Hackers Can Spoof Phone Numbers, Track Users Via 4G VoLTE Mobile Technology (bleepingcomputer.com)
An anonymous reader writes: "A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries," reports Bleeping Computer. Researchers say they identified several flaws in the VoLTE protocol (a mixture of LTE and VoIP) that allow an attacker to spoof anyone's phone number and place phone calls under new identities, and extract IMSI and geo-location data from pre-call message exchanges. These issues can be exploited by both altering some VoLTE packets and actively interacting with targets, but also by passively listening to VoLTE traffic on an Android device. Some of these flaws don't even need a full call/connection to be established between the victim and the target for the data harvesting operation to take place. Additionally, another flaw allows users to make calls and use mobile data without being billed. The team's research paper, entitled "Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone" was presented last week at SSTIC (Symposium sur la Sécurité des Technologies de l'Information et des Communications), a security conference held each year in Rennes, France.
In the US you can just walk into a store and get a SIM without "registering". You mean in the EU you have to register it with a national ID? How backward!
LTE uses Diameter, but most SS7 attacks are also viable since the underlying messages and commands have identical functions (they have to, otherwise you can't interact with large parts of the telephone network).
This paper describes something else. When you do a call over VoLTE you normally get a dedicated bearer (sort of like a VLAN over LTE) assigned to you to guarantee QoS. On many Android phones (the same holds for USB LTE modems) this interface becomes visible as a virtual IP-based network interface. The VoLTE stack will then set up IPsec on this interface if requested by the network, and finally initiate a SIP/RTP session through it for handling the actual call. They say that a user with root access can, for example, run tcpdump on this interface and eavesdrop on the call. This in itself is neither surprising nor cause for concern; with root access to the phone you can record directly from the microphone after all.
More surprising is that they tested some of the SIP servers and that they were poorly secured, being vulnerable to well known SIP attacks: user enumeration, source spoofing and data tunneling (clever...). They also discovered a lot of data leakage in optional headers and protocol ids, including the IMEI and serving cell of the remote party.
I have heard, but have no direct information, that many of these IP bearer based services are almost directly connected to the operator's IP core network (firewalling is not supported by many access network components, you would need to add it externally), and thus that traditional software exploitation may work.
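The header leakage the comment above describes (IMEI and serving cell of the remote party, IMSI in pre-call exchanges), as an added example that is not from the paper, the thread or P1 Security: a small audit that lists the identifiers a VoLTE INVITE would expose to the far end, and the stripping a border element should apply before forwarding. The header names are standard IMS headers (P-Access-Network-Info, the IMEI instance-id URN, the IMSI-derived private identity); the INVITE and every number in it are constructed.

```python
import re
# IMS headers (RFC 7315, 3GPP TS 24.229) that expose cell, network or handset identity.
PRIVATE_HEADERS = {"p-access-network-info", "p-visited-network-id", "user-agent"}
IMEI_URN = re.compile(r"urn:gsma:imei:[0-9-]+", re.I)  # RFC 7254 device instance id
IMSI_URI = re.compile(r"sip:\d{15}@ims\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org", re.I)
SAMPLE_INVITE = (  # constructed sample, not captured traffic; every number is a dummy
    "INVITE sip:+15555550100@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.2;branch=z9hG4bK77\r\n"
    "From: <sip:+15555550199@example.net>;tag=1\r\n"
    'Contact: <sip:10.0.0.2>;+sip.instance="<urn:gsma:imei:00000000-000000-0>"\r\n'
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;\r\n"
    " utran-cell-id-3gpp=262010000ABCDEF\r\n"  # folded continuation line
    "P-Preferred-Identity: <sip:262010000000001@ims.mnc001.mcc262.3gppnetwork.org>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(msg):
    """Return (name, value) pairs from the header block, unfolding continuations."""
    headers = []
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        if line[:1] in " \t" and headers:  # folded line continues the previous header
            name, val = headers[-1]
            headers[-1] = (name, val + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val.strip()))
    return headers

def find_leaks(msg):
    """Describe every subscriber or device identifier the message would expose."""
    findings = []
    for name, val in parse_headers(msg):
        if name.lower() in PRIVATE_HEADERS:
            findings.append(f"{name}: {val}")
        if IMEI_URN.search(val):
            findings.append(f"{name}: IMEI instance id")
        if IMSI_URI.search(val):
            findings.append(f"{name}: IMSI-based private identity")
    return findings

def strip_private_headers(msg):
    """Drop PRIVATE_HEADERS (folded lines included) and mask the IMEI URN."""
    head, sep, body = msg.partition("\r\n\r\n")
    kept, skipping = [], False
    for i, line in enumerate(head.split("\r\n")):
        if i and line[:1] not in " \t":  # a new header decides whether to skip
            skipping = line.split(":", 1)[0].strip().lower() in PRIVATE_HEADERS
        if not (i and skipping):
            kept.append(IMEI_URN.sub("urn:gsma:imei:redacted", line))
    return "\r\n".join(kept) + sep + body
```

The remaining finding after stripping (the IMSI-derived P-Preferred-Identity) is left on purpose: it is the network's job to replace it with the public identity rather than a border element's job to delete it.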