Never Gonna Give You Up: Exploring Deprecated NULL Ciphers in Commercial VoWiFi Deployments
Gabriel Karl Gegenhuber, Philipp Frenzel, Edgar Weippl

TL;DR
This paper investigates security misconfigurations, especially deprecated NULL ciphers, in commercial VoWiFi deployments that could compromise the confidentiality and integrity of voice communications over Wi-Fi.
Contribution
It provides an analysis of security configurations in VoWiFi deployments, highlighting the presence of deprecated NULL ciphers that weaken security.
Findings
Identification of deprecated NULL ciphers in VoWiFi deployments
Evidence of misconfigurations undermining communication security
Recommendations for improving security configurations
Abstract
In today's cellular network evolutions, such as 4G and 5G, the IMS (IP Multimedia Subsystem) serves as a crucial component in managing voice calls and handling short messages. Besides accessing the IMS over the traditional radio layer, many operators use Voice over Wi-Fi (VoWiFi), allowing customers to dial into their core network over the public Internet using an (insecure) Wi-Fi connection. To protect against malicious actors on the Wi-Fi or Internet domain, the traffic is sent over a series of IPsec tunnels, ensuring confidentiality and integrity. Similar to other encrypted protocols (e.g., TLS), the client and server use a handshake protocol (i.e., IKEv2) to communicate their supported security configurations and to agree upon the used parameters (e.g., keys or an encryption algorithm) for the ongoing session. This, however, opens the door for security vulnerabilities introduced by…
Taxonomy
Topics: Embedded Systems Design Techniques
