Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments

TL;DR

This paper analyzes the security of key exchange protocols in commercial VoWiFi deployments, revealing widespread use of static private keys and fallback modes that weaken security in real-world systems.

Contribution

It provides an empirical analysis of phase 1 IPsec key exchange implementations in VoWiFi, uncovering insecure practices and common vulnerabilities across multiple operators and devices.

Findings

Identified fallback to weak, unannounced modes in 5G baseband chipsets.

Discovered 13 operators using the same static private keys, risking widespread decryption.

Demonstrated that many deployments rely on insecure key exchange configurations.

Abstract

Voice over Wi-Fi (VoWiFi) uses a series of IPsec tunnels to deliver IP-based telephony from the subscriber's phone (User Equipment, UE) into the Mobile Network Operator's (MNO) core network via an Internet-facing endpoint, the Evolved Packet Data Gateway (ePDG). IPsec tunnels are set up in phases. The first phase negotiates the cryptographic algorithm and parameters and performs a key exchange via the Internet Key Exchange protocol, while the second phase (protected by the above-established encryption) performs the authentication. An insecure key exchange would jeopardize the later stages and the data's security and confidentiality. In this paper, we analyze the phase 1 settings and implementations as they are found in phones as well as in commercially deployed networks worldwide. On the UE side, we identified a recent 5G baseband chipset from a major manufacturer that allows for fallback to weak, unannounced modes and verified it experimentally. On the MNO side -- among others -- we identified 13 operators (totaling an estimated 140 million subscribers) on three continents that all use the same globally static set of ten private keys, serving them at random. Those not-so-private keys allow the decryption of the shared keys of every VoWiFi user of all those operators. All these operators deployed their core network from one common manufacturer.