Voice over LTE (VoLTE) and Voice over NR (VoNR) are two similar technologies that have been widely deployed by operators to provide a better calling experience in LTE and 5G networks, respectively. The VoLTE/NR protocols rely on the security features of the underlying LTE/5G network to protect users' privacy such that nobody can monitor calls and learn details about call times, duration, and direction. In this paper, we introduce a new privacy attack which enables adversaries to analyse encrypted LTE/5G traffic and recover any VoLTE/NR call details. We achieve this by implementing a novel mobile-relay adversary which is able to remain undetected by using an improved physical layer parameter guessing procedure. This adversary facilitates the recovery of encrypted configuration messages exchanged between victim devices and the mobile network. We further propose an identity mapping method which enables our mobile-relay adversary to link a victim's network identifiers to the phone number efficiently, requiring a single VoLTE protocol message. We evaluate the real-world performance of our attacks using four modern commercial off-the-shelf phones and two representative, commercial network carriers. We collect over 60 hours of traffic between the phones and the mobile networks and execute 160 VoLTE calls, which we use to successfully identify patterns in the physical layer parameter allocation and in VoLTE traffic, respectively. Our real-world experiments show that our mobile-relay works as expected in all test cases, and the VoLTE activity logs recovered describe the actual communication with 100% accuracy. Finally, we show that we can link network identifiers such as International Mobile Subscriber Identities (IMSI), Subscriber Concealed Identifiers (SUCI) and/or Globally Unique Temporary Identifiers (GUTI) to phone numbers while remaining undetected by the victim.
翻译:LTE (VoLTE) 和 NR (VoNR) 的语音( VoLTE) 是两种类似的技术, 运营商广泛使用, 以提供LTE 和 5G 网络更好的调用经验。 VoLTE/ NR 协议依靠LTE/5G 网络的基本安全特征来保护用户隐私, 这样没有人能够监控电话, 了解通话时间、 持续时间和方向的细节。 在本文中, 我们引入一种新的隐私攻击, 使对手能够分析加密的 LTE/5G 临时流量, 并恢复VoLTE/ NR 调用的细节。 我们通过安装新型的移动校对对手, 通过使用改进的物理层测测图程序, 能够保持更准确的移动校对。 我们通过运行了60小时的移动网络, 并成功将我们的移动路路路路段定位为我们运行轨道/ 。 我们通过四台的网络和两个具有代表性的网络, 我们通过运行了60小时的移动路段运行模式, 运行了我们的移动路段, 我们的轨道记录显示我们的移动路段。