VoWiFi Vulnerabilities Exposed: Millions of Mobile Users at Risk
Researchers from CISPA, SBA Research, and the University of Vienna have identified two vulnerabilities in Voice over Wi-Fi (VoWiFi), the protocol behind mobile Wi-Fi calling, that put the communications of millions of mobile users worldwide at risk. The flaws have since been fixed, and the researchers have now published their findings.
Modern smartphones can place calls not only over the mobile network but also over Wi-Fi (Wi-Fi calling), which keeps them reachable where cellular coverage is poor. Since 2016 nearly all major carriers have offered Wi-Fi calling, and support for it ships pre-installed on new smartphones.
The vulnerabilities affected 13 of the 275 mobile operators studied, among them operators in Austria, Slovakia, Brazil, and Russia, and exposed the communications of roughly 140 million customers.
The first flaw concerns a core component of the LTE and 5G architecture, the Evolved Packet Data Gateway (ePDG). To place a Wi-Fi call, the smartphone must register with the operator's core network, and to protect that registration an IPsec tunnel is established between the handset and the ePDG.
The tunnel is set up in several stages. Its security rests on the Internet Key Exchange protocol (IKEv2 in this setting), in which both sides run a Diffie-Hellman exchange to derive the session keys. The private value each side contributes to that exchange is supposed to be secret and freshly generated for every session; the affected operators met neither condition.
The ePDGs of thirteen operators drew their private values from one global set of just 10 static keys instead of generating a fresh random value per session. Because the keys never changed, anyone holding one of them can recompute the session keys of every tunnel negotiated with it from the public values alone and decrypt the traffic between handsets and the operator, including traffic recorded in the past. The affected operators, their equipment vendors, and potentially the security services of each country had access to these keys. The static keys stem from a configuration error in the ZXUN-ePDG gateway product of the Chinese equipment vendor ZTE (CVE-2024-22064 in the list below).
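To make the consequence of a static Diffie-Hellman private value concrete, here is an added example, not code from the paper, from any operator or from ZTE. It models an IKE-style exchange between a handset and an ePDG over a toy group (the modulus 2^127-1 and base 2 are demo assumptions, not an IKEv2 MODP group), shows that key reuse is visible from captured IKE_SA_INIT responses alone as a repeated responder public value, and shows that whoever holds the static private value can re-derive every session key after the fact. The leaked key value and the MAC construction are constructed for the demo.

```python
"""Added example, not code from the paper or from any operator or vendor.
Toy IKE-style Diffie-Hellman between a handset (initiator) and an ePDG
(responder). It shows (1) how a static responder private value shows up in
captured IKE_SA_INIT responses as a repeated public value and (2) how anyone
holding that static private value recovers every session key after the fact."""
import hashlib
import secrets
from dataclasses import dataclass

# Toy group used only for this demo (assumption): a Mersenne prime modulus and
# a fixed base. Real IKEv2 uses the registered MODP/ECP groups.
P = 2**127 - 1
G = 2


def keypair(priv=None):
    """Return (private, public). priv=None draws a fresh random value, which is
    what every IKE exchange is supposed to do; a fixed priv models the static
    key misconfiguration."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(peer_pub, my_priv):
    """Hash the DH shared secret into a 256-bit session key (stand-in for
    IKEv2's SKEYSEED/PRF derivation)."""
    shared = pow(peer_pub, my_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


@dataclass(frozen=True)
class Capture:
    """What a passive observer sees of one exchange: both public values plus a
    MAC over the first protected message, computed under the session key."""
    phone_pub: int
    epdg_pub: int
    mac: bytes


def run_exchange(epdg_priv=None):
    """One IKE_SA_INIT-style exchange, returned as the observer's capture."""
    a, phone_pub = keypair()
    b, epdg_pub = keypair(epdg_priv)
    k_phone = derive_key(epdg_pub, a)
    k_epdg = derive_key(phone_pub, b)
    assert k_phone == k_epdg  # both sides agree on the session key
    mac = hashlib.sha256(k_phone + b"IKE_AUTH message").digest()[:16]
    return Capture(phone_pub, epdg_pub, mac)


def responder_key_is_static(captures):
    """Passive check from packet captures alone: with a fresh private value per
    exchange a repeated responder public value is astronomically unlikely, so
    any repeat means the ePDG is reusing its private value."""
    pubs = [c.epdg_pub for c in captures]
    return len(set(pubs)) < len(pubs)


def decrypts_with_static_key(capture, static_priv):
    """Whoever holds the static private value re-derives the session key from
    the captured public values and can verify (and, in reality, decrypt) the
    traffic, including recordings made before the key leaked."""
    k = derive_key(capture.phone_pub, static_priv)
    return hashlib.sha256(k + b"IKE_AUTH message").digest()[:16] == capture.mac


if __name__ == "__main__":
    LEAKED = 0x5EED  # stands in for one of the global static keys (constructed)
    reused = [run_exchange(LEAKED) for _ in range(5)]
    fresh = [run_exchange() for _ in range(5)]
    print("static key detected:", responder_key_is_static(reused))   # True
    print("fresh keys detected:", responder_key_is_static(fresh))    # False
    print("all reused sessions recoverable:",
          all(decrypts_with_static_key(c, LEAKED) for c in reused))  # True
```

The detection function is the check a practitioner can run against real captures: the responder's KE payload in IKE_SA_INIT is sent in the clear, so a gateway that answers several independent exchanges with the same public value is reusing its private value, whatever the rest of its configuration looks like.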
In addition, the researchers found a second vulnerability in many newer chipsets (including 5G models) from the Taiwanese manufacturer MediaTek, which are used in Android smartphones from Xiaomi, Oppo, Realme, and Vivo.
The modem works together with the SIM card to register the user with the mobile network over VoWiFi. The researchers found that an active attacker could force the handset side of the negotiation down to the weakest cipher suite it supported. An analysis of the VoWiFi configurations of other manufacturers, including Google, Apple, Samsung, and Xiaomi, showed that outdated cryptographic algorithms were still offered in up to 80% of cases.
The researchers cannot say how many users were actually attacked or eavesdropped on. They reported the issues through the GSMA's Coordinated Vulnerability Disclosure (CVD) programme and to the affected vendors and operators, which developed fixes that have since been rolled out. Only after this responsible-disclosure process did the team publish its work, at the USENIX Security Symposium 2024, making the results available to other researchers.
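The downgrade described above comes down to one rule of IKEv2 negotiation: the responder picks one proposal from the list the initiator offered, so the weakest transform a handset offers is the level an active attacker can push it to. The following added example (not code from the paper, from MediaTek or from any handset vendor) models that selection, an on-path attacker that strips the strong proposals, and the two handset-side remedies: enforcing a minimum strength on the result, or never offering legacy transforms in the first place. The algorithm names, the strength ranking and the ePDG's supported set are illustrative assumptions; the page does not say which check the MediaTek modem lacked, so only the general pattern is shown.

```python
"""Added example, not code from the paper or from MediaTek or any handset
vendor. Models IKEv2 proposal selection (the responder picks the first
proposal it supports from the initiator's list), an active on-path attacker
that strips the strong proposals, and the handset-side policy that blocks
the downgrade. Names and the strength ranking are illustrative assumptions."""
from dataclasses import dataclass

# Relative strength used only by this demo (assumption); the page gives none.
ENCR_RANK = {"3DES-CBC": 1, "AES-CBC-128": 2, "AES-GCM-256": 3}
DH_RANK = {"MODP-1024": 1, "MODP-2048": 2, "ECP-256": 3}


@dataclass(frozen=True)
class Proposal:
    encr: str
    dh: str

    def strength(self):
        # A proposal is only as strong as its weakest component.
        return min(ENCR_RANK[self.encr], DH_RANK[self.dh])


# A permissive handset offer that still lists legacy transforms, the kind of
# configuration the researchers found in up to 80% of cases (assumed values).
LEGACY_OFFER = (
    Proposal("AES-GCM-256", "ECP-256"),
    Proposal("AES-CBC-128", "MODP-2048"),
    Proposal("3DES-CBC", "MODP-1024"),
)
# Hardened offer: legacy transforms are simply not offered.
HARDENED_OFFER = LEGACY_OFFER[:2]

# What the ePDG accepts; assumed here to include the legacy transforms.
EPDG_SUPPORTED = frozenset(LEGACY_OFFER)


def strip_strong(offer):
    """On-path attacker: forward only the weakest proposal to the responder."""
    return (min(offer, key=Proposal.strength),)


def responder_select(offer, supported=EPDG_SUPPORTED):
    """IKEv2 rule: the responder picks the first offered proposal it supports."""
    return next((p for p in offer if p in supported), None)


def negotiate(offer, min_strength=0, attacker=None):
    """Run the exchange from the handset's point of view and return the accepted
    proposal, or None if the handset rejects the outcome.
    min_strength=0 models a handset that accepts anything it offered (the
    downgrade succeeds); min_strength=2 models a floor below which it refuses."""
    seen_by_epdg = attacker(offer) if attacker else offer
    chosen = responder_select(seen_by_epdg)
    if chosen is None or chosen not in offer:
        return None  # no common proposal, or something we never offered
    if chosen.strength() < min_strength:
        return None  # handset enforces a minimum policy on the result
    return chosen


if __name__ == "__main__":
    # No attacker: the strongest proposal wins.
    print(negotiate(LEGACY_OFFER))
    # Attacker strips the strong proposals; a permissive handset ends up on
    # 3DES-CBC / MODP-1024.
    print(negotiate(LEGACY_OFFER, attacker=strip_strong))
    # Same attack against a handset with a floor: the negotiation is refused.
    print(negotiate(LEGACY_OFFER, min_strength=2, attacker=strip_strong))
    # Same attack against a handset that never offers legacy transforms: the
    # attacker can only push it to the weakest proposal it still offers.
    print(negotiate(HARDENED_OFFER, attacker=strip_strong))
```

The last case is the practical lesson: removing weak transforms from the offer bounds what any downgrade can achieve, and a floor on the accepted result catches the cases where the offer cannot be changed. In real IKEv2 the initiator's SA payload is also covered by the later AUTH exchange, so a conforming implementation detects stripped proposals at that point; the example deliberately stays at the policy level because the page does not describe the specific check that was missing.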
Vulnerabilities:
- CVD-2024-0089 – GSMA Mobile Security Research Acknowledgements
- CVE-2024-20069 (CVSS score: 6.5) – Weaker algorithm selection during negotiation (algorithm downgrade) in the MediaTek June 2024 Product Security Bulletin
- CVE-2024-22064 (CVSS score: 8.3) – Configuration error in ZTE ZXUN-ePDG