Researchers hack VoLTE, get free data


Researchers have discovered they can hack voice over LTE implementations on two tier-one mobile carrier networks, gaining access to free data usage or shutting down voice or data access for another user.

recently published paper (pdf) by academics at the University of California Los Angeles, The Ohio State University and Shanghai Jiao Tong University in China outlines a number of vulnerabilities on the device, chipset and network level that made VoLTE hackable, concluding that the “device OS and chipset fail to prohibit non-VoLTE apps from accessing and injecting packets into VoLTE control and data planes. The network infrastructure also lacks proper access control and runtime check.

“Our study stems from a simple rule of thumb in that any major change is probably a source for insecurity,” the researchers wrote. “With the nontrivial changes from [circuit-switched] to [packet-switched] in its core technology, VoLTE may interfere with other system components, thereby inducing new loopholes.”

Security for VoLTE, and LTE in general, has been on the telecom industry radar for some time, with other vulnerabilities identified – such as LTE’s vulnerability to either intentional or un-intentional radio jamming, as explored by Virginia Tech (paper abstract here; or watch a keynote on the topic from the 2015 LTE Innovation Summit).

“The mobile broadband industry’s rapid migration to LTE has opened the door to malicious and non-malicious threats due to fundamental vulnerabilities in the all-IP LTE architecture,” said Stéphane Téral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research, in a statement on the topic as a research focus last year.

The UCLA researchers started their VoLTE hack attempt with three hypotheses in mind:

  • That “identical, PS-based operations for voice and data may open the door to run data over VoLTE.”
  • Because IP forwarding is accessible by the mobile operating systems, VoLTE fundamentally “extends the rigid CS access within the device chipset (hardware), to the more open PS access in software (OS and mobile apps)” and “invalidates the existing protection mechanisms and security defenses for traditional voice.”
  • VoLTE gets prioritized resource allocation, and that “may inadvertently act as the side-channel to leak critical information.”
  • The researchers set up scenarios in which a mobile user on a commodity smartphone with full programmability attacked another mobile user – noting that in their set-up, the attacker has no control over the carrier network and no special privileges on the targeted device, although malware was used to facilitate the denial of voice and data service attacks and the overbilling scenario – perhaps not a far stretch, considering the prevalence of mobile malware. They did ultimately find “the mobile technology standards, the device OS and hardware and the network operations all contribute to the security weakness.”

    Some interesting inherent features of VoLTE are outlined and leveraged by the researchers, including the fact VoLTE is not restricted to voice in operation – it can carry any packet-switched data on the control plane, so the hack tricked VoLTE into enabling two varieties of mobile-to-Internet and mobile-to-mobile data. This, they said, meant either the attacker got free data access or caused a victim to be overbilled, while also hijacking VoLTE’s high priority quality of service in the network.

    The researchers suggested several fixes to the vulnerabilities that they found, including having 4G gateways “enforce strict routing regulation for each bearer;” that operators end “free-signaling policy and charges signals similar to data traffic,” which would require changes and upgrades to billing systems; and put in safeguards that make sure only authentic VoLTE traffic gets priority. On the device side, their suggestions included only allowing dialer apps to access the VoLTE interface and having implementing stringent access control via device chipsets.

    They added they have been working with carriers and a major chipset vendor to address the vulnerabilities, and some of them have already been fixed.

    About Author

    Kelly Hill

    Editor, Big Data, Analytics, Test & Measurement
    Kelly Hill currently reports on network test and measurement, as well as the use of big data and analytics. She first covered the wireless industry for RCR Wireless News in 2005, focusing on carriers and mobile virtual network operators, then took a few years’ hiatus and returned to RCR Wireless News to write about heterogeneous networks and network infrastructure. Kelly is an Ohio native with a masters degree in journalism from the University of California, Berkeley, where she focused on science writing and multimedia. She has written for the San Francisco Chronicle, The Oregonian and The Canton Repository. Follow her on Twitter: @khillrcr