TY - JOUR
T1 - The Untold Secrets of WiFi-Calling Services
T2 - Vulnerabilities, Attacks, and Countermeasures
AU - Xie, Tian
AU - Tu, Guan Hua
AU - Yin, Bangjie
AU - Li, Chi-Yu
AU - Peng, Chunyi
AU - Zhang, Mi
AU - Liu, Hui
AU - Liu, Xiaoming
N1 - Publisher Copyright:
© 2002-2012 IEEE.
PY - 2021/11/1
Y1 - 2021/11/1
N2 - Since 2016, all four major U.S. operators have rolled out Wi-Fi calling services. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS technology. Compared with conventional cellular voice solutions, the major difference is that their traffic traverses untrusted Wi-Fi networks and the Internet. This exposure to insecure networks can subject Wi-Fi calling users to security threats. The security mechanisms of Wi-Fi calling are similar to those of VoLTE, because both are supported by the IMS. They include SIM-based security, 3GPP AKA, IPsec, etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. We conduct the first security study on the operational Wi-Fi calling services in three major U.S. operators' networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof and uncover three vulnerabilities. By exploiting the vulnerabilities, we devise two proof-of-concept attacks: telephony harassment or denial of voice service, and user privacy leakage; both can bypass the existing security defenses. We have confirmed their feasibility using real-world experiments, assessed their potential damage, and proposed a solution to address all identified vulnerabilities.
KW - Wi-Fi calling
KW - cellular network
KW - computer vision recognition
KW - security and privacy
UR - http://www.scopus.com/inward/record.url?scp=85118282636&partnerID=8YFLogxK
U2 - 10.1109/TMC.2020.2995509
DO - 10.1109/TMC.2020.2995509
M3 - Article
AN - SCOPUS:85118282636
SN - 1536-1233
VL - 20
SP - 3131
EP - 3147
JO - IEEE Transactions on Mobile Computing
JF - IEEE Transactions on Mobile Computing
IS - 11
M1 - 9095374
ER -