
Verizon VoLTE Deployments Expose SIP Signaling to Interception

kb.cert.org · @threat_watch · 2 hours ago · Cybersecurity · 1 comment

IMS network traffic lacks negotiated IPsec integrity protection, allowing on-path attackers to manipulate registration, call setup, and emergency routing.

Tags: verizon, apple, kyung hee university, volte, sip, ipsec

Verizon IMS deployments have been observed transmitting SIP signaling without any negotiated integrity protection. During technical analysis, registration exchanges lacked Security-Client, Security-Server, and Security-Verify headers, while subsequent signaling—including INVITE, MESSAGE, BYE, and UPDATE—showed no evidence of ESP-encapsulated traffic.

Signaling Vulnerabilities Undermine VoLTE Security

This pattern of unprotected signaling persists across various devices and operating systems, indicating a deliberate network configuration rather than a transient error. According to 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the User Equipment (UE) and the P-CSCF must be protected using IPsec ESP following IMS AKA authentication. The absence of this mandatory protection allows on-path attackers to intercept, replay, or alter SIP messages without detection.

Such manipulation enables high-impact attacks, including call hijacking, identity spoofing, and denial-of-service. Most critically, attackers can manipulate emergency call routing, potentially misdirecting life-safety communications. While Apple's iOS 26.5 carrier bundle, released on May 11, 2026, included IMS IPsec-related settings, these configuration entries do not confirm that active deployment or successful negotiation is occurring in production environments.

Unconfirmed Mitigation and Ongoing Risk

Verizon initially acknowledged the issue, stating that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination efforts and has not provided verifiable evidence that the vulnerability has been mitigated. Without observable SIP security negotiation or ESP-protected traffic, the security exposure remains active.

Effective remediation requires Verizon to enable and enforce SIP security negotiation and ESP protection within its IMS core infrastructure. Simultaneously, mobile devices must correctly apply carrier configurations to support this IPsec layer. Until these protections are verified through traffic capture or official confirmation, organizations relying on high-assurance VoLTE should treat all signaling as untrusted.
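
One way to run the traffic-capture check described above, as an added example that is not code from the CERT/CC note or from Verizon: it audits a REGISTER / 401 / REGISTER exchange for the RFC 3329 Security-Client, Security-Server and Security-Verify headers and the ipsec-3gpp mechanism. The sample messages, host name and SPI/port values are constructed, and the function names are hypothetical; confirming ESP on the wire after registration is a separate check.

```python
import re

# Constructed sample exchanges (not captured traffic); host and SPI/port values are made up.
SEC = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=1111; spi-s=2222; port-c=5062; port-s=5063"
REG = "REGISTER sip:ims.example.invalid SIP/2.0\r\nCSeq: {} REGISTER\r\n"
UNPROTECTED = [REG.format(1) + "\r\n", "SIP/2.0 401 Unauthorized\r\n\r\n", REG.format(2) + "\r\n"]
PROTECTED = [
    REG.format(1) + "Security-Client: " + SEC + "\r\n\r\n",
    "SIP/2.0 401 Unauthorized\r\nSecurity-Server: " + SEC + "; q=0.1\r\n\r\n",
    REG.format(2) + "Security-Verify: " + SEC + ";q=0.1\r\n\r\n",
]

def parse(msg):
    """Split one SIP message into (start_line, {lowercased header name: [values]})."""
    head = msg.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)  # unfold continuation lines
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return start, headers

def mechanisms(headers, name):
    """Normalized entries of a comma-separated sec-agree header (whitespace removed)."""
    entries = ",".join(headers.get(name, [])).split(",")
    return [re.sub(r"\s+", "", e).lower() for e in entries if e.strip()]

def audit_registration(messages):
    """Return findings; an empty list means ipsec-3gpp negotiation was observed."""
    parsed = [parse(m) for m in messages]
    registers = [h for s, h in parsed if s.upper().startswith("REGISTER ")]
    challenges = [h for s, h in parsed if re.match(r"SIP/2\.0 401\b", s)]
    if not registers or not challenges:
        return ["incomplete exchange: need a REGISTER and its 401 challenge"]
    client = mechanisms(registers[0], "security-client")
    server = mechanisms(challenges[0], "security-server")
    verify = mechanisms(registers[-1], "security-verify") if len(registers) > 1 else []
    findings = []
    if not any(m.startswith("ipsec-3gpp") for m in client):
        findings.append("initial REGISTER: no Security-Client offering ipsec-3gpp")
    if not any(m.startswith("ipsec-3gpp") for m in server):
        findings.append("401 challenge: no Security-Server offering ipsec-3gpp")
    if not verify:
        findings.append("second REGISTER: no Security-Verify")
    elif verify != server:  # RFC 3329: the client must echo the server's list unchanged
        findings.append("Security-Verify does not echo Security-Server")
    return findings
```

An empty result from `audit_registration` only shows that the headers were negotiated; the subsequent INVITE, MESSAGE, BYE and UPDATE traffic still has to be seen inside ESP.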


Source: VU#615987: Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments
Domain: kb.cert.org
