{"id":10463,"date":"2015-11-04T09:46:52","date_gmt":"2015-11-04T14:46:52","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10463"},"modified":"2017-09-24T08:12:47","modified_gmt":"2017-09-24T12:12:47","slug":"volte-insecurity","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/volte-insecurity\/10463\/","title":{"rendered":"Voice as a threat: VoLTE, a new tool to compromise mobile networks"},"content":{"rendered":"<p>While communication technology providers are seeking consensus over the future of 5G networks, carriers are wasting no time in rolling out new technologies available for the current 4G networks. Voice over LTE or simply VoLTE is one of these technologies. VoLTE allows transmitting voice calls over data layers.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023756\/volte-insecurity-FB.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10465 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/11\/06023756\/volte-insecurity-FB.jpg\" alt=\"Something's wrong with VoLTE\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>What exactly does that mean? Well, let us explain some technical details. Today\u2019s cellular networks employ three \u2018planes\u2019: data, voice and control. We typically use the data plane for mobile Internet, and the voice plane for voice calls. The third plane, to put it simply, is used to manage everything what happens on the other two planes.<\/p>\n<p>Traditional cellular networks handle voice calls through dedicated circuits. However, the 4G technology allows for the prioritization and transmission of voice traffic as packets with higher priority via the data plane. That is essentially VoLTE. The control plane packets have the highest priority. In essence, VoLTE is a sort of IP telephony (VoIP) adapted for use over cellular networks.<\/p>\n<p>VoLTE brings a handful of benefits. First, ubiquitous VoLTE deployment will render existing 2G\/3G infrastructures impractical and thus not necessary to support, since VoLTE won\u2019t require a separate infrastructure to handle voice calls. Secondly, VoLTE offers higher bandwidth compared to 3G in boosting the voice quality.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">4G is just beginning to become the norm, so why do we need 5G? \u2013 <a href=\"http:\/\/t.co\/vP3wDv1X8s\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/vP3wDv1X8s<\/a> <a href=\"http:\/\/t.co\/t9ZR5neEcN\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/t9ZR5neEcN<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/617015539848843264?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 3, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The third benefit is that VoLTE can be used for video conferencing. Last but not least, <a href=\"http:\/\/www.fiercewireless.com\/europe\/story\/vodafone-germany-claims-volte-first-showcases-5g\/2015-03-16\" target=\"_blank\" rel=\"noopener nofollow\">mobile carriers claim<\/a> VoLTE offers better call privacy and faster connection. All in all, it looks like VoLTE has a number of critical benefits with no particular drawbacks. At least upon first impression.<\/p>\n<p>As it usually happens, every breakthrough technology has its growing pains. Researchers from the University of California, in joint effort with their colleagues of Shanghai Jiao Tong University and the Ohio State University, <a href=\"http:\/\/web.cs.ucla.edu\/~ghtu\/ccs15.pdf\" target=\"_blank\" rel=\"noopener nofollow\">demonstrated practical attacks on VoLTE<\/a> in two US Tier-1 carriers\u2019 networks.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Researchers discover new attacks amid VoLTE rollout <a href=\"https:\/\/t.co\/WDoE6Aitai\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/WDoE6Aitai<\/a> <a href=\"https:\/\/t.co\/WU3tm7tptO\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/WU3tm7tptO<\/a><\/p>\n<p>\u2014 The Verge (@verge) <a href=\"https:\/\/twitter.com\/verge\/status\/657228572239728640?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 22, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The researchers managed to demonstrate how a criminal can drop all of the victim\u2019s calls, or to increase the amount of charges on the victim\u2019s cellular bill, or vice versa to gain free mobile data access. The interesting thing is that criminals don\u2019t need to hack networks to achieve their goals, or use expensive equipment to carry out the attacks. All they need is an unrooted or <a href=\"https:\/\/en.wikipedia.org\/wiki\/rooting_(android_os)\" target=\"_blank\" rel=\"noopener nofollow\">rooted smartphone<\/a>.<\/p>\n<p>The researchers\u2019 key finding is that one can fool VoLTE and send ordinary data packets masqueraded as \u2018the high priority\u2019 signal or voice packets<\/p>\n<p>This means that a potential attacker can have carte blanche. Signal packets are not charged for, so once you use this \u2018wrapper\u2019 for ordinary data packets, you can be freed from a responsibility of paying for your data plan. To offer a proof of concept, the researcher had a 10-minute Skype call and the carrier never registered their consumption of data traffic.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">LTE-U: on the way to 5G <a href=\"https:\/\/t.co\/02VVd4Sla9\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/02VVd4Sla9<\/a> <a href=\"http:\/\/t.co\/2lYJmLtF6a\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/2lYJmLtF6a<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/624571968596144128?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 24, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>The signal (control) plane has the highest priority, which opens a pool of opportunities to culprits. If you jam up this layer with data packets masqueraded as signal packets, the signal packets won\u2019t have enough bandwidth available. This method could be a means of cutting network access to someone or to launch a targeted attack and arrange network downtime by jamming it with faux signal packets.<\/p>\n<p>Finally, attackers can use the same method to flood the victim with data packets which, provided the victim does not employ an unlimited data plan, might mean a lot of extra charges the target would need to pay to the carrier. Moreover, such attacks are not detected by firewalls, which are there to filter malicious traffic. In such an attack, a legitimate mobile traffic is used, which makes firewalls unable to detect an attack.