EXPLORING AND ADDRESSING THE VULNERABILITIES OF MULTIMEDIA SERVICES OVER MOBILE NETWORKS: FROM DEVICES TO INFRASTRUCTURE
As mobile systems evolve from traditional telephony network architectures (e.g., 3G) to all-IP-based network architectures (4G, 5G, and beyond), the IP Multimedia Subsystem (IMS) was introduced to provide users with a variety of multimedia services, such as voice calls, video calls, SMS, and emergency communications. However, while IMS enriches daily communication over cellular networks, it also introduces new security threats to the mobile communication ecosystem.

In this dissertation, we systematically investigate the vulnerabilities introduced by architectural shifts in mobile networks, spanning from user devices to network infrastructure: (1) on the device side, we analyze the negative impact of transitioning IMS client implementations from traditional hardware-based solutions (in cellular modems) to software-based applications on mobile phones. Our study reveals that this shift significantly expands the attack surface, enabling adversaries to hijack, spoof, or manipulate signaling and media data across various multimedia services; and (2) on the infrastructure side, we examine privacy leakage issues in voice calls over IMS. Although all voice packets and signaling messages are encrypted, the underlying transmission patterns remain observable, thereby leaking user privacy.

There are three key lessons learned from our study. First, current IMS standards lack robust security protections for IMS signaling routing on phones. As a result, ordinary socket communication lets other processes on the same mobile system communicate with the IMS client. This architectural gap enables malware to easily intercept or forge IMS signaling between the IMS client and the IMS server. It enables attacks that can prevent mobile users from accessing multimedia services across all available radio access networks, including 4G, 5G, and Wi-Fi. It also allows adversaries to spoof SMS messages with arbitrary display names. Second, IMS video sessions lack encryption and integrity protection beyond the IP layer. As a result, even with radio and IP layer protection in place, IMS video data on a compromised mobile device cannot be safeguarded before it is sent over the air. This opens the door for adversaries to hijack legitimate video streams. We demonstrate that an attacker can hijack video sessions as covert channels, completely bypassing operator-level monitoring and charging policy. Third, although 5G/4G voice calls are encrypted for security and privacy, we unveil that side-channel vulnerabilities persist. In particular, transmission patterns and signaling metadata can still leak sensitive information about 5G/4G call states. We demonstrate a Cross-domain Identity Linkage (CrossIL) attack that can link user identities to their cellular identities with a success rate of 89% to 98%, highlighting the need for deeper privacy-aware design in encrypted mobile voice services.

Building on our findings and lessons learned, we propose innovative countermeasures that not only address the identified security vulnerabilities but also pave the way for enabling more reliable and resilient multimedia services over mobile networks.
- In Collections: Electronic Theses & Dissertations
- Copyright Status: In Copyright
- Material Type: Theses
- Authors: Shi, Jingwen
- Thesis Advisors: Tu, Guan-Hua
- Committee Members: Cao, Zhichao; Li, Tianxing; Xie, Yuying
- Date Published: 2025
- Subjects: Computer science
- Program of Study: Computer Science - Doctor of Philosophy
- Degree Level: Doctoral
- Language: English
- Pages: 97 pages
- Permalink: https://doi.org/doi:10.25335/mq5t-qt75