Little FYI: Wi-Fi calling services on AT&T, T-Mobile US, Verizon are insecure, say boffins

Subscribers using wireless calls wide open to attack

Boffins from Michigan State University in the US and National Chiao Tung University in Taiwan have found that the Wi-Fi calling services offered by AT&T, T-Mobile US, and Verizon suffer from four security flaws that can be exploited to attack mobile phone users, leaking private information, harassing them, or interfering with service.

In a research paper distributed through preprint service ArXiv on Thursday, eight computer scientists – Tian Xie, Guan-Hua Tu, Bangjie Yin, Chi-Yu Li, Chunyi Peng, Mi Zhang, Hui Liu, and Xiaomin Liu – dismiss existing Wi-Fi calling security mechanisms. They say that defenses like storing private keys on SIM cards, 3GPP Authentication and Key Agreement, IPSec for call signaling and voice/text packets, and switching to cellular networks to defend against Wi-Fi denial of service attacks fall short.

"Given these security mechanisms, which have been well studied in the VoLTE [Voice over LTE] and cellular networks for years, it seems that the Wi-Fi calling should be as secure as the VoLTE," the researchers state in their paper. "Unfortunately, it is not the case. We have identified several security threats in the Wi-Fi calling services deployed by T-Mobile, Verizon and AT&T in the US."

They attribute the flaws to "design defects of Wi-Fi calling standards, implementation issues of Wi-Fi calling devices, and operational slips of cellular networks." And to underscore the need to improve the security of Wi-Fi calls, they point out that Wi-Fi calling is expected to surpass VoLTE and VoIP (e.g. Skype) services this year in terms of usage time.

In the attack scenario described by the researchers, the victim is a mobile user who connects to a Wi-Fi access point with a device that has a Wi-Fi calling service. Specifically, the boffins tested eight smartphone models – Samsung Galaxy S6/S7/S8/J7, Apple iPhone 6/7/8, and Google Nexus 6P – with Wi-Fi calling from AT&T, T-Mobile, and Verizon.

The attacker can be anyone with a networked device on the same subnet as the victim. For their experiment, the researchers used a software-based Wi-Fi access point on a MacBook Pro 2014 laptop and an ASUS RT-AC1900 Wi-Fi access point on several university networks, including Michigan State University, New York University, University of California Berkeley, and Northeastern University.


The first flaw identified involves the 3GPP Wi-Fi network selection mechanism, which does not exclude insecure Wi-Fi networks when choosing a network for connection. By definition, it's disadvantageous to choose to connect to an insecure network if security is a concern.

The second is that devices making Wi-Fi calls lack defenses against ARP (Address Resolution Protocol) spoofing/poisoning attacks, which the researchers say is often a precursor to a man-in-the-middle attack. A successful attack could allow an adversary to intercept the network packets associated with a Wi-Fi calling device.

The third flaw found has to do with the way the three US carriers' implement IPSec protection, which turns out to be vulnerable to side channel attacks that can leak private information. Because Wi-Fi calling is the only service carried over IPSec in this scenario, it's possible to infer the Wi-Fi call events that occur (e.g. making/receiving a call).

The fourth vulnerability, say the researchers, is a design defect in the way Wi-Fi calling standards work. Wi-Fi calling protocols are set up to only consider the quality of Wi-Fi links when initiating a connection. But once a functional link is established, a Wi-Fi calling device won't switch to the cellular network if Wi-Fi packets keep getting dropped. This allows an adversary to force Wi-Fi callers to remain on a malicious Wi-Fi network with degraded service.

A practical mitigation for these attacks, the researchers say, involves running a VPN on mobile devices. Upgrading Wi-Fi calling standards would be a more comprehensive fix but that won't happen quickly.

The boffins say they've informed the telecom companies and device makers about their findings and are awaiting a response. Google, they say, answered already, classifying the DoS vulnerability as a low-severity issue to be fixed at the next opportunity.

The Register asked AT&T, T-Mobile US, and Verizon for comment. We've yet to hear back. ®

Similar topics

Other stories you might like

  • DuckDuckGo tries to explain why its browsers won't block some Microsoft web trackers
    Meanwhile, Tails 5.0 users told to stop what they're doing over Firefox flaw

    DuckDuckGo promises privacy to users of its Android, iOS browsers, and macOS browsers – yet it allows certain data to flow from third-party websites to Microsoft-owned services.

    Security researcher Zach Edwards recently conducted an audit of DuckDuckGo's mobile browsers and found that, contrary to expectations, they do not block Meta's Workplace domain, for example, from sending information to Microsoft's Bing and LinkedIn domains.

    Specifically, DuckDuckGo's software didn't stop Microsoft's trackers on the Workplace page from blabbing information about the user to Bing and LinkedIn for tailored advertising purposes. Other trackers, such as Google's, are blocked.

    Continue reading
  • Despite 'key' partnership with AWS, Meta taps up Microsoft Azure for AI work
    Someone got Zuck'd

    Meta’s AI business unit set up shop in Microsoft Azure this week and announced a strategic partnership it says will advance PyTorch development on the public cloud.

    The deal [PDF] will see Mark Zuckerberg’s umbrella company deploy machine-learning workloads on thousands of Nvidia GPUs running in Azure. While a win for Microsoft, the partnership calls in to question just how strong Meta’s commitment to Amazon Web Services (AWS) really is.

    Back in those long-gone days of December, Meta named AWS as its “key long-term strategic cloud provider." As part of that, Meta promised that if it bought any companies that used AWS, it would continue to support their use of Amazon's cloud, rather than force them off into its own private datacenters. The pact also included a vow to expand Meta’s consumption of Amazon’s cloud-based compute, storage, database, and security services.

    Continue reading
  • Atos pushes out HPC cloud services based on Nimbix tech
    Moore's Law got you down? Throw everything at the problem! Quantum, AI, cloud...

    IT services biz Atos has introduced a suite of cloud-based high-performance computing (HPC) services, based around technology gained from its purchase of cloud provider Nimbix last year.

    The Nimbix Supercomputing Suite is described by Atos as a set of flexible and secure HPC solutions available as a service. It includes access to HPC, AI, and quantum computing resources, according to the services company.

    In addition to the existing Nimbix HPC products, the updated portfolio includes a new federated supercomputing-as-a-service platform and a dedicated bare-metal service based on Atos BullSequana supercomputer hardware.

    Continue reading

Biting the hand that feeds IT © 1998–2022