Zhiwei Cui,Baojiang Cui,Junsong Fu,Renhai Dong

DOI: https://doi.org/10.1155/2022/7395128

IF: 1.968

2022-09-05

Security and Communication Networks

Abstract:With the rapid development of 5G SA (standalone) networks, increasing subscribers are motivated to make calls through 5G. To support voice services critical to mobile users, 5G SA networks adopt two solutions: VoNR (Voice Over New Radio) and EPS (Evolved Packet System) fallback. At this stage, 5G SA networks provide voice services through EPS fallback, which leverages 4G networks to support voice calls for 5G users. This switch between cellular network systems may expose vulnerabilities to adversaries. However, there is a lack of security research on voice services in the 5G SA network. In this paper, we analyze the security of EPS fallback and its closely related IMS from the perspective of the protocol and the practices of the carriers. We uncover two protocol design vulnerabilities and two implementation flaws. In addition, we exploit them to design three attacks: voice DoS, voice monitoring, and SMS spoofing and interception. We validated these vulnerabilities and attacks using SDR (software-defined radio) tools and a set of open-source software in three mobile carriers. Our analysis reveals that the problems stem from both specifications and carrier networks. We finally propose several potential countermeasures to defend these attacks.

computer science, information systems,telecommunications

Tian Xie,Guan-Hua Tu,Bangjie Yin,Chi-Yu Li,Chunyi Peng,Mi Zhang,Hui Liu,Xiaoming Liu

DOI: https://doi.org/10.48550/arXiv.1811.11274

2018-11-29

Abstract:Since 2016, all of four major U.S. operators have rolled out nationwide Wi-Fi calling services. They are projected to surpass VoLTE (Voice over LTE) and other VoIP services in terms of mobile IP voice usage minutes in 2018. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS (IP Multimedia Subsystem) technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrustful Wi-Fi networks and the Internet. This exposure to insecure networks may cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA (Authentication and Key Agreement), IPSec (Internet Protocol Security), etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first study of exploring security issues of the operational Wi-Fi calling services in three major U.S. operators' networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips. By exploiting the vulnerabilities, together with several state-of-the-art computer visual recognition technologies, we devise two proof-of-concept attacks: user privacy leakage and telephony harassment or denial of voice service (THDoS); both of them can bypass the security defenses deployed on mobile devices and the network infrastructure. We have confirmed their feasibility and simplicity using real-world experiments, as well as assessed their potential damages and proposed recommended solutions.

Cryptography and Security

Zishuai Cheng,Mihai Ordean,Flavio Garcia,Baojiang Cui,Dominik Rys

DOI: https://doi.org/10.56553/popets-2023-0053

2023-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:Voice over LTE (VoLTE) and Voice over NR (VoNR), are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.

English Else

Guan-Hua Tu,Chi -Yu Li,Chunyi Peng,Zengwen Yuan,Yuanjie Li,Xiaohu Zhao,Songwu Lu

DOI: https://doi.org/10.1145/2873587.2873604

2016-01-01

Abstract:VoLTE is the designated voice solution to the LTE network. Its early deployment is ongoing worldwide. In this work, we report an assessment on VoLTE. We show that VoLTE offers no categorically better quality than popular VoIP applications in all tested scenarios except some congested scenarios. Given the high cost on infrastructure upgrade, we argue that VoLTE, in its current form, might not warrant the deployment effort. We sketch VOLTE*, a lightweight voice solution from which all parties of users, LTE carriers, and VoIP service providers may benefit.

Na Ruan,Qi Hu,Lei Gao,Haojin Zhu,Qingshui Xue,Weijia Jia,Jingyu Cui

DOI: https://doi.org/10.1109/glocom.2016.7841555

2016-01-01

Abstract:With rapid growth of LTE network and Voice-over-LTE(VoLTE), detecting and preventing security threats like Denial of Service attack becomes a necessary and urgent requirement. VoLTE is an voice solution based on Internet Protocol and 4G LTE technology, at the same time exposing many vulnerabilities when using packet-switched network. There are many heavy weighted detection systems using content analysis, while high demands of computing resource constraint their practical use. In this paper, we purpose a lightweight detection scheme for VoLTE network security, based on analysis of data traffic flow. To optimize parameters in our scheme, we formulate a Bayesian game model. Bayesian game has the features of incomplete information and asymmetry, similar to practical attack-defense model. Besides, The dynamic Bayesian game is more realistic, since both sides can update believes about their opponents. Simulation results provide some guidances on parameter selection, as well as verifying the superiority of our scheme.

