Hackers Can Spoof Phone Numbers, Track Users Via 4G VoLTE Mobile Technology (bleepingcomputer.com)

An anonymous reader writes: "A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries," reports Bleeping Computer. Researchers say they identified several flaws in the VoLTE protocol (a mixture of LTE and VoIP) that allow an attacker to spoof anyone's phone number and place phone calls under new identities, and extract IMSI and geo-location data from pre-call message exchanges. These issues can be exploited by both altering some VoLTE packets and actively interacting with targets, but also by passively listening to VoLTE traffic on an Android device. Some of these flaws don't even need a full call/connection to be established between the victim and the target for the data harvesting operation to take place. Additionally, another flaw allows users to make calls and use mobile data without being billed. The team's research paper, entitled "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone" was presented last week at SSTIC (Symposium sur la Securite des Technologies de l'Information et des Communications), a security conference held each year in Rennes, France.

38 comments

  1. Interested timing by houghi · · Score: 2

    Just now in the EU you need to register your pre-paid. It used to be that you could go to any store, buy a card and be done with it. In Belgium no phones are locked by law.
    Because of terrorism we now need to register to get your card activated. Not a real issue as everybody in Belgium already has an ID with chip. The idiots that blew themselves up in Brussels had heaps of phones and SIM cards and used each one only once and threw them away.

    At 20EUR for a combo of phone and SIM this was not overly expensive.

    Registering was to prevent this. So this will be a new loophole.

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re:Interested timing by Anonymous Coward · · Score: 1, Funny

      "InterestING timing"

      FTFY.

      In keeping with Slashdot commentary protocols, your minor spelling error has rendered your entire comment, including but not limited to any reasoning contained therein, null and void. Any and all conversational contributions you had hoped to make, whether with good intentions or mischievous, must now be expunged from your plans.

      Regards, AC

    2. Re:Interested timing by citizenr · · Score: 2

      You can buy ~$20 pre-registered SIMs in Poland. You can also register them yourself using a "third party"; all you need is a street bum and a bottle of vodka.

      --
      Who logs in to gdm? Not I, said the duck.
    3. Re:Interested timing by 110010001000 · · Score: 3, Interesting

      In the US you can just walk into a store and get a SIM without "registering". You mean in the EU you have to register it with a national ID? How backward!

    4. Re:Interested timing by Anonymous Coward · · Score: 0

      This hasn't been the case for a few years. They are supposed to be forcing you to purchase a SIM card with a credit or debit card, which has your name plus ZIP code on it. I'm sure some places will still sell them via cash, but there is supposed to be the additional paperwork if that happens..

    5. Re:Interested timing by OzPeter · · Score: 1

      Just now in the EU you need to register your pre-paid. It used to be that you could go to any store, buy a card and be done with it.

      Back in 2001 I had need to buy a pre-paid cell phone while working in Italy. This required an Italian resident to show his ID and effectively co-sign for the phone with me. And I can still remember all the paperwork that had to be filled out.

      --
      I am Slashdot. Are you Slashdot as well?
    6. Re:Interested timing by Anonymous Coward · · Score: 0

      What do you think they do with your SSN for post-paid plans in the U.S.? Or did you not know that it is the de facto national ID, required everywhere?

    7. Re:Interested timing by Anonymous Coward · · Score: 0

      Not a real issue as everybody in Belgium already has an ID with chip.

      That is the assumption, and because it's a standing assumption, you get fscked real hard if you somehow fail to live up to the assumption.

      Like your ID lapses and you go to fetch a new one, but the clerk at the office of fscking with citizens says "no". Happened to me, still not fixed. Of course, now it's my fault, though I've done nothing worse than hopping over to the bureaucrazy and asking them to revalidate my card.

      It is this sort of stupidity that slowly makes life unlivable for otherwise law-abiding citizens. Moreover, it does exactly nothing to deter a determined evildoer. So "no real issue" easily becomes a disaster for no gain. All it means is that you've let them increase the temperature a bit, mister Frog. Still comfy in your pan? Yes? Good. And for the next trick....

      The idiots that blew themselves up in Brussels had heaps of phones and SIM cards and used each one only once and trew them away.

      So the next bunch will use something else, like freshly stolen phones, or VoIP over wifi, or hand-held radios, or, well, this. Such improvement, many safer, wow.

    8. Re:Interested timing by thegarbz · · Score: 1

      You can buy SIMs now in America? Welcome to the 90s. When you catch up with the rest of the world you'll be registering them with IDs too ;-) And yes rest of the world. This policy isn't EU specific. It's scattered through countries but it's growing in popularity all over.

      Some governments think security is making sure terrorists need to hand over IDs when buying a SIM card. Others think it means checking in laptops and taking off shoes.

      It would seem that no country is quite immune from stupid.

    9. Re:Interested timing by Anonymous Coward · · Score: 0

      Speak for yourself - European here, I've never registered a SIM card.

    10. Re:Interested timing by ltcdata · · Score: 1

      If you travel to Belgium with a roaming-enabled prepaid SIM card from another country... you can do this anyway... registering the SIM will not stop terrorists...

    11. Re: Interested timing by Anonymous Coward · · Score: 0

      Sure my name is Prepaid Cardholder, zip code barely identifies where I live.

    12. Re: Interested timing by Anonymous Coward · · Score: 0

      I've been buying SIM cards at local bodega stores since 2002. In the US.

    13. Re: Interested timing by Anonymous Coward · · Score: 0

      Yep, buying SIMs wherever, whenever, without ID has been a thing ever since GSM was introduced in the States in the late 90s. Even without GSM, you could always buy a burner prepaid CDMA or TDMA phone from a big-box store with cash and activate it standalone by dialing 611.

      Getting a phone without ID is and always has been a non-issue. What good is ID, anyway...once you make one phone call to someone you know, the metadata outs you anyway.

    14. Re:Interested timing by houghi · · Score: 1

      This would not be possible in Europe due to the fact that credit card companies can not see your purchases. This is by law. They can see the type of store and guess what you bought, but will never be sure.
      e.g. If you use it at the supermarket they have no idea if you bought diapers or whiskey or both. The store itself will only have the transaction number and not hold the card number, so that would be an extra layer of problems.
      They would first need to ask the ISP, then ask the store and then ask the CC company.
      With registration, all they need is ask the ISP and they will have your national number and with that all the info they need.

      Want to develop software for the ID card reader in Belgium for Linux? No problem: https://github.com/fedict/eid-...

      To register all you need to do when you buy a card is put your card in the reader and they will have your details. You do not trust it? Well, read the code.
      It is very easy to program in a check to see if the card is valid, stolen or what not.
      Main downside is that every reader can read all the details. e.g. it will be able to read your address and there is no way to prevent that.

      I use it mainly to do my taxes. Put the card in the card reader on my Linux box, Click on OK a few times as they already have all the info and done. Taxes took me 10 minutes. 8 more than normal, because I forgot I had to re-install the software.

      --
      Don't fight for your country, if your country does not fight for you.
  2. VoLTE by Rekso · · Score: 1

    That is probably true.

  3. SS7 by Anonymous Coward · · Score: 1

    So something found the same SS7 flaws, but in the networks themselves? and not the protocol that interconnects them?

    1. Re:SS7 by Anonymous Coward · · Score: 5, Interesting

      LTE uses Diameter, but most SS7 attacks are also viable since the underlying messages and commands have identical functions (they have to, otherwise you can't interact with large parts of the telephone network).

      This paper describes something else. When you do a call over VoLTE you normally get a dedicated bearer (sort of like a VLAN over LTE) assigned to you to guarantee QoS. On many Android phones (the same holds for USB LTE modems) this interface becomes visible as a virtual IP-based network interface. The VoLTE stack will then set up IPsec on this interface if requested by the network, and finally initiate a SIP/RTP session through it for handling the actual call. They say that a user with root access can, for example, run tcpdump on this interface and eavesdrop on the call. This in itself is not surprising and cause for concern; with root access to the phone you can record directly from the microphone after all.

      More surprising is that they tested some of the SIP servers and that they were poorly secured, being vulnerable to well known SIP attacks: user enumeration, source spoofing and data tunneling (clever...). They also discovered a lot of data leakage in optional headers and protocol ids, including the IMEI and serving cell of the remote party.

      I have heard, but have no direct information, that many of these IP bearer based services are almost directly connected to the operator's IP core network (firewalling is not supported by many access network components, you would need to add it externally), and thus that traditional software exploitation may work.
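      The pre-call leak described in the comment above, as an added example that is not part of the original thread and not P1 Security's tooling: a short Python parser that pulls out of one captured SIP 183 Session Progress what a caller learns about the callee before the call is even answered. The message is constructed and every number, host and tag in it is made up; the header layout it assumes (IMEI carried as a urn:gsma:imei in Contact's +sip.instance parameter, IMSI as the Contact user part, serving cell as utran-cell-id-3gpp in P-Access-Network-Info with an MCC/MNC/TAC/ECI layout) is an assumption about how a given operator populates these optional headers, not something the paper or this thread specifies.

```python
import re


# Constructed sample: a SIP 183 Session Progress as the calling UE could
# receive it on the IMS signalling bearer before the callee picks up.
# Every number, host and tag below is made up for the example.
SAMPLE_183 = (
    "SIP/2.0 183 Session Progress\r\n"
    "Via: SIP/2.0/UDP [2001:db8::1]:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:+32400000001@ims.mnc001.mcc206.3gppnetwork.org>;tag=1928301774\r\n"
    "To: <sip:+32400000002@ims.mnc001.mcc206.3gppnetwork.org>;tag=a6c85cf\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:206010000000002@[2001:db8::2]:5060>;"
    '+sip.instance="<urn:gsma:imei:00000000-000000-0>"\r\n'
    "P-Asserted-Identity: <sip:+32400000002@ims.mnc001.mcc206.3gppnetwork.org>\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=206011F2A00ABC01\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(msg: str) -> dict:
    """Map lower-cased header name -> value for one SIP message (no header
    folding, no compact forms; enough for a capture like the sample)."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def decode_eutran_cell_id(value: str) -> dict:
    """Split a utran-cell-id-3gpp value reported for an E-UTRAN access type.

    Assumed layout: MCC (3 digits), MNC (2 or 3 digits), TAC (4 hex digits),
    ECI (7 hex digits); the 28-bit ECI is a 20-bit eNodeB id followed by an
    8-bit cell id. The MNC length is inferred from the total length.
    """
    if len(value) == 16:
        mnc_len = 2
    elif len(value) == 17:
        mnc_len = 3
    else:
        raise ValueError(f"unexpected utran-cell-id-3gpp length {len(value)}")
    mcc, mnc = value[:3], value[3:3 + mnc_len]
    tac = int(value[3 + mnc_len:7 + mnc_len], 16)
    eci = int(value[7 + mnc_len:], 16)
    return {"mcc": mcc, "mnc": mnc, "tac": tac, "eci": eci,
            "enb_id": eci >> 8, "cell_id": eci & 0xFF}


def leaked_identifiers(msg: str) -> dict:
    """Collect what the caller learns about the callee from one 183: IMEI
    (+sip.instance on Contact), IMSI (Contact user part), the asserted
    identity, and the serving cell from P-Access-Network-Info."""
    h = parse_headers(msg)
    found = {}
    contact = h.get("contact", "")
    m = re.search(r"urn:gsma:imei:(\d{8}-\d{6}-\d)", contact)
    if m:
        found["imei"] = m.group(1)
    m = re.search(r"sip:(\d{15})@", contact)
    if m:
        found["imsi"] = m.group(1)
    m = re.search(r"<sip:([^@>]+)@", h.get("p-asserted-identity", ""))
    if m:
        found["asserted_identity"] = m.group(1)
    pani = h.get("p-access-network-info", "")
    m = re.search(r"utran-cell-id-3gpp=([0-9A-Fa-f]+)", pani)
    if m:
        found["access_type"] = pani.split(";")[0].strip()
        if found["access_type"].startswith("3GPP-E-UTRAN"):
            found["cell"] = decode_eutran_cell_id(m.group(1))
        else:
            found["cell"] = {"raw": m.group(1)}   # UTRAN/GERAN layouts differ
    return found


if __name__ == "__main__":
    for key, value in leaked_identifiers(SAMPLE_183).items():
        print(f"{key}: {value}")
```

      Fed with the signalling side of a tcpdump on the IMS bearer, this is what the paper's pre-call geolocation comes down to: if the operator's core copies the callee's P-Access-Network-Info into the response, the caller is told which eNodeB and cell the victim's handset is camped on, and the IPsec tunnel does nothing about it, since it only protects the hop between the UE and the P-CSCF. Any of these headers surviving past the session border controller is a finding in its own right.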

  4. "Hackers Can Spoof Phone Numbers" by nospam007 · · Score: 1, Flamebait

    No shit, Sherlock. They have been doing that for decades, not only this way.

  5. 3G elements no TLS by johnjones · · Score: 5, Informative

    so basically the VoLTE spec doesn't see the point in protecting the SIP call correctly and allows anyone on their network to place SIP calls

    "Depending on the network operator's architecture, IPsec tunnels between the UE and the IMS core network will be set up. In this case, we need to inject data directly into this existing IPsec tunnel, typically, when we want to test active vulnerabilities and replay traffic. The easiest way to achieve this is to reuse an existing socket used by a legitimate IMS service on Android. Reusing this socket will permit to inject traffic inside the IPsec tunnel, as the association already was established by the Linux Kernel IPsec stack (Netkey)."

    At least they use IPSec but honestly they do not check the keys... deploying all the keys is going to be a major headache, and you have to trust a CA not to screw up...

    The solution is to deploy your keys using DANE and DNSsec, most operators are using IPv6 and DNSsec so its not much of a deployment stretch

    they also complain that the " utran-cell-id-3gpp value of UE-victim received in SIP 183 Session Progress response" honestly yes if you secured the tunnel then it would not matter

    So in conclusion what they are saying is they can do MITM attacks because the operator does not authenticate correctly the IPsec tunnel and trusts all data sent...

    the old Russian Proverb "trust but verify" no problem with the SIP just the verification plus tunnel and keys...

    I wonder how much money consulting these guys make for setting up a MITM attack... good luck to them

    regards

    John Jones

    1. Re:3G elements no TLS by Anonymous Coward · · Score: 0

      > they also complain that the " utran-cell-id-3gpp value of UE-victim received in SIP 183 Session Progress response" honestly yes if you secured the tunnel then it would not matter

      They are saying this info is provided to the caller. A secure tunnel only prevents eavesdropping, not someone with valid credentials actively abusing the network (It doesn't take much to become a legitimate user on a network). So I'd say it does matter

    2. Re:3G elements no TLS by Anonymous Coward · · Score: 0

      Because getting your never seen keys from a centrally controlled and easy as fuck to coerce service is perfectly secure.

      Meanwhile this attack was about what again? Oh right a supposedly secure channel being compromised by getting root access on the device, and then using said root access to remotely attest that the device is a different device. So the user knows nothing about the keys they were given, cannot tell if they changed, and it's all pointless anyway because the standard depends on remote attestation (a.k.a the honor system) to confirm identity.

      Unless your scheme makes those keys only usable with a locally stored device specific key, your plan is foiled. Nevermind that if you did that, you wouldn't need to distribute keys in the first place, and you still would need to fix the authentication.

      Of course from the macro standpoint, the whole "problem" was devices being used to activate the most cowardly of weapons, and even bigger cowards losing their shit over it and demanding a solution that is actually less secure than the current one. (How would you confirm the ID of the caller? The device may be authentic, but if it's jacked during a bombing by a terrorist, all the cops will find is a victim of a mugging and bombing. More importantly how do you prevent the call from being made? Require registration of every number you intend to call with the state before you can actually call them? Now the cops will find the victim of a mugging, bombing, and attempted murder via threat of lethal force. (A.k.a. *Points gun* "You'll authorize our bomb's number if you want you and your friend / family member / spouse / kid / pet / etc. to live.") Don't think so? They are already committing a terrorist act, what the fuck makes you think that adding mugging / attempted murder / theft / etc. to that already long list of charges and mandatory life sentences is going to change their minds??????)

  6. Backward? Forward? by Anonymous Coward · · Score: 0

    > How backward!

    Unfortunately, it seems "forward" nowadays.

    It's something the liberal-authoritarians have been wet-dreaming about for quite a while (remember the Clipper Chip? A liberal-authoritarian wet dream too, btw.)

    It is as if they *had* to invent the IS on the one side and the identitaries on the other: now we have liberty for the money, authoritarianism for the people. A political squaring of the circle, if you want.

    Well done :-(

    1. Re:Backward? Forward? by Anonymous Coward · · Score: 0

      "It's something the liberal-authoritarians have been wet-dreaming about..."

      It's maybe more rich authoritarians, liberal *and* conservative.

  7. Backdoor anyone by Anonymous Coward · · Score: 0

    So Chinese found a Five Eyes backdoor, uh, unintended flaw

  8. Re: TROOL3KORE by Anonymous Coward · · Score: 0

    I think you need immediate medical attention

  9. Good thing it's only "hackers". by Anonymous Coward · · Score: 0

    There's but a scant few of those. Nobody else would dare, even if they could. Amirite?

  10. How's this news? by bobbied · · Score: 2

    You still are going to require a valid SIM card and/or the carrier's encryption keys to get on their network....

    But this is not in any way new...

    1. Cloning a phone/SIM has been done for decades and is a common way of "stealing" services.

    2. Messing with the SS7 ISUP portion of a call setup allows the spoofing of callerID information, again a technique that's been used nearly as long as SS7 has.

    3. Remember those "Stinger" devices the government uses to intercept phone calls? Everything you need to spoof a call is in there, and you are not foolish enough to think only the government has them right?

    So how's this news? It's like somebody trying to protect a patent for a rectangular handheld computing device with rounded corners.... Well Duh? How's that innovative or new?

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:How's this news? by Anonymous Coward · · Score: 0

      There is the possibility of doing 911/112 calls over VoLTE without a simcard. This would potentially give you access without supplying any information about the handset. The network will likely ask the IMEI and attempt to do active location detection, but you can reply bogus data. The passive localization ('ANYTIME_INTERROGATION') will still yield your location to ~100m or so.

    2. Re:How's this news? by scdeimos · · Score: 1

      So how's this news? It's like somebody trying to protect a patent for a rectangular handheld computing device with rounded corners.... Well Duh? How's that innovative or new?

      Something that is news is that you can capture the IMEI of the remote devices that you're calling, without even completing a call. That's something that shouldn't be leaking out of a carrier's network. An attacker could bulk dial many numbers on a network to gather their IMEIs which, since they know what number they called to get each IMEI, could be sold together for nefarious purposes.

    3. Re:How's this news? by Anonymous Coward · · Score: 0

      3. Yes, only the government has them?

      Not really, but I guess the carriers provide them with set up data, keys or what it is that is needed, if not the hardware itself to do the stuff (otherwise I don't know what SS7 means)

      Other than the Stingrays or Stingers, is 2G GSM still rather uncompromised to this day? while VoLTE appears to be a bit fucked up. Is 2G the "JPEG" of wireless networks?
      If say it gets wholly fucked up next year, what should we move to, UMTS phone calls?

  11. If it hurts profits... by Videospike · · Score: 1

    ...it will be fixed quickly.
    "Additionally, another flaw allows users to make calls and use mobile data without being billed."
    Free use of services by customers is what keeps telecom execs up at night. Well, that and being vampires.

  12. Bit skeptic by Anonymous Coward · · Score: 0

    The success of such an attack depends on the Session Border Controller, P-CSCF, ATCF, SCC-AS, MMTel-AS etc. implementation. E.g. P-Asserted-Identity is not likely to be accepted from the user, but generated according to data from the HSS (P-CSCF probably). And From is overwritten with that data, too (unless CLIR is used, but that is not relevant). ASs are often B2BUAs, maybe hiding routing headers, and optionally P-Access-Network-Info.

    SDP can be used to transmit data, but often limited to a couple of kBs. Certainly, it can be used instead of text messaging, but you cannot send a million INVITEs without being banned.

    So I am a bit skeptic

    1. Re:Bit skeptic by Anonymous Coward · · Score: 0

      So I am a bit skeptic

      Don't be a bit skeptic. The internet runs on bits, they totally exist.
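  The edge-side sanitisation the "Bit skeptic" comment describes (P-Asserted-Identity generated from HSS data rather than accepted from the user, From overwritten, a B2BUA hiding P-Access-Network-Info), which is also the counterpart to the header leak discussed in the SS7 thread above, as an added example that is not part of the original thread and not any vendor's P-CSCF code: a Python model of the two scrubs run over a constructed spoofed INVITE. The message, every number in it and the AUTHENTICATED_IMPU value are made up; the registered identity is passed in as a parameter, standing in for what the edge learned from the HSS when this subscriber registered with IMS.

```python
import re


# Constructed INVITE as a subscriber with a rooted phone might inject into
# the IMS signalling bearer, claiming another number in From and in
# P-Asserted-Identity. Every number, host and tag is made up.
SPOOFED_INVITE = (
    "INVITE sip:+32400000002@ims.mnc001.mcc206.3gppnetwork.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [2001:db8::2]:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:+32400000099@ims.mnc001.mcc206.3gppnetwork.org>;tag=spoof1\r\n"
    "To: <sip:+32400000002@ims.mnc001.mcc206.3gppnetwork.org>\r\n"
    "Call-ID: 7d4f2c@[2001:db8::2]\r\n"
    "CSeq: 1 INVITE\r\n"
    "P-Asserted-Identity: <sip:+32400000099@ims.mnc001.mcc206.3gppnetwork.org>\r\n"
    "P-Preferred-Identity: <sip:+32400000099@ims.mnc001.mcc206.3gppnetwork.org>\r\n"
    "Contact: <sip:206010000000001@[2001:db8::2]:5060>;"
    '+sip.instance="<urn:gsma:imei:00000000-000000-0>"\r\n'
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD; utran-cell-id-3gpp=206011F2A00ABC01\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Identity the edge learned at registration (in a real network: the IMPU
# bound to the authenticated IMPI, from the HSS). Hypothetical value.
AUTHENTICATED_IMPU = "sip:+32400000001@ims.mnc001.mcc206.3gppnetwork.org"

# Headers whose value, when it comes from the UE, is a claim and not a fact.
UNTRUSTED_FROM_UE = {"p-asserted-identity", "p-preferred-identity"}


def split_message(msg: str):
    """Return (start line, ordered [(name, value)], body) for one SIP message."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(start_line: str, headers, body: str) -> str:
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def assert_identity_at_edge(msg: str, authenticated_impu: str) -> str:
    """Make the identity the core and the callee see the registered one,
    whatever the UE wrote: drop UE-supplied P-Asserted/P-Preferred-Identity,
    overwrite the From URI (keeping its tag so the dialog still matches),
    then add a P-Asserted-Identity the rest of the core can trust."""
    start, headers, body = split_message(msg)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname in UNTRUSTED_FROM_UE:
            continue
        if lname == "from":
            m = re.search(r";tag=([^;]+)", value)
            value = f"<{authenticated_impu}>" + (f";tag={m.group(1)}" if m else "")
        kept.append((name, value))
    kept.append(("P-Asserted-Identity", f"<{authenticated_impu}>"))
    return join_message(start, kept, body)


def hide_subscriber_data(msg: str) -> str:
    """B2BUA-style scrub before a message crosses toward the other party:
    remove P-Access-Network-Info (serving cell) and the +sip.instance
    parameter on Contact (IMEI); both describe this subscriber's radio
    attachment and handset and have no business reaching a peer."""
    start, headers, body = split_message(msg)
    kept = []
    for name, value in headers:
        lname = name.lower()
        if lname == "p-access-network-info":
            continue
        if lname == "contact":
            value = re.sub(r';\+sip\.instance="[^"]*"', "", value)
        kept.append((name, value))
    return join_message(start, kept, body)


def header(msg: str, name: str):
    """Value of the first header called `name`, or None if absent."""
    for n, v in split_message(msg)[1]:
        if n.lower() == name.lower():
            return v
    return None


if __name__ == "__main__":
    print(hide_subscriber_data(assert_identity_at_edge(SPOOFED_INVITE, AUTHENTICATED_IMPU)))
```

  Two things the comment mentions are deliberately left out of the model: CLIR (a Privacy header asking that the asserted identity not be shown to the callee) and the legitimate use of P-Preferred-Identity, which a UE with several registered public identities may send to choose one; a real P-CSCF honours it only when it names one of that subscriber's registered IMPUs, where this model just drops it. The point that survives the simplification is the one the skeptic makes: whether number spoofing works depends entirely on whether the first network element that sees the UE's traffic does this rewrite, and whether the AS path strips the access-network headers before they reach the far end.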