TY - GEN
T1 - Ghost calls from operational 4G call systems
T2 - 26th Annual International Conference on Mobile Computing and Networking, MobiCom 2020
AU - Lu, Yu Han
AU - Li, Chi-Yu
AU - Li, Yao Yu
AU - Hsiao, Sandy Hsin Yu
AU - Xie, Tian
AU - Tu, Guan Hua
AU - Chen, Wei Xun
PY - 2020/4/16
Y1 - 2020/4/16
N2 - IMS (IP Multimedia Subsystem) is an essential framework for providing 4G/5G multimedia services. It has been deployed worldwide to support two call services: VoLTE (Voice over LTE) and VoWi-Fi (Voice over Wi-Fi). VoWi-Fi enables telephony calls over the Wi-Fi network to complement VoLTE. In this work, we uncover that the VoWi-Fi signaling session can be hijacked to maliciously manipulate the IMS call operation. An adversary can easily make ghost calls to launch a stealthy call DoS (Denial of Service) attack against specific cellular users. Only phone numbers, but not any malware or network information, are required from the victims. This sophisticated attack harnesses a design defect of the IMS call state machine, but not simply flooding or a crash trigger. To stealthily detect attackable phones at run time, we exploit a vulnerability of the 4G network infrastructure, call information leakage, which we explore using machine learning. We validate these vulnerabilities in operational 4G networks of 4 top-tier carriers across Asian and North American countries with 7 phone brands. Our result shows that the call DoS attack can prevent the victims from receiving incoming calls up to 99.0% of the time without user awareness. We finally propose and evaluate recommended solutions.
KW - Application layer protocols
KW - Denial-of-service attacks
KW - Mobile and wireless security
KW - Networks
KW - Security and privacy
UR - http://www.scopus.com/inward/record.url?scp=85086140099&partnerID=8YFLogxK
U2 - 10.1145/3372224.3380885
DO - 10.1145/3372224.3380885
M3 - Conference contribution
AN - SCOPUS:85086140099
T3 - Proceedings of the Annual International Conference on Mobile Computing and Networking, MOBICOM
SP - 96
EP - 109
BT - Proceedings of the 26th Annual International Conference on Mobile Computing and Networking, MobiCom 2020
PB - Association for Computing Machinery
Y2 - 21 September 2020 through 25 September 2020
ER -