Yaru Yang,Yiming Zhang,Tao Wan,Chuhan Wang,Haixin Duan,Jianjun Chen,Yishen Li

DOI: https://doi.org/10.1145/3643833.3656131

2024-01-01

Abstract:5G messaging services, based on Global System for Mobile Communications Association (GSMA) Rich Communication Service (RCS) and 3rd Generation Partnership Project (3GPP) IP Multimedia Subsystem (IMS), have been deployed globally by more than 90 mobile operators serving over 421 million monthly active users via 1.2 billion devices. Despite the widespread use, security research of 5G messaging remains sparse. In this paper, we present a comprehensive security analysis and measurement of 5G messaging services, assisted by a semi-automated testing tool we developed. We considered both carrier-side deployment and phone-side software implementations by testing against three large operators, each with hundreds of millions of subscribers, and six popular 5G messaging-enabled devices. We uncovered 4 categories of vulnerabilities, allowing for a wide range of attacks, including Man-In-The-Middle (MITM) attacks, zero-click remote information leakage, phone storage exhaustion and mobile data consumption, and Denial-of-Services (DoS) attacks. Our study underscores the need for further security enhancements in security specifications, implementation, and deployment of 5G messaging services.

Shen Zhang,Lu Zhou,MingLi Wu,Zhushou Tang,Na Ruan,Haojin Zhu

DOI: https://doi.org/10.1109/vtcfall.2016.7880916

2016-01-01

Abstract:Due to the worldwide deployment of Long Term Evolution (LTE), the fourth-generation (4G) mobile cellular networking technology, Voice over LTE (VoLTE) [2] has been also well developed in past few years. It exploits packet-switched network to provide call services instead of the traditional circuit-switched telephony. Similar to the Voice over IP (VoIP), VoLTE adopts Session Initiation Protocol (SIP) to achieve some control functions. Therefore, it means attack techniques against the SIP will also be effective against VoLTE devices.In this paper, we propose a novel device-side SIP-aware detecting system against two kinds of SIP attacks, SIP message flooding attack and malformed SIP message attack. To detect the message flooding attack, we set threshold for the traffic of SIP message received from VoLTE interface within one minute. And for the malformed message attack, we provide the structure and formalization rules of SIP messages to detect malformed SIP messages by utilizing ontology descriptions.This paper presents the design and implementation of this detecting system. The simulation test shows that this system will improve the security level of VoLTE service in real applications.

Yuwei Zheng,Lin Huang,Haoqi Shan,Jun Li,Qing Yang,Wenyuan Xu

DOI: https://doi.org/10.1109/CNS.2017.8228629

2017-01-01

Abstract:LTE is a globally deployed standard. CSFB (Circuit Switched Fallback) is one of the major voice solutions in LTE network. We found one vulnerability in CSFB where the authentication step is missing. This allows an attacker to impersonate a victim. We named this attack as `Ghost Telephonist'. The consequence of this attack include: (1) The attacker can impersonate the callee and obtain the content of incoming calls or SMSs. (2) The attacker can impersonate the caller and initiate a call/SMS to others. (3) The attacker can obtain the victim's phone number and then use the phone number to launch further attack, e.g. reseting the victim's Internet account. These exploitations can randomly choose victims, or target a given victim. The victim will not detect the attacks since no fake base station is used and no cell re-selection happens. We implemented our own baseband based on OsmocomBB and verified the vulnerability with our own phones in two operators' network. The experiments validate the vulnerability really exists. We've already reported the vulnerability to the operators and proposed the countermeasures.

Guan-Hua Tu,Chi-Yu Li,Chunyi Peng,Yuanjie Li,Songwu Lu

DOI: https://doi.org/10.1145/2976749.2978393

2016-01-01

Abstract:SMS (Short Messaging Service) is a text messaging service for mobile users to exchange short text messages. It is also widely used to provide SMS-powered services (e.g., mobile banking). With the rapid deployment of all-IP 4G mobile networks, the underlying technology of SMS evolves from the legacy circuit-switched network to the IMS (IP Multimedia Subsystem) system over packet-switched network. In this work, we study the insecurity of the IMS-based SMS. We uncover its security vulnerabilities and exploit them to devise four SMS attacks: silent SMS abuse, SMS spoofing, SMS client DoS, and SMS spamming. We further discover that those SMS threats can propagate towards SMS-powered services, thereby leading to three malicious attacks: social network account hijacking, unauthorized donation, and unauthorized subscription. Our analysis reveals that the problems stem from the loose security regulations among mobile phones, carrier networks, and SMS-powered services. We finally propose remedies to the identified security issues.

