
Hackers Can Spoof Phone Numbers, Track Users via 4G VoLTE Mobile Technology


Batu69


World map of VoLTE deployment

 

A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries.

 

VoLTE stands for Voice Over LTE — where LTE stands for Long-Term Evolution and is a high-speed wireless communication for mobile phones and data terminals, based on older GSM technology.

 

In simpler terms, VoLTE is a mash-up between LTE, GSM, and VoIP, a technology used for Voice-over-the-Internet communications. The protocol rolled out in 2012 in South Korea and Singapore and has become very popular because it blends the benefits of old circuit-switched protocols (stability) with the benefits of modern IP protocols (call quality & speed).

 

Because VoLTE looks primed to spread to all operators across the globe, P1 Security experts have conducted an audit of this new technology. Their findings, documented in a research paper, reveal serious flaws that could be exploited by attackers only with an Android phone connected to a mobile network.

 

Researchers say they identified both "active" vulnerabilities (that require modifying special SIP packets) and "passive" vulnerabilities (that expose data via passive network monitoring or do not require any SIP packet modification). Below is a list summarizing the team's findings:

User enumeration using SIP INVITE messages

SIP (Session Initiation Protocol) INVITE messages are exchanged when phone calls via VoLTE are initiated, being the first messages exchanged (graph below on the page). These messages are the first ones sent from the caller to the callee, and the message passes through all the mobile networking equipment that supports the call.

 

Researchers say that an attacker on the same network can send modified SIP INVITE messages to brute-force the mobile provider and get a list of all users on its network.

Free data channel over SDP

As the vulnerability's name implies, this flaw allows a VoLTE customer to exchange data (phone calls, SMS, mobile data) via VoLTE networks without initiating the CDR module, responsible for billing.

SIP free data tunnel

 

There have been other researchers in the past who found free data channels in VoLTE networks, but their methods used a CDR bypass that relied on SIP and RTP (Real-time Transport Protocol) messages.

 

The method the P1 team discovered relies on attackers using SIP and SDP (Session Description Protocol) messages to create unmonitored data tunnels in VoLTE networks.

This could be an issue with lawful interception (surveillance) because it allows possible crime suspects a way to create covert data communications channels.

User identity spoofing through SIP INVITE message

Attackers can modify certain headers in SIP INVITE messages and place calls using another user's MSISDN (phone number).

Mobile networking equipment does not verify if the SIP INVITE header information is correct, taking the caller's identity at face value.

 

SIP MSISDN spoofing

 

Researchers warn that this is a "critical" issue that may result in attackers accessing another person's voice mail, or could cause problems for law enforcement monitoring criminals, who would be able to avoid surveillance by placing calls from another phone number.

 

Not mentioned by researchers, but a plausible scenario, is if tech support scammers would spoof the phone numbers of legitimate companies to call customers and obtain sensitive information such as passwords, card PINs, and others.

VoLTE equipment fingerprinting and topology discovery

This vulnerability allows an attacker to fingerprint network equipment of a target operator just by listening to VoLTE telephony traffic reaching an Android smartphone.

According to the research team, this finely detailed data about the mobile telco's network setup can be found in "200 OK" messages the phone receives when connecting to the mobile network.

 

Researchers recommend that mobile telcos sanitize the headers of "200 OK" messages and remove any equipment info that may allow an attacker to create a virtual map of its network. This information is dangerous because it allows threat actors to plan and carry out finely-tuned attacks against the mobile operator.

Leak of the victim's IMEI

Researchers discovered that by watching VoLTE traffic on an Android that's initiating a call, intermediary messages exchanged before establishing a connection reveal information about the callee (victim)'s IMEI number.

 

These intermediary messages are "183 Session Progress" SIP messages, and the diagram below shows their location in the normal progression of a VoLTE connection before the phone call is established.

 

Diagram of a VoLTE connection

 

Researchers say this attack doesn't require a phone call to be established, and miscreants can drop the call after they have collected the target's IMEI.

International Mobile Equipment Identity (IMEI) is a serial number unique to all mobile phones. They are unique per phone and are generally used to block (stolen) devices from accessing a mobile network.

Leak of the victim's personal information

Similarly to the attack above, researchers also discovered that the same "183 Session Progress" SIP messages can also leak more detailed information about victims.

This information is stored in another section of the "183 Session Progress" SIP message header and contains details about the victim's "UTRAN CellID", which is the unique identifier of a physical antenna the callee (victim) is using to receive the call.

 

In other words, attackers could initiate shadow calls, detect the victim's approximate location, and hang up before the phone call is established.

 

UTRAN CellID

 

For the latter two attacks, the research team recommends that mobile operators strip or sanitize these 183 SIP message headers, so they only reach the necessary equipment to support a call, and not the attacker's smartphone.

 

The team's research paper, entitled "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone" was presented last week at SSTIC (Symposium sur la Sécurité des Technologies de l'Information et des Communications), a security conference held each year in Rennes, France.

 

Article source

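Added example in Python, not from the article above or from P1 Security, illustrating two defensive points the post makes: the header sanitization the researchers recommend for "200 OK" and "183 Session Progress" responses before they reach the handset, and the checks a network could run on incoming INVITEs (caller identity bound to the registration, and bursts of INVITEs to many distinct callees that look like user enumeration). The SIP messages and the signalling log are constructed, and the header names (Server, User-Agent, P-Access-Network-Info, From) are assumptions about where the leaked data sits; the article names only the message types.

```python
"""Constructed SIP examples for the VoLTE post; header choices are assumptions."""
import re
from collections import defaultdict

# Headers to strip from responses before they leave the core toward the phone.
# Assumed carriers of the leaks the article describes: vendor banners in 200 OK,
# access-network (cell) identity in 183 Session Progress.
SENSITIVE_RESPONSE_HEADERS = {
    "200": {"server", "user-agent"},
    "183": {"p-access-network-info", "server", "user-agent"},
}

def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def sanitize_response(raw):
    """Drop headers that leak equipment or cell details from a SIP response.
    Requests (INVITE etc.) are returned untouched."""
    start, headers, body = parse_sip(raw)
    parts = start.split()
    if len(parts) < 2 or not parts[0].startswith("SIP/"):
        return raw
    to_strip = SENSITIVE_RESPONSE_HEADERS.get(parts[1], set())
    kept = [(n, v) for n, v in headers if n.lower() not in to_strip]
    rebuilt = "\r\n".join([start] + [f"{n}: {v}" for n, v in kept])
    return rebuilt + "\r\n\r\n" + body

MSISDN_RE = re.compile(r"(?:tel:|sip:)(\+?\d+)")

def caller_msisdn(raw_invite):
    """MSISDN asserted in the From header of an INVITE (None if absent)."""
    _, headers, _ = parse_sip(raw_invite)
    for name, value in headers:
        if name.lower() == "from":
            m = MSISDN_RE.search(value)
            return m.group(1) if m else None
    return None

def identity_matches(raw_invite, registered_msisdn):
    """The check the article says the network skips: the identity in the INVITE
    must equal the MSISDN bound to the sender's registration (assumed From header)."""
    return caller_msisdn(raw_invite) == registered_msisdn

def enumeration_suspects(invites, window_s=60, max_distinct=20):
    """Callers that INVITE more than max_distinct distinct callees within window_s.
    invites: iterable of (timestamp_s, caller, callee) taken from signalling logs."""
    by_caller = defaultdict(list)
    for ts, caller, callee in sorted(invites):
        by_caller[caller].append((ts, callee))
    suspects = set()
    for caller, events in by_caller.items():
        for i, (ts, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - ts <= window_s}
            if len(seen) > max_distinct:
                suspects.add(caller)
                break
    return suspects

# Constructed messages (not captured traffic).
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/UDP pcscf.example.net;branch=z9hG4bK-1\r\n"
    "Server: IMS-Core/1.0 (constructed banner)\r\n"
    "P-Access-Network-Info: 3GPP-UTRAN-TDD; utran-cell-id-3gpp=CONSTRUCTED\r\n"
    "Contact: <sip:callee@10.0.0.2>\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:+15550002@ims.example.net SIP/2.0\r\n"
    "From: <sip:+15550001@ims.example.net>;tag=abc\r\n"
    "To: <sip:+15550002@ims.example.net>\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed log: one caller sweeping 25 numbers in 25 s, one normal caller.
SAMPLE_INVITE_LOG = (
    [(t, "+15550099", f"+1555{1000 + t:04d}") for t in range(25)]
    + [(5, "+15550002", "+15551000"), (40, "+15550002", "+15551001"),
       (90, "+15550002", "+15551000")]
)

if __name__ == "__main__":
    print(sanitize_response(SAMPLE_183))
    print("identity ok:", identity_matches(SAMPLE_INVITE, "+15550001"))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_INVITE_LOG))
```

The sanitizer belongs at the edge element that hands responses to the handset, so the stripped headers still reach the core elements that need them; the enumeration threshold is a starting point to tune against the operator's real call-attempt distribution.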
7 hours ago, saeed_dc said:

VoWiFi should be better

 

Right, because it takes a real 6-year-old to hack WiFi. Everybody hacks WiFi; now there are devices the size of a cell phone that don't require the user to do anything but carry it. Devices with WiFi enabled always look for a network, so this device says "Here I am" and lets the device send its login and password to connect. Now the user has the SSID of the WiFi network and the login data, plus any other data that is sent, like automatic email logins, when WiFi is detected.

 

You really think that is more secure than the current system, which has only been hacked by a "team of researchers" under controlled conditions with no safeguards that would detect their hacking attempts and prohibit them? The thing you always have to remember is that any hack that isn't done in the wild isn't one that is likely to ever be done, because the set of "perfect conditions", in all probability, will never exist outside the lab.



8 hours ago, straycat19 said:

 

Right, because it takes a real 6 year old to hack WiFi.  Everybody hacks WiFi, now there are devices the size of a cell phone that don't require the user to do anything but carry it.  Devices with WiFi enabled always look for a network so this device says "Here I am" and lets the device send its login and password to connect.  Now the user has the SSID of the WiFi network and the login data, plus any other data that is sent, like automatic email logins, when WiFi is detected.

 

You really think that is more secure than the current system that has only been hacked by a "team of researchers" under controlled conditions with no safeguards that would detect their hacking attempts and prohibit them.  The thing you always have to remember is that any hack that isn't done in the wild isn't one that is likely to ever be done because the set of "perfect conditions", in all probability, will never exist outside the lab.

 

Everybody hacks WiFi? Only WPS-enabled WiFi routers are hacked easily (from a few seconds if the router uses the default PIN to a few hours if it doesn't).

 

With most people using WPA2-AES as their WiFi security, the only thing you can do, if you are so lucky, is to grab the WPA handshake, and yes, it can take even more than 6 years to decrypt it; even that requires you to have a network adapter with packet injection capabilities. Imagine if the user uses an 18-character password with upper case, lower case, numbers and symbols. lol, good luck WiFi hacking.
