Carding Forum
Professional
- Messages
- 2,788
- Reaction score
- 1,198
- Points
- 113
Wi-Fi calls may not be as secure as you think.
Researchers from CISPA, SBA Research and the University of Vienna have discovered two vulnerabilities in the mobile Voice over WiFi (VoWiFi) protocol that threaten the security of communications of millions of mobile phone users around the world. At the moment, the shortcomings have been eliminated, but the scientists told about their discovery.
Modern smartphones can establish phone connections not only through mobile networks, but also through Wi-Fi (WLAN calls), providing communication even in places with a poor signal. Since 2016, almost all major mobile operators offer Wi-Fi calls that are pre-installed on all new smartphones.
Phone calls from a phone (UE) to a telephone exchange (IMS) : Comparing a VoLTE connection with VoWiFi
The vulnerabilities affected the services of 13 of the 275 mobile operators studied, including operators from Austria, Slovakia, Brazil and Russia, which compromised the security of communications of about 140 million customers.
The error is related to an important network component in the LTE and 5G network architecture – the Evolved Packet Data Gateway (ePDG). For Wi-Fi calls, the smartphone must register with the operator's main network. To ensure that this happens safely, IPsec tunnels are installed between the device and the ePDG.
IPsec tunnels are built in several stages. Communication security is mainly ensured by exchanging cryptographic keys over the Internet Key Exchange (IKE) protocol. The keys must be private and random, but the operators did not meet these conditions.
13 operators used the same global set of 10 static private keys instead of random ones. An attacker with these keys could easily eavesdrop on communication between smartphones and carriers. Any of the affected operators, the manufacturer, and possibly the security services of each of the countries have access to the keys. Networks of the Chinese provider ZTE were also under threat.
The researchers also found that many new chips (including 5G) Taiwanese manufacturer MediaTek, used in some Android smartphones from Xiaomi, Oppo, Realme and Vivo, have a different vulnerability.
The chip works with a SIM card to register users on the mobile network using VoWiFi. Scientists have found that the level of encryption on the smartphone side can be reduced to the weakest by using targeted attacks. An analysis of configurations from other manufacturers, such as Google, Apple, Samsung and Xiaomi, showed that up to 80% of cases used outdated cryptographic methods.
The researchers can't confirm how many users around the world were actually affected by the attacks or were overheard. The scientists reported the problem to the GSMA system and the relevant providers, giving them the opportunity to develop updates. Updates have already been installed. Only after responsible disclosure do experts publish their work at the USENIX Security Symposium 2024, making their results available to other researchers.
Vulnerabilities:
Source
Researchers from CISPA, SBA Research and the University of Vienna have discovered two vulnerabilities in the mobile Voice over WiFi (VoWiFi) protocol that threaten the security of communications of millions of mobile phone users around the world. At the moment, the shortcomings have been eliminated, but the scientists told about their discovery.
Modern smartphones can establish phone connections not only through mobile networks, but also through Wi-Fi (WLAN calls), providing communication even in places with a poor signal. Since 2016, almost all major mobile operators offer Wi-Fi calls that are pre-installed on all new smartphones.
Phone calls from a phone (UE) to a telephone exchange (IMS) : Comparing a VoLTE connection with VoWiFi
The vulnerabilities affected the services of 13 of the 275 mobile operators studied, including operators from Austria, Slovakia, Brazil and Russia, which compromised the security of communications of about 140 million customers.
The error is related to an important network component in the LTE and 5G network architecture – the Evolved Packet Data Gateway (ePDG). For Wi-Fi calls, the smartphone must register with the operator's main network. To ensure that this happens safely, IPsec tunnels are installed between the device and the ePDG.
IPsec tunnels are built in several stages. Communication security is mainly ensured by exchanging cryptographic keys over the Internet Key Exchange (IKE) protocol. The keys must be private and random, but the operators did not meet these conditions.
13 operators used the same global set of 10 static private keys instead of random ones. An attacker with these keys could easily eavesdrop on communication between smartphones and carriers. Any of the affected operators, the manufacturer, and possibly the security services of each of the countries have access to the keys. Networks of the Chinese provider ZTE were also under threat.
The researchers also found that many new chips (including 5G) Taiwanese manufacturer MediaTek, used in some Android smartphones from Xiaomi, Oppo, Realme and Vivo, have a different vulnerability.
The chip works with a SIM card to register users on the mobile network using VoWiFi. Scientists have found that the level of encryption on the smartphone side can be reduced to the weakest by using targeted attacks. An analysis of configurations from other manufacturers, such as Google, Apple, Samsung and Xiaomi, showed that up to 80% of cases used outdated cryptographic methods.
The researchers can't confirm how many users around the world were actually affected by the attacks or were overheard. The scientists reported the problem to the GSMA system and the relevant providers, giving them the opportunity to develop updates. Updates have already been installed. Only after responsible disclosure do experts publish their work at the USENIX Security Symposium 2024, making their results available to other researchers.
Vulnerabilities:
- CVD-2024-0089 – GSMA Mobile Security Research Acknowledgements;
- CVE-2024-20069 (CVSS score: 6.5) - Choosing a less secure algorithm during negotiation (algorithm downgrade) MediaTek June 2024 Product Security Bulletin;
- CVE-2024-22064 (CVSS score: 8.3) - configuration error in ZTE ZXUN-ePDG.
Source
