
Understanding, Identifying, and Addressing the Security Implications of VoLTE Roaming


The evolution of VoLTE and VoLTE roaming

VoLTE has been part of the telecoms landscape for over a decade. In the early days of LTE, many mobile operators didn't prioritize support for VoLTE. They designed their LTE networks first and foremost for data services rather than native voice capabilities.

Instead, operators relied on the 2G and 3G fallback method called Circuit Switched Fallback (CSFB) for voice calls. LTE devices would "fall back" to 2G or 3G networks when making voice calls. This setup (2G and 3G for voice, LTE for data) worked well for operators and users alike.

Retiring 2G and 3G networks

The advent of newer 4G and 5G networks has exposed the limited functionality of older 2G and 3G networks. Operators around the world are therefore shutting down their 2G and 3G networks to free up valuable spectrum and capacity for faster, more efficient 4G and 5G networks.

Initially, the decision to retire either 2G or 3G networks in favour of LTE passed without incident. In cases where only one of either the 2G or the 3G network was decommissioned, the fallback mechanism ensured uninterrupted voice calls.

However, in countries where operators plan to retire both 2G and 3G, VoLTE becomes the sole method for delivering mobile voice calling. This throws up new operational challenges for operators to deal with – including the security of their customers and their networks.

Challenges of VoLTE roaming

In countries like the USA that invested heavily in LTE, the shift to VoLTE as the primary voice service has been relatively smooth. However, operators in other countries and regions face the challenge of ensuring voice services for their subscribers who travel to countries that have phased out 2G and 3G networks.

Roaming subscribers from regions and countries that still use 2G and 3G find themselves isolated when visiting places that have mothballed these networks. They can’t make calls or send SMS, which can have serious implications for personal contact, security, and access to essential services when abroad.

This situation has prompted operators to expedite the integration of VoLTE into their networks. However, in their haste to implement VoLTE, operators now risk overlooking critical security considerations and potentially exposing vulnerabilities in their networks.

Security concerns with VoLTE and VoLTE roaming

The legacy mindset of some operators means they assume that their infrastructure is closed off to everyone - subscribers, the internet, and all external threats. Consequently, when it comes to more open all-IP networks and services, such as VoLTE, these same operators may leave out in-depth cybersecurity measures, including proper segmentation, firewalls, and Access Control Lists (ACLs) for routers and switches.

Operators also frequently make light of the fact that VoLTE infrastructure is accessible to subscribers. As telecom cybersecurity experts, we conduct over 100 assessments and continuous research to understand new telco threats and vulnerabilities. Through various VoLTE security assessments, we've uncovered management interfaces and unnecessary services that are often accessible to ordinary VoLTE network subscribers. Below are examples of very basic security configuration mistakes that our expert team witnessed during such assessments:

  • Many network nodes expose services like SSH, FTP, X11, and web management interfaces to regular subscribers
  • Inadequate segmentation within the VoLTE network, which even novice users could identify. A closer examination uncovered improper P-CSCF configurations and a lack of encryption, potentially allowing end-users to access internal node identities during registration

These issues extend beyond internal infrastructure. VoLTE misconfigurations can leak other subscriber information: during a VoLTE call, it's possible to obtain details such as the caller's phone model, the device’s firmware version, and even the caller’s location via Cell-ID.

Retrieving such sensitive information doesn't require expert hacking skills. A simple nmap scan and passive packet analysis from the subscriber side are enough.
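An operator can check for these leaks in its own signalling before a subscriber does. The following is an added example, not code from the article: it audits one SIP message as delivered to a handset and flags device details, Cell-ID and internal node identities. The header names (User-Agent, Server, P-Access-Network-Info, Via, Record-Route and related routing headers), the internal domain suffix and the sample INVITE are assumptions and constructed values, not taken from the article.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it might arrive at the called subscriber's device.
SAMPLE_INVITE = (
    "INVITE sip:+15550100@ims.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bKabc\r\n"
    "Record-Route: <sip:scscf1.core.example.net;lr>\r\n"
    "From: <sip:+15550199@ims.example.net>;tag=1\r\n"
    "To: <sip:+15550100@ims.example.net>\r\n"
    "User-Agent: ExamplePhone-X1 FW/1.2.3\r\n"
    "P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=00101000100000a1\r\n"
    "Content-Length: 0\r\n\r\n"
)
ROUTING = {"via", "v", "record-route", "route", "path", "service-route"}

def parse_headers(message):
    """Return (lower-cased name, value) pairs, unfolding continuation lines."""
    head = re.sub(r"\r\n[ \t]+", " ", message.split("\r\n\r\n", 1)[0])
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def is_internal(token, suffix):
    """True for private IPv4 literals or hostnames in the (assumed) internal domain."""
    try:
        return ipaddress.ip_address(token).is_private
    except ValueError:
        return token.lower().endswith(suffix)

def audit(message, internal_suffix=".core.example.net"):
    """List (header, leak type, evidence) for data a subscriber should not see."""
    findings = []
    for name, value in parse_headers(message):
        if name in ("user-agent", "server"):
            findings.append((name, "device or software version", value))
        elif name == "p-access-network-info" and "cell-id" in value.lower():
            findings.append((name, "subscriber location (Cell-ID)", value))
        elif name in ROUTING:
            for token in re.findall(r"[A-Za-z0-9.-]+", value):
                if is_internal(token, internal_suffix):
                    findings.append((name, "internal node identity", token))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVITE):
        print(finding)
```

An empty result for messages captured on the subscriber-facing side indicates that the edge is stripping or rewriting these headers; bracketed IPv6 literals are not handled by this sketch.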

Securing the future of VoLTE

To ensure secure VoLTE roaming, operators need to implement concerted mitigation measures, configurations, and security controls. Conducting a security audit of the VoLTE network is the initial step in identifying potential vulnerabilities. This proactive measure allows operators to discover and address hidden vulnerabilities with the necessary protection measures. Moreover, the audit results serve as a foundation for planning more robust, forward-looking security solutions.

Given the ease with which an adversary can breach a VoLTE network, set against the global rush for VoLTE roaming, operators integrating VoLTE into their 4G networks need to make security a strategic and operational priority. They cannot dismiss VoLTE security as a mere box-ticking exercise; instead, they should approach it as a comprehensive process with a special focus on security audits and adherence to VoIP security standards and guidelines, such as GSMA's FS.38.

The following essential measures all contribute to a more secure VoLTE roaming experience:

  • Proper network segmentation to prevent subscribers from accessing the IMS (IP Multimedia Subsystem) infrastructure
  • Encryption of VoIP traffic to ensure data security against interception
  • Deployment of advanced signalling firewalls and SIP routing (P-CSCF) configurations to safeguard the IMS network from attacks
  • Regular software updates to prevent exploitation of known vulnerabilities
  • Ongoing monitoring and auditing of the IMS network to discover and address potential vulnerabilities

A methodical and thoughtful approach with security at its core is essential for operators aiming to achieve a seamless, secure, and sustainable VoLTE roaming rollout.

Author

Dmitry Kurbatov, the CTO and Co-Founder, is a world-renowned telecom security expert with over 15 years of experience in researching 5G, LTE network, SDN/NFV, and IoT. 

A telecom security veteran with a sharp focus on a research-based approach, Dmitry, along with his R&D team, has led several innovative global telecom security deployments. He has spearheaded the development of an automated security analysis system and telecom security research, which includes identifying vulnerabilities in network equipment, errors in data transfer, network design, protection of signalling protocols (SS7, Diameter, GTP), and IoT security.

Dmitry graduated from Moscow Technological University (MIREA) with a degree in information security of telecommunications systems.
