HAXPO: VoLTE Phreaking

This talk will be LIVE STREAMED on YouTube: http://youtube.com/hitbsecconf


Voice over 4G, or VoLTE, brings back the phreaking 80’s. Once again, after 3 decades, the signaling path of telephony is accessible to end users. No more R1, R2, C4 or C5 however: we now have SIP. As it turns out, the implementations of SIP and VoLTE in various European providers’ 4G infrastructures, open up a host of possibilities. During our research over the past few years we have identified vulnerabilities in implementations such as text message spoofing, subscriber enumeration, location determination (leakage of cell-ID and LAC), IMEI leakage and a potential SIM-card sharing attack.

During this talk we will begin with a little historic stroll of phone phreaking through notable events and discoveries over the years. Bridging the narrative over the last few decades, new technologies such as VoIP, Volte, and VoWiFi are introduced, explaining the 4G and VoLTE infrastructure components and protocols. Next, on a rooted Android phone, we will show what control the user has over the VoLTE stack using some standard tools and the IPv6 stack. This includes hidden activities in Android and extraction of IPsec keys from the VoLTE stack. We will show that it is possible to import keys to Wireshark and monitor the IPv6 SIP traffic and components. Finally, we will release a tool for Android so that you can monitor VoLTE traffic yourself on your rooted Android phone. Observe headers and information leaks in real-time when making phone calls.

Location: Track 4 / HAXPO Date: May 9, 2019 Time: 3:30 pm - 4:00 pm Ralph Moonen