Guan-Hua Tu,Yuanjie Li,Chunyi Peng,Chi-Yu Li,Muhammad Taqi Raza,Hsiao-Yun Tseng,Songwu Lu

DOI: https://doi.org/10.48550/arXiv.1510.08531

2015-10-29

Cryptography and Security

Abstract:Mobile Internet is becoming the norm. With more personalized mobile devices in hand, many services choose to offer alternative, usually more convenient, approaches to authenticating and delivering the content between mobile users and service providers. One main option is to use SMS (i.e., short messaging service). Such carrier-grade text service has been widely used to assist versatile mobile services, including social networking, banking, to name a few. Though the text service can be spoofed via certain Internet text service providers which cooperated with carriers, such attacks haven well studied and defended by industry due to the efforts of research community. However, as cellular network technology advances to the latest IP-based 4G LTE, we find that these mobile services are somehow exposed to new threats raised by this change, particularly on 4G LTE Text service (via brand-new distributed Mobile-Initiated Spoofed SMS attack which is not available in legacy 2G/3G systems). The reason is that messaging service over LTE shifts from the circuit-switched (CS) design to the packet-switched (PS) paradigm as 4G LTE supports PS only. Due to this change, 4G LTE Text Service becomes open to access. However, its shields to messaging integrity and user authentication are not in place. As a consequence, such weaknesses can be exploited to launch attacks (e.g., hijack Facebook accounts) against a targeted individual, a large scale of mobile users and even service providers, from mobile devices. Current defenses for Internet-Initiated Spoofed SMS attacks cannot defend the unprecedented attack. Our study shows that 53 of 64 mobile services over 27 industries are vulnerable to at least one threat. We validate these proof-of-concept attacks in one major US carrier which supports more than 100 million users. We finally propose quick fixes and discuss security insights and lessons we have learnt.

Guan-Hua Tu,Min-Yue Chen,Chunyi Peng,Sihan Wang,Jingwen Shi,Chi-Yu Li,Tian Xie,Man-Hsin Chen,Yiwen Hu

DOI: https://doi.org/10.1145/3636534.3649377

2024-05-29

Abstract:IMS (IP Multimedia Subsystem) is vital for delivering IP-based multimedia services in mobile networks. Despite constant upgrades by 3GPP over the past two decades to support heterogeneous radio access networks (e.g., 4G LTE, 5G NR, and Wi-Fi) and enhance IMS security, the focus has primarily been on cellular infrastructure. Consequently, IMS security measures on mobile equipment (ME), such as smartphones, lag behind rapid technological advancements. Our study reveals that mandated IMS security measures on ME fail to keep pace, resulting in new vulnerabilities and attack vectors, including denial of service (DoS) across all networks, named SMS source spoofing, and covert communications over Video-over-IMS attacks. All vulnerabilities and proof-of-concept attacks have been experimentally validated in operational 5G/4G networks across various phone models and network operators. Finally, we propose and prototype standard-compliant remedies for these vulnerabilities.

Computer Science,Engineering

Su, Li,Du, Haitao

DOI: https://doi.org/10.1007/s00500-023-09486-x

IF: 3.732

2024-01-11

Soft Computing

Abstract:The security context, generally stored in the universal subscriber identity module card or the baseband chip, is the critical information applied by the subscriber to access the 5G network during the fast authentication procedure. Once exposed or illegally used, the security context can be exploited to derive various keys for authentication and encryption. Despite its importance, challenges and questions still remain in the previous relevant research. To fill this gap, by adopting the security protocol verification tool ProVerif, we provide a comprehensive formal model of the fast authentication procedure based on the security context to analyze whether security goals can be met. Unfortunately, we uncover two vulnerabilities, including one never reported before. Our analysis shows that these vulnerabilities stem from fundamental design flaws in the cellular network protocol and thus apply to the 4G network. These vulnerabilities could be exploited to launch several attacks, including impersonation and eavesdropping. We have validated these attacks using 5 mobile phones from 5 different baseband manufacturers through experimentation in three mobile carriers. We find an insecure implementation of one of these phones, which exposed it to replay attacks. And we further discuss the security threats posed by the impersonation attack, such as location spoofing and one-tap authentication bypass, which is verified on 10 popular apps. We finally propose several countermeasures to eliminate these security issues. Actually, we have reported the novel vulnerability to the GSM Association and received a confirmation in the form of a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

