Mobile networks are continuously evolving. While new 5G networks are just getting started, the most popular mobile technology is still LTE with VoLTE extension for voice communications. The VoLTE service is based on the IMS core. Moreover, the IMS becomes the only standard for the voice communications on the 4G/5G mobile networks.
The VoLTE was always considered as a highly secure network because it was assumed the IMS is isolated from the public networks. However, our research demonstrates that an intruder is able not only execute attacks on VoLTE subscribers but also hijack the whole network. Having the hijacked VoLTE network, the intruder can provide their own mobile services using the LTE radio coverage of the victim mobile operator.
Unlike attacks on signaling protocols such as SS7, Diameter, and GTP, the VoLTE hack does not require any specific expensive connections to IPX/GRX providers. Apart from a computer with open-source software, the intruder needs to use an LTE-dongle only. This additional equipment costs not more than $50.
In this presentation, we will describe how the intruder is able to get access to the IMS network. Having this access, the intruder can obtain information about VoLTE subscribers and get access to these mobile devices. Developing the attack, intruder can deploy the IMS core open-source software to provide voice call service bypassing the operator’s IMS core and billing system.
The results of this research have not been published previously.
Pavel Novikov: 10 years in telecom security, co-author of GSMA FS.20 Document. Head of telecom security research in SecurityGen Focused on telecom vulnerabilities: RAN, VoLTE, VoWiFi, GTP, Diameter, 5G SA and NSA. Conducting telecom security assessments for mobile operators for many years.