP INVITE and SIP SUBSCRIBE messages contain the location information
## FOR VOLTE
INVITE sip:[email protected] SIP/2.0
...
User-Agent: Samsung IMS/5
P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=00000001
Content-Length: 117
## FOR VOWIFI
P-Access-Network-Info: IEEE-802.11;i-wlan-node-id=003a9axxxxxx
o IMEI of caller
o The incoming SIP INVITE request contains a parameter that holds the IMEI number of the caller.
Accept-Contact:*;+sip.instance="<urn:gsma:imei:354xxxxx7-xxxxxx-0>";+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.xxxx";explicit;require
o IMSI of caller leaked
o In SIP INVITE incoming request
INVITE sip:262011202xxxx@[x.x.x.x]:6000 SIP/2.0
Private IP of IMS
o Found within SIP INVITE in incoming calls
To: <sip:[email protected]>
From: <sip:[email protected]>;
tag=h7g4Esbg_mavodi-a-10b-3c-2-ffffffff-
_000050ED9CA4-1224-xxxx-xxxx
Test 2: ISIM sniffing for extracting CK/IK
ISIM sniffing with SIMTrace
Security protocol: EAP-AKA
GSM SIM traffic
What can we find here?
o AKA parameters –
o RAND - random challenge
o AUTN – server authentication
o IPSec keys
o IK – integrity key
o CK – ciphering key
How to extract it?
o Wireshark dissector
Result2: Extracting IK/CK
Are the keys used in ESP?
Failed authentication
Set up SA with obtained IK
Success: Key validation
Summary: Testing UE
o Test1: Sniffing VoLTE/VoWiFi interfaces
o Use case identification
o Results: Information disclosures like IMEI, IMSI, private IPs.
o Test2: ISIM sniffing with SIMTrace
o Result: IK/CK
o Wireshark dissector for extraction
o Validation using Wireshark Gcrypt with authentication check in ESP
Simple demo of replay attack of SIP INVITE in a hidden non-IPSec channel
Final Summary
o Current implementations of VoLTE/VoWiFi make use of IPSec
o 4 experimental attacks on OpenIMS without IPSec
o Sniffing on VoLTE/VoWiFi interfaces with IPSec
o Information disclosures identified
o ISIM Sniffing with SIMTrace
o Wireshark dissector
o Extracted CK/IK
o Verified obtained IK with Wireshark Gcrypt
Mitigation
o Never rely on user-end security
o Traffic monitoring
o In PDN gateways that perform deep packet inspection
o Whitelist rules in place that determine the expected value in each SIP header field.
o Encryption
o To protect against info disclosures
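One way to express such whitelist rules for messages arriving from a UE, covering the four OpenIMS findings above (added example, not code from the talk or from any IMS product). The whitelist contents, the length limit and the known_access lookup are assumptions, and the sample messages are constructed.

```python
MAX_SDP_ATTR_LEN = 128                   # assumed length limit for one SDP line
NETWORK_ONLY = {"p-visited-network-id"}  # inserted by the P-CSCF, never by a UE
ALLOWED_FROM_UE = {                      # assumed whitelist, adapt per deployment
    "via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
    "expires", "user-agent", "authorization", "supported", "require",
    "accept-contact", "content-type", "content-length", "p-access-network-info",
}

def parse_sip(raw):
    """Split a SIP message into start line, [(name, value)] headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def parse_pani(value):
    """Return (access_type, {param: value}) from a P-Access-Network-Info value."""
    access_type, *rest = [p.strip() for p in value.split(";")]
    params = {}
    for part in rest:
        key, _, val = part.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return access_type.upper(), params

def check_ue_message(raw, known_access):
    """Check a message from a UE. known_access holds what the network itself
    knows about the bearer: {"type": ..., "<param>": ...} (hypothetical lookup)."""
    _, headers, body = parse_sip(raw)
    expected = {k: v for k, v in known_access.items() if k != "type"}
    findings = []
    for name, value in headers:
        if name in NETWORK_ONLY:
            findings.append(("strip", name, "network-only field sent by UE"))
        elif name not in ALLOWED_FROM_UE:
            findings.append(("reject", name, "field not on whitelist"))
        elif name == "p-access-network-info":
            access_type, params = parse_pani(value)
            if access_type != known_access["type"].upper() or any(
                    params.get(k) != v for k, v in expected.items()):
                findings.append(("reject", name, "location differs from network view"))
    for line in body.split("\n"):
        if line.startswith("a=") and len(line) > MAX_SDP_ATTR_LEN:
            findings.append(("reject", line.split(":", 1)[0], "oversized SDP attribute"))
    return findings

# Constructed sample messages (not captures from the talk).
KNOWN = {"type": "3GPP-UTRAN-TDD", "utran-cell-id-3gpp": "00000001"}
REGISTER = ("REGISTER sip:open-ims.test SIP/2.0\r\n"
            "From: <sip:evil@open-ims.test>\r\n"
            "P-Visited-Network-ID: open-ims_fake.test\r\n"
            "Content-Length: 0\r\n\r\n")
INVITE = ("INVITE sip:alice@open-ims.test SIP/2.0\r\n"
          "X-Header: injected\r\n"
          "P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=0000ffff\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\na=file-selector:name:\"" + "A" * 300 + "\"\r\n")

if __name__ == "__main__":
    for msg in (REGISTER, INVITE):
        print(check_ue_message(msg, KNOWN))
```

Compact header forms are not handled here; a production rule set would normalise them before the whitelist lookup.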
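## IPTABLES ON ANDROID TO ROUTE TRAFFIC TO LAPTOP AND BACK
# Flush existing filter and NAT rules, then enable IPv4 forwarding
iptables -F
iptables -t nat -F
echo 1 > /proc/sys/net/ipv4/ip_forward
# IPv4 addresses of the phone's LTE (rmnet1) and Wi-Fi (wlan0) interfaces
RMNET=$(ip addr show dev rmnet1 | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}")
WLAN=$(ip addr show dev wlan0 | grep inet | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -v 255)
# IMS address and the laptop's address
IMS="10.0.0.1"
MITM="192.168.0.2"
# Redirect locally generated IMS traffic to the laptop via wlan0
iptables -t nat -A OUTPUT -d "$IMS" -j DNAT --to-destination "$MITM"
iptables -t nat -A POSTROUTING -o wlan0 -d "$MITM" -j SNAT --to-source "$WLAN"
# Traffic coming back from the laptop leaves towards the IMS over rmnet1
iptables -t nat -A POSTROUTING -o rmnet1 -s "$MITM" -d "$IMS" -j SNAT --to-source "$RMNET"
# List the resulting NAT rules
iptables -t nat -L -vn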
www.ernw.de
www.insinuator.net
Questions?
White paper: https://www.ernw.de/download/newsletter/ERNW_Whitepaper_60_Practical_Attacks_On_VoLTE_And_VoWiFi_v1.0.pdf
Thanks to Hendrik, my mentor.
@priyachalakkal