back to article Little FYI: Wi-Fi calling services on AT&T, T-Mobile US, Verizon are insecure, say boffins

Boffins from Michigan State University in the US and National Chiao Tung University in Taiwan have found that the Wi-Fi calling services offered by AT&T, T-Mobile US, and Verizon suffer from four security flaws that can be exploited to attack mobile phone users, leaking private information, harassing them, or interfering with …

  1. tfb Silver badge

    Is this just for the specified networks?

    Or is it all Wi-Fi calling? My guess is that it's the latter, but they only tried those networks. That would mean that the networks offering Wi-Fi calling in the UK are also vulnerable. OTOH the attacks looked a bit generic: if you can spoof ARP on a Wi-Fi network then I don't think intercepting Wi-Fi calls is the only thing you can do, by a long way.

  2. NoneSuch
    Thumb Down

    Been that way for years

    I used to work for an electronics company and listening in on a cell call is trivial.

  3. Anonymous Coward
    Anonymous Coward

    Re: Been that way for years

    > listening in on a cell call is trivial

    And quite illegal. Doesn't stop reporters or Democrats though, here in the US of A.

  4. Anonymous Coward Silver badge
    Megaphone

    Re: Been that way for years

    Even easier than you think.

    Just sit in the 'quiet carriage' of a train and you're basically guaranteed to hear at least one side of a mobile phone conversation; often both sides because people don't understand that a device against your ear doesn't need full volume.

  5. FrogsAndChips Bronze badge

    Re: Been that way for years

    They need full volume because these days they hold the mic to their ears...

    https://www.theregister.co.uk/2018/07/13/no_seriously_why_are_you_holding_your_phone_like_that/

  6. bombastic bob Silver badge
    Devil

    Re: Been that way for years

    on a train, the guy next to you might be doing an MITM attack by setting up a wifi gateway...

    Years ago, as a joke, while riding on a train, I set up a wifi AP on my laptop, running FreeBSD, to see how many people's computers would attempt to connect. A few hits, but enough as proof of concept. no internet was accessible, though, just the AP running. didn't even do DHCP. wasn't trying to crack systems, just see what would happen. Now, if I were REALLY trying to crack things, I'd have some spoofed intarweb stuff on there, or maybe MITM gateway to the *real* intarwebs, and some ssh-sniffing stuff to go with it... because knowing it CAN be done proves why you should be concerned!

    Also worthy pointing out is the number of "promiscuous" computers out there that latched onto any AP they could find... and cell phones capable of acting like intarweb gateways.

    VPN looks pretty good at this point (as was proposed as a solution in the article) as long as you're careful about verifying any server-side keys/certs to make sure you're talking to the right one.

  7. Anonymous Coward
    Anonymous Coward

    Oh boy...

    The first flaw identified involves the 3GPP Wi-Fi network selection mechanism, which does not exclude insecure Wi-Fi networks when choosing a network for connection.

    Nor should it. Anyone connecting to an open SSID should certainly understand that they are wide open to attack.

    The second is that devices making Wi-Fi calls lack defenses against ARP (Address Resolution Protocol) spoofing/poisoning attacks, which the researchers say is often a precursor to a man-in-the-middle attack.

    The typical defenses against ARP spoofing and poisoning should never be introduced at the client/workstation level. Expecting an end user to understand and enable/maintain such configurations is a fool's errand. These features that protect ARP need to be enabled on network infrastructure instead.

    The third flaw found has to do with the way the three US carriers' implement IPSec protection, which turns out to be vulnerable to side channel attacks that can leak private information.

    Well, of course it will be vulnerable to side channel attacks. The alternative to run a VPN on your phone, which I would do if I was on an open SSID. But why would I bother when I spend so much time and effort securing my Wifi networks?

    The fourth vulnerability, say the researchers, is a design defect in the way Wi-Fi calling standards work. Wi-Fi calling protocols are set up to only consider the quality of Wi-Fi links when initiating a connection. But once a functional link is established, a Wi-Fi calling device won't switch to the cellular network if Wi-Fi packets keep getting dropped.

    I call bollocks on this one. If there's enough packet loss, the phone doesn't think you have Internet access, which is the trigger to revert to the mobile data. It's not remotely reasonable to expect the phone to revert to mobile data every time there's any packet loss. And if you did set a threshold, is there really a point at which you can readily set one? Is 50% packet loss on one connection among many too much? 25%?

    These points are understandable, but hardly qualify as vulnerabilities. I would also point out that the issues don't really lie, in most cases, with Wifi calling itself, but with the underlying network involved.

  8. Anonymous Coward Silver badge
    Boffin

    Re: Oh boy...

    Moreso, it shouldn't matter whether the WiFi is open or not - the data should be secured enough between your phone and the phone company. Just having encryption on the local link doesn't mean anything about the rest of the link, so treat everything as insecure.

