For years, carriers have been moving toward a new system to let voice calls travel over data networks — a system known as Voice-over-LTE or VoLTE. It makes sense for infrastructure, since combining the two networks will mean more bandwidth for everyone. It's also an upgrade for consumers, enabling HD voice calls, background LTE data during a call, and features like video calling down the road. But implementing it has been more complicated than it sounds, and as consumers are finally getting VoLTE service from Verizon, AT&T, and T-Mobile, researchers are finding unexpected flaws in the system.

In a presentation last week at the ACM CCS security conference, a UCLA researcher named Guan-Hua Tu laid out the problems, specific to two major carriers that he declined to name for security reasons. Tu's research shows how much damage a bad actor can do with a rooted phone and a linked computer, pushing ordinary data traffic onto the bearers that VoLTE reserves for call signaling and voice. Exploiting that weakness, Tu was able to dodge data charges, shut down a target's data connection with a denial-of-service flood, or drive a victim's data charges through the roof.

Those vulnerabilities hint at some of the underlying problems with sending voice and data through the same channels. The current VoLTE and cellular standards split traffic into three channels, or bearers, each with its own quality-of-service class: conventional cellular data, a higher-priority bearer for the voice stream itself, and the highest-priority bearer for the signaling messages that set up, manage, and tear down those calls. Sorting packets onto the right bearer normally happens in the phone's modem, below the operating system and out of reach of apps, but with a rooted phone Tu was able to get around that separation, smuggling arbitrary data packets onto the signaling and voice bearers and opening the door for all sorts of exploits.

Tu's attacks work entirely within the cell network, setting them apart from normal internet-based exploits and letting them bypass traditional operator firewalls, which watch the border between the carrier's network and the internet rather than traffic between bearers. The result for most exploits would be a simple loss of service: packets injected onto the high-priority signaling bearer are served ahead of everything else, so the victim's ordinary data traffic is starved.

The networks have already fixed some of those exploits, particularly the data DoS attack, and the remaining vulnerabilities are more nuisances than serious concerns. Both carriers are vulnerable to a "voice DoS," shutting down a conversation mid-call with a flood of packets on the signaling bearer. One of the carriers is also vulnerable to free data and overbilling attacks, because traffic on the signaling bearer is not metered the way traffic on the data bearer is, and traffic directed at a victim's bearer can be charged to the victim. In practice, any of the attacks could be spotted and shut down by a network operator that checks whether the traffic on each bearer actually matches what that bearer is for, but carriers would have to notice and actively respond, and the underlying vulnerabilities remain.
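To make the bearer-priority mechanism and the two attacks it enables (the data DoS and free data) concrete, here is an added toy model in Python. It is not code from Tu's research or from any carrier: the bearer-to-QCI mapping, the IMS addresses and ports, the per-slot byte budget, the sample traffic, and the gateway policy rule are all constructed assumptions for illustration. It models a strict-priority scheduler over the three bearers, feeds it legitimate traffic plus a flood a rooted phone has pushed onto the signaling bearer, and then shows what a gateway-side bearer-conformance check (the kind of monitoring the article says an operator could do) changes.

```python
from collections import deque
from dataclasses import dataclass

# QoS Class Identifiers (QCI) this toy assigns to the three bearers. The mapping
# (5 = IMS signaling, 1 = voice, 9 = default data) follows common 3GPP usage but is
# an assumption of this example, not something the article or the carriers state.
QCI_SIGNALING, QCI_VOICE, QCI_DATA = 5, 1, 9
PRIORITY = {QCI_SIGNALING: 0, QCI_VOICE: 1, QCI_DATA: 2}   # lower number served first

# Constructed IMS core addresses and ports for the demo (not a real carrier's).
P_CSCF_ADDRS = {"10.0.0.1"}
SIP_PORTS = {5060, 5061}
MEDIA_GW_ADDRS = {"10.0.0.2"}


@dataclass
class Packet:
    qci: int      # bearer the packet was placed on
    proto: str    # "udp" or "tcp"
    dst: str      # destination address
    dport: int    # destination port
    size: int     # bytes
    origin: str   # "legit" or "injected": demo label only, invisible to the network


def conforms(pkt: Packet) -> bool:
    """Gateway-side bearer policy (assumed rule): the signaling bearer carries only SIP
    to the P-CSCF, the voice bearer only UDP media to the media gateway, and anything
    else must ride the default data bearer. Injected web traffic fails this check."""
    if pkt.qci == QCI_SIGNALING:
        return pkt.dst in P_CSCF_ADDRS and pkt.dport in SIP_PORTS
    if pkt.qci == QCI_VOICE:
        return pkt.proto == "udp" and pkt.dst in MEDIA_GW_ADDRS
    return pkt.qci == QCI_DATA


def schedule(queues: dict, budget: int) -> dict:
    """Strict-priority scheduler for one transmission slot: spend the byte budget on the
    highest-priority bearer first, then the next. Returns bytes served per QCI."""
    served = {qci: 0 for qci in queues}
    for qci in sorted(queues, key=PRIORITY.__getitem__):
        q = queues[qci]
        while q and q[0].size <= budget:
            pkt = q.popleft()
            budget -= pkt.size
            served[qci] += pkt.size
    return served


def run_slot(packets: list, budget: int, enforce_policy: bool) -> dict:
    """Queue packets on their bearers (optionally dropping policy violations at the
    gateway), run one scheduling slot and report what was served, dropped and billed.
    Billing assumption for the demo: only bytes on the default data bearer are metered."""
    queues = {qci: deque() for qci in PRIORITY}
    dropped = 0
    for pkt in packets:
        if enforce_policy and not conforms(pkt):
            dropped += 1
            continue
        queues[pkt.qci].append(pkt)
    served = schedule(queues, budget)
    return {
        "served": served,
        "dropped": dropped,
        "billed_bytes": served[QCI_DATA],
        "data_starved": served[QCI_DATA] == 0,
    }


def demo_traffic() -> list:
    """Constructed sample: one SIP message, a burst of RTP voice, a few web packets,
    plus a flood the attacker's rooted phone has pushed onto the signaling bearer."""
    legit = (
        [Packet(QCI_SIGNALING, "udp", "10.0.0.1", 5060, 300, "legit")]
        + [Packet(QCI_VOICE, "udp", "10.0.0.2", 40000, 200, "legit") for _ in range(5)]
        + [Packet(QCI_DATA, "tcp", "93.184.216.34", 443, 1000, "legit") for _ in range(5)]
    )
    injected = [Packet(QCI_SIGNALING, "tcp", "93.184.216.34", 443, 1400, "injected")
                for _ in range(10)]
    return legit + injected


if __name__ == "__main__":
    for enforce in (False, True):
        label = "policy enforced" if enforce else "no policy"
        print(label, run_slot(demo_traffic(), 10_000, enforce))
```

With the policy off, the injected packets are served first because they sit on the top-priority bearer: 8,700 bytes of "signaling" go out, the voice bearer still gets its 1,000 bytes, and the data bearer gets nothing, which is the data DoS. The same run shows the free-data side: the injected bytes were carried but never counted against the metered data bearer. With the policy on, all ten injected packets are dropped at the gateway and the data bearer is served normally. The check itself is simple; the article's point is that it has to be deployed and acted on by the operator, since nothing in the bearer design stops a rooted phone from choosing the wrong bearer.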

Many of the problems can't be fixed without changing the nature of VoLTE itself. The FCC requires voice traffic to take precedence over regular data, since the system needs to deliver the same call quality as traditional cell service. That can't happen if calls drop with every background app update. But since the priority tiers have to be interoperable between carriers and handset makers, they rely on well-defined, openly specified signaling, and anything a phone can be made to emit in that format will be treated as high priority, which is exactly what researchers like Tu exploit.

Tu is still lobbying for broader changes to be made, but the system is so distributed that it will be difficult to solve entirely. Carriers can monitor the networks more closely, but they can't change VoLTE protocols on their own, or change the hardware and software running on the average phone. "The ultimate solution calls for concerted efforts among carriers, standards, mobile operating systems, and chipset vendors," Tu says. "It cannot be done in a short time."