DOI: 10.1145/3636534.3649377
research-article
Open access

IMS is Not That Secure on Your 5G/4G Phones

Published: 29 May 2024

Abstract

IMS (IP Multimedia Subsystem) is vital for delivering IP-based multimedia services in mobile networks. Despite constant upgrades by 3GPP over the past two decades to support heterogeneous radio access networks (e.g., 4G LTE, 5G NR, and Wi-Fi) and enhance IMS security, the focus has primarily been on cellular infrastructure. Consequently, IMS security measures on mobile equipment (ME), such as smartphones, lag behind rapid technological advancements. Our study reveals that mandated IMS security measures on ME fail to keep pace, resulting in new vulnerabilities and attack vectors, including denial of service (DoS) across all networks, named SMS source spoofing, and covert communications over Video-over-IMS attacks. All vulnerabilities and proof-of-concept attacks have been experimentally validated in operational 5G/4G networks across various phone models and network operators. Finally, we propose and prototype standard-compliant remedies for these vulnerabilities.


    Published In

    ACM MobiCom '24: Proceedings of the 30th Annual International Conference on Mobile Computing and Networking
    December 2024
    2476 pages
    ISBN:9798400704895
    DOI:10.1145/3636534
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. cellular networks
    2. IP multimedia services (IMS)
    3. security

    Qualifiers

    • Research-article

    Conference

    ACM MobiCom '24
    Acceptance Rates

    Overall Acceptance Rate 440 of 2,972 submissions, 15%

    Article Metrics

    • Total Citations: 0
    • Total Downloads: 923
    • Downloads (Last 12 months): 923
    • Downloads (Last 6 weeks): 163
    Reflects downloads up to 25 Jan 2025