    As for the 'side-channel attacks' which boil down to detecting when a call is in progress, well duh. Just look at the volume/pattern of data flow and the destination... it's damn obvious when a call is in progress.

    So yeah, I call "publish for publicity and funding" - there's no real vulnerability here.

  9. Voland's right hand Silver badge

    Re: Oh boy...

    And if you did set a threshold, is there really a point at which you can readily set one? Is 50% packet loss on one connection among many too much? 25%?

    There is a world of difference between RTCP stats for the VOIP RTP stream and the Android or IOS perception of "there is Internet". First of all, they also take into account rtt and jitter which are at least as important than loss. Second, if RTCP is implemented in full both sides are fully aware of what their counterpart thinks about the link quality.

    If neither the phone, nor the Net can initiate handover based on VOIP quality assessment, then the system is completely broken to start off with.

  10. Anonymous Coward
    Anonymous Coward

    Re: Oh boy...

    There is a world of difference between RTCP stats for the VOIP RTP stream and the Android or IOS perception of "there is Internet".

    Really? #smh

    First of all, they also take into account rtt and jitter which are at least as important than loss. Second, if RTCP is implemented in full both sides are fully aware of what their counterpart thinks about the link quality.

    While true, my criticism would still apply, because you're talking about the VoIP client, not the MAC/PHY or TCP/IP stack. Do we really want a single application dictating every time the entire phone will flip between connections?

    If neither the phone, nor the Net can initiate handover based on VOIP quality assessment, then the system is completely broken to start off with.

    This is akin to expecting your redundant Internet to failover every time the IP PBX thinks that things aren't so great for a moment or two. In the end, it's the end user who should make the decision, with a popup recommending disabling Wifi, moving to an alternate SSID, or something similar.

  11. Waseem Alkurdi

    Use a VPN?

    Don't get us going again on the merits of giving our calls to the Kremlin by using a US-based service, or to the CIA/NSA/other TLA by using a service not claiming to be based in the US.

    * Actual TLAs and countries are subject to change as political alliances (read: opportunists spotting perceived chances) are forged and broken

  12. JohnFen Silver badge

    Re: Use a VPN?

    If your goal is to resist third party attacks rather than hiding from your ISP, then you can use a VPN that you run yourself. Then you don't have to worry about the trustworthiness of a VPN provider because you aren't using one.

    This is what I do with my phone -- all communications go through a VPN that I run at home (I use a firewall to ensure no packets get sent except through the VPN). I am still exposed to my home's ISP, of course, but otherwise my communications are always encrypted.

  13. s2bu

    VPN?

    "The third flaw found has to do with the way the three US carriers' implement IPSec protection..."

    "A practical mitigation for these attacks, the researchers say, involves running a VPN on mobile devices.."

    What, pray tell, do they think IPsec *IS USED FOR*?! They already *ARE* running a VPN!

  14. JohnFen Silver badge

    Re: VPN?

    IPSec is problematic.

    The last security review of it that I'm aware of was a very long time ago (around 2003), but at that time, it was found to have some pretty serious design flaws and the general consensus was that it shouldn't be used if another option was available.

    Perhaps things have improved since then, but until I see a new analysis reporting that the issues have been addressed, I will continue to not consider IPSec to be adequate.

  15. s2bu

    Re: VPN?

    There were issues with IKEv1, aggressive mode, and some of the various crypto methods. If you use IKEv2 and a secure crypto set, you're fine.

  16. DougS Silver badge

    Well of course VoLTE is more secure

    I can't hang a device off a carrier's VoLTE network like I can off a wifi network! I imagine there may be worse security failings in VoLTE, and much of its improved security relies on the carrier's network being much harder to access.

    This is like saying it is easier to pickpocket someone when they are walking on a public sidewalk than when they are walking down the halls of the Pentagon.

  17. doublelayer

    Meanwhile, maybe they can make it work

    While they're taking a look at this to see whether there are really any security problems that need fixing, perhaps they could make calls over WiFi functional? I frequently visit a building where mobile signal is terrible, and completely nonfunctional without leaning out a window (people literally do this). It does have comprehensive wired and WiFi network connections, though, so I figured I'd just enable WiFi calling and we'd be back to normal. Which we are in terms of quality when a call is established; it's usually very clear. The only tiny problems are that:

    1. Calls drop randomly, requiring a reconnect,

    2. After receiving and answering a call, I have to spend about five seconds waiting for the connection to happen so the person on the other end can hear me,

    3. When sending a call, there's a fifty-fifty chance that it will go through immediately with good clarity of sound or immediately drop making the person think that I've just called them and immediately hung up,

    4. When moving, and therefore changing from one AP to another, quality for the other person drops. At least they complain that they cannot hear me anymore, although I can always hear them fine.

    No, I don't know why this is, but it really isn't helping. So maybe they could figure out why and fix it. If they find security problems on the way, fix as needed.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018