Ghost Calls from Operational 4G Call Systems: IMS Vulnerability, Call Dos Aack, and Countermeasure
Total Page:16
File Type:pdf, Size:1020Kb
Ghost Calls from Operational 4G Call Systems: IMS Vulnerability, Call DoS Aack, and Countermeasure Yu-Han Lu, Chi-Yu Li, Yao-Yu Tian Xie, Guan-Hua Tu Wei-Xun Chen Li, Sandy Hsin-Yu Hsiao Department of Computer Science Department of Computer Science Department of Computer Science and Engineering College of Computer Science College of Computer Science Michigan State University National Chiao Tung University National Chiao Tung University East Lansing, Michigan, USA Hsinchu, Taiwan Hsinchu, Taiwan ABSTRACT 90 percent of combined 4G and 5G subscriptions. Undoubtedly, the IMS (IP Multimedia Subsystem) is an essential framework for pro- IMS system will play a decisive role for future call services. viding 4G/5G multimedia services. It has been deployed worldwide VoWi-Fi extends the reach of the IMS call service, yet with a to support two call services: VoLTE (Voice over LTE) and VoWi-Fi larger attack surface than conventional voice solutions. Its software- (Voice over Wi-Fi). VoWi-Fi enables telephony calls over the Wi-Fi based framework is barely hardened by existing hardware-based network to complement VoLTE. In this work, we uncover that the security from the telecom modem. It may suer, when an adversary VoWi-Fi signaling session can be hijacked to maliciously manipu- gets full control over the phone OS (e.g., root access). As VoWi-Fi late the IMS call operation. An adversary can easily make ghost still follows the same security principle as VoLTE, we are interested calls to launch a stealthy call DoS (Denial of Service) attack against in whether VoWi-Fi may imperil the IMS ecosystem. Once it can specic cellular users. Only phone numbers, but not any malware be breached, the IMS may be exposed to security threats. or network information, are required from the victims. This so- In this work, we rst discover a vulnerability of VoWi-Fi, no phisticated attack harnesses a design defect of the IMS call state app-level data-origin authentication; threateningly, it allows the machine, but not simply ooding or a crash trigger. To stealthily adversary to arbitrarily manipulate the IMS call operation. Such detect attackable phones at run time, we exploit a vulnerability of vulnerability lies in the fact that the standard design treats the the 4G network infrastructure, call information leakage, which we device as one entity of security associations in the Internet protocol explore using machine learning. We validate these vulnerabilities security (IPSec) protection over IMS services. Its security principle in operational 4G networks of 4 top-tier carriers across Asia and is to keep security parameters inside the phone, but not the IMS North America countries with 7 phone brands. Our result shows app that runs VoWi-Fi. Once the phone is compromised, they can be that the call DoS attack can prevent the victims from receiving easily leaked. This vulnerability leads us to disclose that hijacking incoming calls up to 99.0% time without user awareness. We nally the VoWi-Fi signaling session is possible, and it allows the adversary propose and evaluate recommended solutions. to interact with the IMS system on a per-message basis. We further identify two IMS vulnerabilities based on the hijack- CCS CONCEPTS ing: no prohibition of concurrent call attempts and abusing reliability of provisional responses. They root in an operational aw from carri- • Networks → Mobile and wireless security; Application layer ers and a design defect of the standard, respectively. By exploiting protocols; • Security and privacy → Denial-of-service attacks. them, the adversary can make ghosts calls to launch a stealthy call DoS (Denial of Service) attack against specic cellular users. Only 1 INTRODUCTION phone numbers, but not any malware or network information, are IMS (IP Multimedia Subsystem) is the designated core system required from the victims. We conduct experimental validation in for call services in the 4G/5G era. It has oered two call services: operational 4G networks of 4 top-tier carriers across Asia and North VoLTE (Voice over LTE) and VoWi-Fi (Voice over Wi-Fi). VoLTE is America countries with 7 phone brands. Note that we take a respon- an essential voice solution for the 4G LTE network, to supersede sible manner that prevents carriers and cellular users from being the legacy 2G/3G call services. VoWi-Fi complements VoLTE for the hurt in all the tests. We neither try to overwhelm the IMS system areas with poor cellular signals by enabling telephony calls over the by ooding data trac, nor attempt to crash it using malformed Wi-Fi network. An Ericsson report [17] shows that the number of signaling messages. We always use our own phones as the victims. their subscriptions is projected to reach 6 billion in 2024 for around However, this attack works for only VoLTE and VoWi-Fi users in the same carrier network as the adversary. Given a target phone Permission to make digital