Current LTE networks rely on packet switching rather than the circuit switching used by previous generations of mobile networks. The use of packet switching and IP-based protocols (particularly SIP) may allow new types of attacks that were not possible on earlier networks. Such attacks are well known in the security community; see, for example, previous attacks against Voice over IP (VoIP). The following is a list of vulnerabilities discovered by security researchers in some current implementations of LTE networks. Note that every carrier has its own implementation and may not be vulnerable to every issue listed below.



CWE-732: Incorrect Permission Assignment for Critical Resource



The Android operating system does not have an appropriate permission model for current LTE networks: the CALL_PHONE permission can be bypassed by an application holding only the INTERNET permission, which can place a call by directly sending SIP/IP packets. A call made in this manner gives the user no feedback. Repeatedly placing such calls may result in overbilling or lead to denial of service.



Apple reports that iOS uses a different permission model and is not affected by this particular issue.



CWE-284: Improper Access Control



Some networks allow two phones to establish a session directly, without being mediated by a SIP server, so such communication is not accounted for by the provider. This may be used either to spoof phone numbers or to obtain free data usage, such as for video calls.



CWE-287: Improper Authentication



Some networks do not properly authenticate every SIP message, allowing spoofing of phone numbers.



CWE-384: Session Fixation



Some networks allow a user to establish multiple SIP sessions simultaneously rather than restricting the user to a single voice session, which may lead to denial-of-service attacks on the network. An attacker may also use this to establish a peer-to-peer network within the mobile network.
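As an added illustration (not part of this note or the cited paper) of the server-side checks the CWE-287 and CWE-384 items above imply, the following Python sketch validates an INVITE against the identity that was authenticated at registration and caps concurrent voice sessions per subscriber. The registration table, the source-address keying, and the session limit are assumptions for the example; the header names are the standard SIP ones.

```python
import re

# Constructed sample of what the SIP server learned at REGISTER time: the
# identity it authenticated, keyed by the source address it registered from.
# (Assumed layout; a real IMS core keeps this in its registrar state.)
REGISTRATIONS = {
    ("10.0.0.5", 5060): "sip:+15551230001@ims.example.net",
}
MAX_VOICE_SESSIONS = 1  # assumed policy: one concurrent voice session per subscriber

_URI_RE = re.compile(r"<?(sip:[^>;\s]+)")


def parse_sip(msg: str):
    """Split a SIP request into its request line and a lowercase header map."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def asserted_identity(headers):
    """The caller identity the message claims, preferring P-Asserted-Identity."""
    for name in ("p-asserted-identity", "p-preferred-identity", "from"):
        if name in headers:
            m = _URI_RE.search(headers[name])
            if m:
                return m.group(1)
    return None


def check_invite(msg: str, src, active: dict) -> str:
    """Decide whether an INVITE from `src` may proceed; `active` counts
    sessions per subscriber and is updated when a call is accepted."""
    request_line, headers = parse_sip(msg)
    if not request_line.startswith("INVITE "):
        return "ignore"
    registered = REGISTRATIONS.get(src)
    if registered is None:  # CWE-287: source never authenticated
        return "reject: unregistered source"
    if asserted_identity(headers) != registered:  # CWE-287: spoofed caller ID
        return "reject: identity mismatch"
    if active.get(registered, 0) >= MAX_VOICE_SESSIONS:  # CWE-384: session cap
        return "reject: session limit"
    active[registered] = active.get(registered, 0) + 1
    return "accept"
```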



Each provider/implementation of LTE may be vulnerable to one or more of the above issues.



More information is provided by Kim et al. in their paper "Breaking and Fixing VoLTE: Exploiting Hidden Data Channels and Mis-Implementations", presented at ACM CCS 2015.