Watching your call: Breaking VoLTE Privacy in LTE/5G Networks

by   Zishuai Cheng, et al.

Voice over LTE (VoLTE) and Voice over NR (VoNR) are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100 as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.


Side-Channel VoIP Profiling Attack against Customer Service Automated Phone System

In many VoIP systems, Voice Activity Detection (VAD) is often used on Vo...

Peek-a-Boo: I see your smart home activities, even encrypted!

A myriad of IoT devices such as bulbs, switches, speakers in a smart hom...

Adaptive Traffic Fingerprinting: Large-scale Inference under Realistic Assumptions

The widespread adoption of encrypted communications (e.g., the TLS proto...

Referring to Screen Texts with Voice Assistants

Voice assistants help users make phone calls, send messages, create even...

Fingerprinting Encrypted Voice Traffic on Smart Speakers with Deep Learning

This paper investigates the privacy leakage of smart speakers under an e...

Performance Comparison Between VoLTE and non-VoLTE Voice Calls During Mobility in Commercial Deployment: A Drive Test-Based Analysis

The optimization of network performance is vital for the delivery of ser...

Protecting Privacy in VANETs Using Mix Zones With Virtual Pseudonym Change

Vehicular ad hoc networks VANETs use pseudonyms to communicate among the...

Please sign up or login with your details

Forgot password? Click here to reset