VWAttacker: A Systematic Security Testing Framework for Voice over WiFi User Equipments

TL;DR

VWAttacker is a comprehensive framework that systematically tests VoWiFi user devices for security vulnerabilities using property-guided adversarial testing, automated property extraction, and mutation techniques, revealing critical security flaws.

Contribution

It introduces the first systematic security testing framework for VoWiFi UEs, combining a testbed, LLM-based property extraction, and adversarial testing to uncover vulnerabilities.

Findings

Detected 13 security issues in 21 UEs

Discovered vulnerabilities allowing identity exposure and weak channels

One vulnerability acknowledged by MediaTek with high severity

Abstract

We present VWAttacker, the first systematic testing framework for analyzing the security of Voice over WiFi (VoWiFi) User Equipment (UE) implementations. VWAttacker includes a complete VoWiFi network testbed that communicates with Commercial-Off-The-Shelf (COTS) UEs based on a simple interface to test the behavior of diverse VoWiFi UE implementations; uses property-guided adversarial testing to uncover security issues in different UEs systematically. To reduce manual effort in extracting and testing properties, we introduce an LLM-based, semi-automatic, and scalable approach for property extraction and testcase (TC) generation. These TCs are systematically mutated by two domain-specific transformations. Furthermore, we introduce two deterministic oracles to detect property violations automatically. Coupled with these techniques, VWAttacker extracts 63 properties from 11 specifications, evaluates 1,116 testcases, and detects 13 issues in 21 UEs. The issues range from enforcing a DH shared secret to 0 to supporting weak algorithms. These issues result in attacks that expose the victim UE's identity or establish weak channels, thus severely hampering the security of cellular networks. We responsibly disclose the findings to all the related vendors. At the time of writing, one of the vulnerabilities has been acknowledged by MediaTek with high severity.