Annual Computer Security Applications Conference (ACSAC) 2018


Wi Not Calling: Practical Privacy and Availability Attacks in Wi-Fi Calling

Wi-Fi Calling, used to make and receive calls over a Wi-Fi network, has been widely adopted and deployed to extend coverage and increase capacity in weak signal areas by moving traffic from LTE to Wi-Fi networks. However, the security of the Wi-Fi Calling mechanism has not been fully analyzed, and Wi-Fi Calling inherently has greater security risks than conventional LTE calling. To provide secure connections with confidentiality and integrity, Wi-Fi Calling leverages the IETF protocols IKEv2 and IPsec. In this work, we analyze the security of the Wi-Fi Calling specifications and discover several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks. By setting up a rogue access point in a live testbed environment, we observe that user devices can leak the International Mobile Subscriber Identity (IMSI), despite it being encrypted. The leaked information can be further exploited for tracking user locations. We also discuss how these protocols are vulnerable to several denial of service attacks. To protect user privacy and services against these attacks, we propose practical countermeasures. We also present trade-off considerations that make it challenging to apply countermeasures to mitigate the existing vulnerabilities. Additionally, we propose corresponding amendments to future protocol specifications to address these trade-offs.

Jaejong Baek
Arizona State University
United States

Sukwha Kyung
Arizona State University
United States

Haehyun Cho
Arizona State University
United States

Ziming Zhao
Arizona State University
United States

Yan Shoshitaishvili
Arizona State University
United States

Adam Doupé
Arizona State University
United States

Gail-Joon Ahn
Arizona State University and SAMSUNG Research
United States

 


