Alert: VoLTE services are growing and so are the security flaws

Written on June 20, 2017, in Opinion


ITEM: Researchers for a French security company have published a research paper detailing security flaws in VoLTE that they say could allow hackers to spoof phone numbers and track callers.

According to Bleeping Computer, the flaws described in the paper can be exploited by an attacker using an Android smartphone:

Researchers say they identified both “active” vulnerabilities (that require modifying special SIP packets) and “passive” vulnerabilities (that expose data via passive network monitoring or do not require any SIP packet modification).

Examples of the security flaws listed in the paper include:

  • Modifying SIP INVITE messages to acquire a list of all users on a mobile network
  • Establishing free (as in unmonitored and unbillable) data channels using SIP and SDP (Session Description Protocol) messages
  • Modifying certain headers in SIP INVITE messages to place calls using another user’s phone number
  • Fingerprinting network equipment of a target operator just by listening to VoLTE telephony traffic reaching an Android smartphone
  • Leaking a person’s IMEI and personal information such as location.

The good news is that these flaws aren’t particularly fatal as long as operators take them seriously and take action to fix them. The researchers offer actions that operators can take to close those security gaps.

Meanwhile, a spokesperson from Ericsson told Disruptive.Asia by email that both the 3GPP and the GSMA have developed security recommendations for VoLTE, and that the security exploits listed above can be avoided “if standardized security features are switched on and security recommendations are followed by operators and device vendors.”

NOTE: According to the GSMA, 110 cellcos have launched VoLTE and ViLTE services in 58 countries, as of June 15 [PDF].

The research paper, “Subscribers remote geolocation and tracking using 4G VoLTE enabled Android phone,” can be downloaded here [PDF].

This article was first published on our sister publication Disruptive.Asia.


About the Author

John is editor of Disruptive.Asia and was previously managing editor at Telecom Asia. He has been covering the Asia-Pacific telecoms industry since 1996. He has two degrees in telecommunications and has worked for six years in the US radio industry in various technical and advisory capacities, covering radio and satellite equipment maintenance, studio networking, news writing and production, the latter of which earned him several regional and national awards.
