VoWiFi Vulnerabilities Exposed Millions to Eavesdropping Since 2016
Researchers from CISPA, SBA Research, and the University of Vienna have discovered two vulnerabilities in the Voice over WiFi (VoWiFi) mobile protocol, putting the security of communications for millions of mobile phone users worldwide at risk. Although these flaws have now been fixed, the researchers have shared details of their findings.
Modern smartphones can make phone calls not only through the cellular network but also over Wi-Fi (Wi-Fi calling, or VoWiFi), which keeps the phone reachable in places with poor cellular coverage. Since 2016, nearly all major mobile carriers have offered Wi-Fi calling, and virtually every new smartphone supports it out of the box.
How the Vulnerabilities Worked
The vulnerabilities affected the services of 13 out of 275 mobile operators studied, including providers in Austria, Slovakia, Brazil, and Russia, putting the communications of about 140 million customers at risk.
The issue lay in a core network component of LTE and 5G architectures, the Evolved Packet Data Gateway (ePDG). For Wi-Fi calling, the smartphone must register with the operator's core network over a Wi-Fi link the operator does not control, so the registration and the call traffic are carried inside IPsec tunnels established between the device and the ePDG.
These IPsec tunnels are set up in several stages; their security rests mainly on the Internet Key Exchange (IKE) protocol, which derives the session keys from a Diffie-Hellman exchange between the phone and the gateway. Each side's private Diffie-Hellman value must be kept secret and generated freshly at random for every exchange. The affected operators' gateways met neither requirement.
Thirteen operators' gateways drew from the same global set of 10 static private values instead of generating a fresh one per tunnel. Anyone holding these values can compute the session keys from the traffic they observe and passively eavesdrop on the communication between smartphones and the operator. Every affected operator, the equipment manufacturer, and possibly the security services of each country could have had access to them. The keys were traced to ePDG equipment from the Chinese vendor ZTE (see CVE-2024-22064 below).
Additional Vulnerabilities in MediaTek Chips
The researchers also found a separate vulnerability in many recent chips (including 5G models) from the Taiwanese manufacturer MediaTek, used in some Android smartphones from Xiaomi, Oppo, Realme, and Vivo.
The chip's baseband, together with the SIM card, handles the phone's registration with the mobile network over VoWiFi, including the IKE negotiation with the ePDG. The researchers found that an active attacker on the path could force the phone's side of that negotiation down to the weakest cryptographic settings it supports (an algorithm downgrade). Analysis of the VoWiFi configurations shipped by other manufacturers (Google, Apple, Samsung, and Xiaomi) showed that outdated cryptographic methods were still offered in up to 80% of cases, so even a standards-conformant negotiation can end up on weak parameters.
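As an added illustration (not MediaTek's or any other vendor's code), the following models the part of IKE_SA_INIT where the downgrade happens. In IKEv2 the initiator proposes a list of Diffie-Hellman groups and the responder picks one, either in its SA payload or by answering with an INVALID_KE_PAYLOAD notification naming the group it wants. An initiator that trusts that reply without checking it against its own proposal and a minimum-strength policy can be talked down to the weakest group by anyone who can inject a packet; and an initiator whose configuration still lists weak groups can be downgraded even by a responder that follows the specification. The group IDs are the IANA IKEv2 DH group numbers; the strength estimates are approximate (NIST SP 800-57 style); the function names and the `SaInitReply` type are assumptions made for this example.

```python
"""Added example (not vendor code): IKEv2 DH-group negotiation with a
downgradeable initiator beside a policy-checked one, plus a config audit.

Group IDs are IANA IKEv2 Transform Type 4 values.  Strength figures are
approximate symmetric-equivalent bits and are used only for ordering."""
from dataclasses import dataclass

DH_STRENGTH_BITS = {
    1: 62,    # 768-bit MODP, RFC 2409 (obsolete)
    2: 80,    # 1024-bit MODP, RFC 2409 (obsolete)
    5: 90,    # 1536-bit MODP, RFC 3526
    14: 112,  # 2048-bit MODP, RFC 3526
    19: 128,  # 256-bit random ECP, RFC 5903
    20: 192,  # 384-bit random ECP, RFC 5903
}
POLICY_FLOOR_BITS = 112   # example policy: nothing weaker than group 14


@dataclass(frozen=True)
class SaInitReply:
    """What the initiator sees coming back: either the responder's chosen
    group in its SA payload, or an INVALID_KE_PAYLOAD notify naming a group."""
    chosen_group: int
    invalid_ke: bool = False


def vulnerable_initiator(proposed: list[int], reply: SaInitReply) -> int:
    """Downgradeable behaviour: retries with whatever group the reply
    names, even one it never offered and even one below any sane floor.
    An attacker who can inject INVALID_KE_PAYLOAD(group=1) wins."""
    return reply.chosen_group


def hardened_initiator(proposed: list[int], reply: SaInitReply,
                       floor_bits: int = POLICY_FLOOR_BITS) -> int:
    """Checked behaviour: the chosen group must be one we proposed (RFC 7296
    section 2.7 lets the responder pick only among the offered groups) and
    must meet the local strength floor; anything else aborts the exchange."""
    group = reply.chosen_group
    if group not in proposed:
        raise ValueError(f"group {group} was not in our proposal; aborting")
    if DH_STRENGTH_BITS.get(group, 0) < floor_bits:
        raise ValueError(f"group {group} is below the policy floor; aborting")
    return group


def audit_proposal(proposed: list[int],
                   floor_bits: int = POLICY_FLOOR_BITS) -> list[int]:
    """Configuration check: groups in the proposal that a spec-compliant
    responder may legitimately select but that fall below the floor.  A
    non-empty result means the configuration is downgradeable by design."""
    return [g for g in proposed if DH_STRENGTH_BITS.get(g, 0) < floor_bits]


if __name__ == "__main__":
    injected = SaInitReply(chosen_group=1, invalid_ke=True)  # attacker's notify
    print("vulnerable initiator settles on group",
          vulnerable_initiator([14, 19], injected))
    try:
        hardened_initiator([14, 19], injected)
    except ValueError as err:
        print("hardened initiator:", err)
    print("weak groups in a legacy proposal:", audit_proposal([14, 5, 2, 1]))
```

The two checks are independent and both are needed: rejecting groups outside the proposal stops an injected notify from choosing something never offered, while the audit (or simply not configuring weak groups) is what stops a downgrade that the protocol itself permits because the phone offered the weak group in the first place.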
Impact and Response
The researchers cannot say how many users worldwide were actually affected or eavesdropped on. They reported the issues through GSMA's Coordinated Vulnerability Disclosure (CVD) programme and to the affected vendors and operators, giving them time to develop and roll out fixes; those updates have since been deployed. Only after this responsible disclosure are the researchers publishing their work, at the USENIX Security Symposium 2024, making their results available to other researchers.
Vulnerabilities Identified
- CVD-2024-0089 – GSMA Mobile Security Research Acknowledgements
- CVE-2024-20069 (CVSS score: 6.5) – Selection of a less secure algorithm during negotiation (algorithm downgrade), see MediaTek June 2024 Product Security Bulletin
- CVE-2024-22064 (CVSS score: 8.3) – Configuration error in ZTE ZXUN-ePDG