IMS / VoLTE infrastructure penetration test

In a VoLTE network, voice calls are transported as IP packets signalled with the SIP protocol, instead of over the traditional circuit-switched path. New nodes are involved in this process, such as the P-CSCF or the VoLTE-to-CS gateway, which are part of the IMS infrastructure.

The MEs (mobile equipment) access these nodes through dedicated data bearers: one used for SIP signalling and, in some deployments, others dedicated to the RTP media payload.

Unlike our SS7, Diameter and GTP penetration tests, the attacks on the VoLTE and IMS infrastructure are not conducted from interfaces exposed for roaming, but from the ME itself. MEs are within easy reach of a far larger number of attackers, as no special relationship with a roaming partner and no special connectivity is required! Rather, the attacker can gain access to critical nodes in the infrastructure simply by purchasing a retail subscription from the target operator.
While traffic between the ME and the IMS nodes is typically encrypted in an IPsec VPN, various methods exist to breach this VPN, because the attacker has physical access to the ME, which can be rooted and/or modified.

After first breaching the VPN for the test subscriptions and confirming communication with the IMS nodes, the IMS/VoLTE vulnerability assessment consists of executing a range of attack scenarios, many of them SIP-based, against the two test subscriptions provided, without any service impact on the operator's infrastructure or on other live subscribers.
The large number of possible attacks and parameters means that at least some type of vulnerability is discovered on most networks, even those that have successfully passed previous security audits!