ERNW White Paper 60

Practical Attacks on VoLTE and VoWiFi

Voice over LTE (VoLTE) and Voice over WiFi (VoWiFi) are variants of Voice over IP that make use of the IP Multimedia Subsystem (IMS) in their backend. In this paper, we identify five different attacks on VoLTE/VoWiFi. These mainly include (i) sniffing VoLTE/VoWiFi interfaces, (ii) extracting IPSec keys from the IP Multimedia Services Identity Module (ISIM) that is embedded within the SIM card, and (iii) performing three different kinds of injection attacks in the Session Initiation Protocol (SIP) headers that are used for VoLTE/VoWiFi signaling. As a result of VoLTE/VoWiFi sniffing, we identified information disclosures such as leaking the IMSI, IMEI, location of users and private IP of the IMS. We also managed to extract the ciphering key and the integrity key (CK/IK) used for IPSec from the ISIM with the help of a hardware device called SIMTrace [1]. We also discuss three different SIP header injection attacks that enable location manipulation and side channel attacks. It is important to note that all these attacks are valid on the current 3GPP standards that are used by telecom providers. Thus, understanding the attacks and mitigating them is of high relevance.