VoLTE Phreaking by Ralph Moonen (slides available!)
On May 9th, 2019, Ralph Moonen, Technical Director at Secura, presented on VoLTE Phreaking at HITB HAXPO. HITB HAXPO is a once-in-5-year showcase of all things hacker, maker, builder and breaker! Organized by the same folks who run the HITB Security Conference, HITB HAXPO is where the latest technology is showcased, the best hackers are gathered and where the art of the hack is celebrated!
Security of 4G voice communication
Voice over 4G, or VoLTE, brings back the phreaking 80’s. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers’ 4G infrastructures open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in these implementations, such as text message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack.
During this talk we will begin with a little historical stroll through phone phreaking, covering notable events and discoveries over the years. Bridging the narrative over the last few decades, we introduce new technologies such as VoIP, VoLTE, and VoWiFi, and explain the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys into Wireshark and monitor the IPv6 SIP traffic and components. Finally, we will release a tool for Android so that you can monitor VoLTE traffic yourself on your rooted Android phone and observe headers and information leaks in real time when making phone calls.
Click here to find the slides of Ralph's talk at HAXPO. If you have any questions, please do not hesitate to contact us.
Ralph Moonen is Technical Director at Secura. Ralph is an old-school ethical hacker with 3 decades of experience as a penetration tester, IT auditor and security consultant. Now, as Technical Director, he is responsible for topics such as R&D and technical projects at Secura. He started out phreaking in the 80’s and telephony is still a passion of his.