or hard copies of all or part of this work for personal or number, the phone may have only the 3G call service, temporarily classroom use is granted without fee provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and the full citation handover from 4G to 3G, or belong to another dierent carrier. In on the rst page. Copyrights for components of this work owned by others than ACM these states, the phone may play ringtone under the attack, thereby must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, making its user aware. We thus introduce a stealthy detection to post on servers or to redistribute to lists, requires prior specic permission and/or a fee. Request permissions from [email protected]. method that can remotely detect attackable phones at run time. MobiCom ’20, September 21–25, 2020, London, United Kingdom We leverage machine learning (ML) to explore signaling message © 2020 Association for Computing Machinery. features available for the runtime detection and then integrate ACM ISBN 978-1-4503-7085-1/20/09...$15.00 https://doi.org/10.1145/3372224.3380885 the feature-based detection into the attack. Our attack evaluation shows that the victims can suer from call DoS up to 99.0% time 4G LTE Core Network under the attack without awareness. We nally propose a suite of Mobility recommended solutions and conrm their eectiveness based on a S-GW Management Entity prototype. This paper makes four contributions as follows. LTE Base Authentication Station P-GW Server UE We identify three vulnerabilities from VoWi-Fi and the IMS Internet ePDG IMS Core • system. They can be exploited to hijack the VoWi-Fi signaling Wi-Fi AP session and maliciously manipulate the IMS call operation. Figure 1: 4G LTE network architecture with VoWi-Fi. We validate them experimentally and analyze root causes. We devise a stealthy call DoS attack by exploiting the vul- • nerabilities. It is further advanced to an adaptive multi-layer 2.2 Exposure of IMS Potential Vulnerabilities DoS attack that maximizes call DoS durations. VoWi-Fi has a larger attack surface than conventional cellular We apply ML into exploring a vulnerability of the 4G network • voice solutions. It keeps service operation and security functions infrastructure, call information leakage, which enables remote in the software including the IMS app and mobile OS, but the detection of a phone’s call technology and state. It can assist conventional ones hide full (e.g., CS-based) or part of them (e.g., in stealthily detecting attackable phones at run time. VoLTE [31, 33]) within the hardware modem. Its software frame- We validate the vulnerabilities and assess attack impact in • work may create more exploitable vulnerabilities. Specically, the operational 4G networks. We conrm them as general threats adversary can easily learn service operation from collected packet by covering 4 top-tier carriers across Asia and North America traces [54], and may steal security parameters from the software or countries with 7 phone brands in our experiments. the delivery path from the SIM card to the IMS app (e.g., extracting The rest of the paper is organized as follows. Section 2 presents security keys with a snier, SIMTrace [18]). Such vulnerabilities the attack surface and model. In Section 3, we disclose vulnerabili- may allow the adversary to directly interact with the IMS core. ties of VoWi-Fi and IMS call technologies. We propose a stealthy call It is threatening that VoWi-Fi may cause the IMS potential vul- DoS attack and advance it with ML in Sections 4 and 5, respectively. nerabilities, which were hidden by conventional IMS-based services, We present solution, discussion, and related work in Sections 6, 7, to be exposed. Once the adversary can gain ne-grained interaction and 8, respectively. Section 9 concludes the paper. with the IMS on the exchange of signaling messages, any design defects of its call ow procedure or state machine may be exploited to launch attacks. Such exploitation is not possible by abusing con- 2 VOWI-FI: NEW ATTACK SURFACE ventional telephony APIs, which support only coarse-grained call 2.1 VoWi-Fi Primer operation. We look into this security threat using VoWi-Fi and seek to answer the following three questions. VoWi-Fi is a cellular voice service that enables cellular calls over Can the hijacking of the VoWi-Fi signaling session be com- Wi-Fi networks. Its service ow diers from conventional cellular • pletely prevented by its mandatory IPSec integrity protection voice solutions, VoLTE and circuit-switched (CS) call services. Fig- and the IPSec tunnel of its non-3GPP access? ure 1 shows the 4G LTE network architecture with VoWi-Fi support. Does the IMS restrict the IMS app to normal call operation? If The UE (User Equipment) consumes the VoWi-Fi service by con- • not, the adversary may be allowed to make any call attempts necting to the core network through the Wi-Fi AP and the Internet, arbitrarily or ghost calls by manipulating the delivery of SIP but has the conventional ones through the LTE base station.