computer science, artificial intelligence, interdisciplinary applications

Norbert Ludant,Marinos Vomvas,Guevara Noubir

DOI: https://doi.org/10.48550/arXiv.2403.06717

2024-03-11

Abstract:Over the years, several security vulnerabilities in the 3GPP cellular systems have been demonstrated in the literature. Most studies focus on higher layers of the cellular radio stack, such as the RRC and NAS, which are cryptographically protected. However, lower layers of the stack, such as PHY and MAC, are not as thoroughly studied, even though they are neither encrypted nor integrity protected. Furthermore, the latest releases of 5G significantly increased the number of low-layer control messages and procedures. The complexity of the cellular standards and the high degree of cross-layer operations, makes reasoning about security non-trivial, and requires a systematic analysis. We study the control procedures carried by each physical channel, and find that current cellular systems are susceptible to several new passive attacks due to information leakage, and active attacks by injecting MAC and PHY messages. For instance, we find that beamforming information leakage enables fingerprinting-based localization and tracking of users. We identify active attacks that reduce the users' throughput by disabling RF front ends at the UE, disrupt user communications by tricking other connected UEs into acting as jammers, or stealthily disconnect an active user. We evaluate our attacks against COTS UEs in various scenarios and demonstrate their practicality by measuring current operators' configurations across three countries. Our results show that an attacker can, among other things, localize users with an accuracy of 20 meters 96% of the time, track users' moving paths with a probability of 90%, reduce throughput by more than 95% within 2 seconds (by spoofing a 39 bits DCI), and disconnect users.

Cryptography and Security

Marc Lichtman,Jeffrey H. Reed,T. Charles Clancy,Mark Norton

DOI: https://doi.org/10.1109/GlobalSIP.2013.6736871

2014-03-12

Abstract:LTE is well on its way to becoming the primary cellular standard, due to its performance and low cost. Over the next decade we will become dependent on LTE, which is why we must ensure it is secure and available when we need it. Unfortunately, like any wireless technology, disruption through radio jamming is possible. This paper investigates the extent to which LTE is vulnerable to intentional jamming, by analyzing the components of the LTE downlink and uplink signals. The LTE physical layer consists of several physical channels and signals, most of which are vital to the operation of the link. By taking into account the density of these physical channels and signals with respect to the entire frame, as well as the modulation and coding schemes involved, we come up with a series of vulnerability metrics in the form of jammer to signal ratios. The ``weakest links'' of the LTE signals are then identified, and used to establish the overall vulnerability of LTE to hostile interference.

Other Computer Science

Zhiwei Cui,Baojiang Cui,Li Su,Haitao Du,Hongxin Wang,Junsong Fu

2023-03-20

Abstract:The security context used in 5G authentication is generated during the Authentication and Key Agreement (AKA) procedure and stored in both the user equipment (UE) and the network sides for the subsequent fast registration procedure. Given its importance, it is imperative to formally analyze the security mechanism of the security context. The security context in the UE can be stored in the Universal Subscriber Identity Module (USIM) card or in the baseband chip. In this work, we present a comprehensive and formal verification of the fast registration procedure based on the security context under the two scenarios in ProVerif. Our analysis identifies two vulnerabilities, including one that has not been reported before. Specifically, the security context stored in the USIM card can be read illegally, and the validity checking mechanism of the security context in the baseband chip can be bypassed. Moreover, these vulnerabilities also apply to 4G networks. As a consequence, an attacker can exploit these vulnerabilities to register to the network with the victim's identity and then launch other attacks, including one-tap authentication bypass leading to privacy disclosure, location spoofing, etc. To ensure that these attacks are indeed realizable in practice, we have responsibly confirmed them through experimentation in three operators. Our analysis reveals that these vulnerabilities stem from design flaws of the standard and unsafe practices by operators. We finally propose several potential countermeasures to prevent these attacks. We have reported our findings to the GSMA and received a coordinated vulnerability disclosure (CVD) number CVD-2022-0057.

