search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Voice over LTE implementations contain multiple vulnerabilities

Vulnerability Note VU#943167

Original Release Date: 2015-10-16 | Last Revised: 2015-10-20

Overview

Long Term Evolution (LTE) mobile networks are currently deployed through the world. These LTE mobile networks make use of full packet switching and the IP protocol, unlike previous iterations of the mobile network. This change from circuit switching to packet switching allows new attacks not previously possible. Some implementations of LTE networks and mobile applications are currently vulnerable to several issues which may result in loss of privacy, incorrect billing, and data spoofing.

Description

Current LTE networks rely on packet switching, rather than the circuit switching of previous generations of the mobile network. The use of packet switching and the IP protocol (particularly the SIP protocol) may allow for new types of attacks not possible on previous generation networks. Such types of attacks are well-known in the security community; for example, see previous attacks against Voice over IP (VoIP).

The following is a list of vulnerabilities discovered by the security researchers in some current implementations of LTE networks. Note that every carrier has its own implementation, and may not be vulnerable to every issue listed below.

CWE-732: Incorrect Permission Assignment for Critical Resource

The Android operating system does not have appropriate permissions model for current LTE networks; the CALL_PHONE permission can be overruled with only the INTERNET permission by directly sending SIP/IP packets. A call made in such a manner would not provide any feedback to the user. Continually making such calls may result in overbilling or lead to denial of service.

Apple reports that iOS uses a different permission model and is not affected by this particular issue.

CWE-284: Improper Access Control

Some networks allow two phones to directly establish a session rather than being monitored by a SIP server, thus such communication is not accounted for by the provider. This may be used to either spoof phone numbers or obtain free data usage such as for video calls.

CWE-287: Improper Authentication

Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.

CWE-384: Session Fixation

Some networks allow a user to attempt to establish multiple SIP sessions simultaneously rather than restricting a user to a single voice session, which may lead to denial of service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.

Each provider/implementation of LTE may be vulnerable to one or more of the above issues.

More information is provided by Kim et. al. in their paper "Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-Implementations" presented at ACM CCS 2015.

Impact

A remote attacker on the provider's network may be able to establish peer-to-peer connections to directly retrieve data from other phones, or spoof phone numbers when making calls. A malicious mobile app for Android may be able to silently place phone calls without the user's knowledge.

Solution

The CERT/CC is currently unaware of a practical solution to these problems.

Each provider must apply updates to their own network as necessary to resolve these issues. However, each provider is vulnerable to a different subset of these issues, so the exact fixes and timelines vary between providers. Concerned customers should contact their service provider for more information.

Vendor Information

943167
Expand all

Google

Updated:  August 19, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

According to the reporter, Google is tracking this issue as it allows bypassing CALL_PHONE permissions in Android.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  August 31, 2015 Updated:  September 25, 2015

Statement Date:   September 24, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Apple does not believe iOS's permissions model is affected.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  May 21, 2015 Updated:  October 19, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The researchers strongly suspect AT&T to be vulnerable but have not currently conducted full tests.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TMobile

Notified:  May 21, 2015 Updated:  October 16, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The researchers identified T-Mobile has not utilizing session management, potentially opening up the network to denial of service and peer-to-peer direct communications.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Verizon

Notified:  May 21, 2015 Updated:  October 19, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The researchers identified Verizon as not utilizing session management, potentially opening up the network to denial of service and peer-to-peer direct communications. The researchers also identified that the Verizon network may be vulnerable to direct communications through the gateway, possibly allowing call spoofing.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 5.5 AV:N/AC:L/Au:S/C:N/I:P/A:P
Temporal 4.7 E:POC/RL:U/RC:UR
Environmental 4.7 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Hongil Kim Dongkwan Kim Minhee Kwon Hyungseok Han Yeongjin Jang Dongsu Han Taesoo Kim and Yongdae Kim for reporting this vulnerability and coordinating with vendors.

This document was written by Garret Wassermann.

Other Information

CVE IDs: None
Date Public: 2015-10-13
Date First Published: 2015-10-16
Date Last Updated: 2015-10-20 15:11 UTC
Document Revision: 75

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.