Insecurity of Operational IMS Call Systems: Vulnerabilities, Attacks, and Countermeasures

IMS (IP Multimedia Subsystem) is an essential 4G/5G component to offer multimedia services. It is used worldwide to support two call services: VoLTE (Voice over LTE) and VoWiFi (Voice over WiFi). In this study, it is shown that the signaling and voice sessions of VoWiFi can both be hijacked by a malicious adversary. By hijacking the signaling session, s(he) gains the ability to make ghost calls to launch stealthy DoS (Denial of Service) or caller-ID spoofing attacks against specific cellular users. Such attacks can be carried out without any malware or network information, and require only the victim's phone number to be known. It is shown that phones vulnerable to the call DoS attacks can be detected at run time by exploiting a vulnerability of cellular network infrastructures referred to as call information leakage, which is exposed based on a machine learning method. Especially, the call DoS attacks can prevent victims from receiving incoming calls for up to 99.0% time without user awareness. Moreover, by hijacking the voice session, an adversary can launch stealthy free data transfer attacks based on phone numbers alone rather than IP addresses. The identified vulnerabilities/attacks are validated in the operational 4G networks of four top-tier carriers across Asia and North America with seven phone brands. The study concludes by presenting a suite of solutions to address them.