Cryptography and Security

Linhong Guo,Xiaosong Zhang

DOI: https://doi.org/10.1088/1742-6596/1325/1/012108

2019-01-01

Journal of Physics Conference Series

Abstract:VoLTE (voice over LTE) is widely popular and the potential target for covert communications. The transmission of continuous and large amounts of data over VoLTE enables the construction of a covert channel. The existing covert channel construction scheme based on IPD (inter-packet delay) cannot be applied to VoLTE due to the particularity of the IPD of VoLTE traffics. In this paper, we propose a covert channel with intelligent confrontation for VoLTE traffic. It modulates messages in the relative relationship of voice and video packets based on learning of the characteristics of active attack traffic. The experimental results indicate that the proposed covert channel is undetectable and robust.

Neil Redmond,Le-Nam Tran,Kim-Kwang Raymond Choo,Nhien-An Le-Khac

DOI: https://doi.org/10.1007/978-3-030-47131-6_9

2020-01-01

Abstract:Long Term Evolution (“LTE”) or 4G data services are relied upon by many people to process information such as payments, VOIP and applications on their mobile devices. Today this technology is widely used and many people depend upon its security every day for all manner of tasks. GSM traffic, SMS traffic and data traffic are encrypted by the network to prevent third party access. In this paper, we are going to investigate a methodology to overcome the security restrictions of LTE network to extract data from mobile device in real-time. The outcome of this research not only assists the digital investigators to tackle the challenges of extracting relevant artefacts from suspect devices using LTE network but also allows us to evaluate the possibility of extract important data from LTE security network in real-time. We also test our approach with real-world scenarios and services.

Caixia Liu,Xinsheng Ji,Jiangxing Wu,Xiao Qin

DOI: https://doi.org/10.1007/s11432-017-9428-6

2018-01-01

Science China Information Sciences

Abstract:>Dear editor,Several studies have recently reported on major vulnerabilities in the Signaling System No.7 (SS7)used in mobile networks [1, 2]. The reported vulnerabilities and security issues would lead to the illegal acquisition and tampering of mobile communication user data, known as cellphone user data. The cellphone user data contain important information such as identity identification, location identification, security parameter-set. Due to

Mojdeh Karbalaee Motalleb,Chafika Benzaid,Tarik Taleb,Marcos Katz,Vahid Shah-Mansouri,JaeSeung Song

2024-11-13

Abstract:The evolution of wireless communication systems will be fundamentally impacted by an open radio access network (O-RAN), a new concept defining an intelligent architecture with enhanced flexibility, openness, and the ability to slice services more efficiently. For all its promises, and like any technological advancement, O-RAN is not without risks that need to be carefully assessed and properly addressed to accelerate its wide adoption in future mobile networks. In this paper, we present an in-depth security analysis of the O-RAN architecture, discussing the potential threats that may arise in the different O-RAN architecture layers and their impact on the Confidentiality, Integrity, and Availability (CIA) triad. We also promote the potential of zero trust, Moving Target Defense (MTD), blockchain, and large language models(LLM) technologies in fortifying O-RAN's security posture. Furthermore, we numerically demonstrate the effectiveness of MTD in empowering robust deep reinforcement learning methods for dynamic network slice admission control in the O-RAN architecture. Moreover, we examine the effect of explainable AI (XAI) based on LLMs in securing the system.

Cryptography and Security,Machine Learning

Raghunandan M. Rao,Sean Ha,Vuk Marojevic,Jeffrey H. Reed

DOI: https://doi.org/10.48550/arXiv.1708.05887

2017-09-11

Abstract:This paper provides a methodology to study the PHY layer vulnerability of wireless protocols in hostile radio environments. Our approach is based on testing the vulnerabilities of a system by analyzing the individual subsystems. By targeting an individual subsystem or a combination of subsystems at a time, we can infer the weakest part and revise it to improve the overall system performance. We apply our methodology to 4G LTE downlink by considering each control channel as a subsystem. We also develop open-source software enabling research and education using software-defined radios. We present experimental results with open-source LTE systems and shows how the different subsystems behave under targeted interference. The analysis for the LTE downlink shows that the synchronization signals (PSS/SSS) are very resilient to interference, whereas the downlink pilots or Cell-Specific Reference signals (CRS) are the most susceptible to a synchronized protocol-aware interferer. We also analyze the severity of control channel attacks for different LTE configurations. Our methodology and tools allow rapid evaluation of the PHY layer reliability in harsh signaling environments, which is an asset to improve current standards and develop new robust wireless protocols.

Networking and Internet Architecture