Mobile security

2014: A VoLTE Security Nightmare?

NEW YORK – Mobile Network Security Strategies – On Voice-over-LTE, no one can hear you scream.

Upcoming 4G packet voice services were highlighted as a significant new security risk in a panel discussion Thursday in New York on threats to the LTE network, devices, and users. Speakers from Cloudmark Inc., Juniper Networks Inc. (NYSE: JNPR), Nokia Networks, and Symantec Corp. (Nasdaq: SYMC) all agreed that VoLTE has the potential to be a threat as the services are deployed.

"It's opening a Pandora's Box," stated Basheer Nasir Ahmed, senior solutions manager at NSN.

Potential attacks include caller ID spoofing and distributed denial-of-service (DDoS) attacks. "Telephony DoS [or] TDoS," suggested John Veizades, senior product manager of mobile security at Juniper Networks, "is a can of worms."

Operators are just now starting to introduce call services over the all-IP LTE network and are planning the slow move away from circuit-switched voice calls over 3G and 2G technology.

Operators in Asia, Europe, and the US are planning to start VoLTE services over the next few years. Hong Kong operator CSL became one of the first to offer VoLTE services on Thursday. (See VoLTE Hits Hong Kong.)

— Dan Jones, Mobile Editor, Light Reading

Sarah Thomas 12/6/2013 | 7:56:34 AM
Why so serious? Haha, this might be the most terrifying lede I've ever read! Since VoLTE is just another data service on 4G, how are the attacks different than those that would affect other services? Is it just that they interrupt, or corrupt, a valuable service -- communications?
DanJones 12/6/2013 | 11:24:20 AM
Re: Why so serious? Yeah, basically, it wouldn't be possible to do a DDOS attack on 2G/3G. There were ways to spoof the old POTS network but you had to be a serious geek to make it happen.
spc_isdnip 12/6/2013 | 11:58:47 AM
VuIP needs to be ISOLATED The cellular folks are bleeding imbeciles if they are putting VoLTE into the same IP stream as the Internet! High-tier VoIP, better known as VuIP, always ALWAYS isolates the voice flow from the Internet, at a lower layer. It is typically done via MPLS. Voice flow should not even have a public IP address; it should be a local "net 10" address.

Of course the GSMA folks behind this fustercluck are the same ones who decided to use IMS (the Rube Goldberg Protocol Stack) as the model.  They do great work down in the RF layers, their field of expertise, but they understand higher layers and switching about as well as the average Cisco-certified router tech understands MIMO beamforming.  So if they confused VoIP (Vonage, voice over "the top" on a best-efforts open IP network, low-tier works when it feels like it) with VuIP (voice using IP, high tier using managed private capacity and IP as just a muxing stub), then they're just utterly incompetent and we should not assume that it will work out of the box.
DanJones 12/6/2013 | 12:36:37 PM
Re: VuIP needs to be ISOLATED I'm relatively certain the carriers will want to make sure this is fixed, doncha think?
brookseven 12/6/2013 | 1:22:46 PM
Re: VuIP needs to be ISOLATED http://en.wikipedia.org/wiki/Denial-of-service_attack

 

I just wanted to let you know your first D of DDoS is defined incorrectly in the article. It's Distributed Denial of Service. Not Dedicated. The big difference is that shutting down one source is a lot easier than shutting down 1000.

seven
DanJones 12/6/2013 | 1:45:50 PM
Re: VuIP needs to be ISOLATED My fault. I just wrote DDOS and didn't spell it out. Thanks for spotting it, just fixed it.
spc_isdnip 12/6/2013 | 2:47:55 PM
Re: VuIP needs to be ISOLATED Vulnerability to DDoS is characteristic of the public Internet. An isolated network is safe. So if they want VoLTE to not be subject to DDoS, it has to not be on the Internet.
DanJones 12/6/2013 | 4:18:12 PM
Re: VuIP needs to be ISOLATED That's some catch then, if I'm understanding you correctly, the whole raison d'etre of LTE is marrying phones and the Internet, no?
DanJones 12/6/2013 | 4:20:43 PM
Hat tip to Diametriq

I like it!

Diametriq @Diametriq

"@Dan_LRMobile: On #VoLTE no one can hear you scream! http://add.vc/ddT  via @Light_Reading" < or rather everyone ...

spc_isdnip 12/6/2013 | 5:32:52 PM
Re: VuIP needs to be ISOLATED No. The raison d'etre of LTE is getting more efficiency out of spectrum by employing modulation techniques that were impractical in the 3G era but are now possible thanks to Moore's Law and more DSP cycles. LTE features OFDM (vs. CDMA, nice but not quite as powerful), MIMO, and smart antennas.

The resulting bit rates are of course mostly needed for data applications. But telephone calls still need to be made, and telephony requires the kind of low-jitter low-loss QoS that best-efforts IP can't deliver.  Atop that, the Internet is a sewer, subject to malware and DDoS, which needs to be kept away from the PSTN. So while it's perfectly rational to use IP within the muxing stream of the voice, it makes no sense to expose it to the Internet.  Anyone who designs wireline networks understands that -- it drives a lot of MPLS, Carrier Ethernet, and other isolation technologies.

Look at PacketCable for an example. Same PMD, but QoS via time slot management, and it goes into separate private IP pipes from the public Internet. Works great. What's stupid is that PacketCable 2 is trying to be more like VoLTE, by using RubeIMS, though it's still kept isolated from the script kiddies.