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Hackers\u2019 favorite new tool: supermalware \u2018<a href=\"https:\/\/twitter.com\/hashtag\/Regin?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Regin<\/a>\u2019 <a href=\"http:\/\/t.co\/lf58E86nAz\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/lf58E86nAz<\/a> via <a href=\"https:\/\/twitter.com\/ThirdCertainty?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@ThirdCertainty<\/a> <a href=\"http:\/\/t.co\/6NrJg6nnni\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/6NrJg6nnni<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/540544867798364160?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">December 4, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>All of the above concerned the ability to transfer data packets via the signal (control) plane, but the same approach could work on the voice plane as well. For example, the researchers managed to subdue a voice call over VoLTE: a victim would accept the call but couldn\u2019t hear anything, as voice packets were lost in the flood of faux signal packets.<\/p>\n<p>The researchers offer a handful of solutions to at least partially solve the issues; both carriers whose networks were probed during the research have already deployed some of them.<\/p>\n<p><strong><blockquote class=\"twitter-pullquote\"><p>How #hackers can exploit #VoLTE technology vulnerability to compromise #4G networks. #mobile #security<\/p><a href=\"https:\/\/twitter.com\/share?url=https%3A%2F%2Fkas.pr%2FX7zq&amp;text=How+%23hackers+can+exploit+%23VoLTE+technology+vulnerability+to+compromise+%234G+networks.+%23mobile+%23security\" class=\"btn btn-twhite\" data-lang=\"en\" data-count=\"0\" target=\"_blank\" rel=\"noopener nofollow\">Tweet<\/a><\/blockquote><\/strong><\/p>\n<p>Countries like <a href=\"http:\/\/www.fiercewireless.com\/europe\/story\/vodafone-germany-claims-volte-first-showcases-5g\/2015-03-16\" target=\"_blank\" rel=\"noopener nofollow\">Germany<\/a> or Russia have just started to roll out VoLTE services \u2013 so it may well be the case that all the carriers won\u2019t be that fast patching the vulnerabilities.<\/p>\n<p>Unfortunately, some of the vulnerabilities cannot be patched without making changes in VoLTE as a standard. Of course, carriers would be more vigilant of what happens in their networks and make sure to cut off the transmission of the signal traffic between any devices, except for legitimate connections between a phone and a signal server, but it is never enough.<\/p>\n<p>To fix all VoLTE issues, there is a need for a joint effort of OEMs, chipset vendors, carriers and standardization bodies.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">\"When we have technology that threatens <a href=\"https:\/\/twitter.com\/hashtag\/mobile?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#mobile<\/a> carriers business, they deal w\/it by blocking access to their phones\" <a href=\"https:\/\/twitter.com\/csoghoian?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@csoghoian<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/SAS2013?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#SAS2013<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/298448215706062849?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">February 4, 2013<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>That\u2019s the reason why the researchers try to widely publicize this problem: the more widely acknowledged the problem would become, the faster the solutions would be found.<\/p>\n<p>Users, on their end, should treat their mobile security more seriously: in order to carry out the described attacks, adversaries would have to install a malicious app on smartphones. Such mobile malware is very likely to be detected by a <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.kms.free&amp;referrer=af_tranid%253D3TH2JHYE6EQG5RK8%2526c%253Dkd-ru%2526pid%253Dsmm\" target=\"_blank\" rel=\"noopener nofollow\">good security software<\/a>.<\/p>\n<p>And, finally, the absolute majority of popular devices and 4G active networks don\u2019t support VoLTE at all so far. Let us hope that, by the time VoLTE becomes a ubiquitous service, all security issues will be solved.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Criminals can use VoLTE to cause connection failure, subdue voice calls, or strip the victim&#8217;s mobile account of money. <\/p>\n","protected":false},"author":675,"featured_media":10464,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1789,2683],"tags":[191,1134,423,97,422,1307,1308,268],"class_list":{"0":"post-10463","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-technology","9":"category-threats","10":"tag-data","11":"tag-internet","12":"tag-mobile-devices","13":"tag-security-2","14":"tag-threats","15":"tag-voice","16":"tag-volte-networks","17":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/volte-insecurity\/10463\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/volte-insecurity\/6233\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/volte-insecurity\/6432\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/volte-insecurity\/6349\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/volte-insecurity\/7192\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/volte-insecurity\/6865\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/volte-insecurity\/9660\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/volte-insecurity\/6384\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/volte-insecurity\/9457\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/volte-insecurity\/9660\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/volte-insecurity\/10463\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/volte-insecurity\/10463\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/data\/","name":"data"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10463","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10463"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10463\/revisions"}],"predecessor-version":[{"id":18853,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10463\/revisions\/18853"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10464"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=10463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}