We are reader supported. External links may earn us a commission.

Android

Paper highlights VoLTE vulnerabilities: spoofing, DoS attacks, unbilled data usage

By Stephen Schenck October 19, 2015, 6:21 pm

Using high-speed, efficient LTE data networks to handle voice calls makes a lot of sense, so it’s little surprise we already see plenty of carriers supporting such VoLTE systems – a number that’s only likely to increase. But for all the promise VoLTE promises, it also represents a major shift to the way voice calls are handled by phone hardware, routed, and even billed – changes that have the potential to cause users and carriers alike a few headaches. In a recent paper, a team of researchers in South Korea and the US highlight a number of these vulnerabilities, as well as discuss ways carriers and phone makers could go about securing their systems.

For instance, right now many users taking advantage of VoLTE may have service plans offering unlimited voice minutes, but still charging users for how much data they consume. By embedding data streams within VoLTE calls, a data-cheat may be able to send large amounts of data to a remote source without it counting against his plan’s allocation.

And because VoLTE call setup and reception is handled by apps on your phone rather than the normally restricted baseband radio, it’s possible for malicious software that makes its way onto a VoLTE-enabled phone to block a user’s ability to receive calls – without the user having any on-screen indication that something’s amiss.

There’s also the potential for users who are being billed per-call to disguise video calls (which in some markets are billed distinct from voice calls) as voice traffic, and for callers initiating VoLTE calls to misrepresent their phone numbers, spoofing someone else’s identity. The researchers take the time to highlight some countermeasures companies could put in place to address many of these vulnerabilities, but with VoLTE adoption still in its infancy, it’s not clear just how seriously carriers might take all these attacks, and whether they’ll see fit to dedicating the resources to address them – concentrating instead on simply getting things working at all.

Source: Kim et al. (ACM Digital Library)
Via: Slashdot

Latest Articles

Search