If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
Voice-over-LTE (VoLTE) is a newly adopted voice technology in the LTE network, whose functionality is similar to VoIP. Even though VoLTE works similar to VoIP, implementing it on the cellular network is not an easy problem because it needs many changes at each component of LTE. If these changes are not securely considered, this may lead to several security problems.
In the legacy 3G network, as data and voice are separate, the accounting policies are also different: data is charged based on byte usage, and voice, on time usage. However, in VoLTE, even though voice is delivered as a packet, it is still charged by time usage. Therefore, this strange accounting policy might open free data channels.
Another point is that voice signaling for VoLTE is not handled as in the legacy 3G network. Basically, a phone has two processors: an application processor (AP) which runs mobile OSes such as Android and a communication processor (CP) which manages digital signal processing and radio access. In 3G, voice signaling is handled in CP which makes an attacker hard to manipulate it. However, in VoLTE, because voice signaling is handled in AP, an attacker can easily analyze or modify the call flow. Furthermore, this new change can cause problems to the mobile OS.
To scrutinize these two points, we analyzed 5 operators, two in the U.S and three in South Korea. As a result, we found four free data channels. For free data channels, an attacker can inject data in the call signaling procedure or voice data transmission. Additionally, the attacker can freely send data to the Internet or to another phone in the cellular network through the VoLTE interface. Furthermore, we discovered five security problems which include no encryption of voice packets, no authentication of call signaling, no call session management, IMS bypassing, and permission model mismatch in Android. We responsibly disclosed all the vulnerabilities to US/KR CERTs and Google in May. We suggest mitigations for each vulnerability, and further propose possible attack vectors that researchers can study on.