[edude03]

I don’t know anything about IMS but I assume they have to stay on the call long enough for the debug headers to be sent (like the tracing the call thing in every spy movie but real) and if that’s the case can this be mitigated by “just”* not answering calls from unknown numbers?

*yes I’m aware that means people you know who have your number could also exploit this

[andix]

I guess this information is already known to the network before the connection is even established. Those seem to be debugging headers, you probably need them for cases where the connection can't be established properly to debug why. If I understand the article correctly, the information is even there if the receiving phone is turned off, then you get the last known cell.

[dilyevsky]

IMS is just SIP core + bunch of gateways + integration with base LTE infra (eNodeB, PCRF, etc) so "signaling messages" are just SIP messages. So depending on whether those compromising headers were included on things like SIP 180 Ringing messages and such it may not be enough to not answer the calls. Source: actually worked on deploying IMS at a telco (not this one)

[mrjeeves]

The headers are included in every single downlink message after initiating a call, including the downlink SIP Invite message before 100 Trying, 180 Ringing or 183 Session Progress.

If you're quick enough (or automate this with dedicated software, like an attacker might actually do), it won't even need to ring out. It's really not good.

[dilyevsky]

that's wild. did you also try any callees connected to a different PLMN?