[kjellsbells]

Also very curious how the call initiator was able to see the call control messages (ie SIP). Arent all these messages wrapped inside an encrypted GRE tunnel between handset and cell tower (and MME)? Being able to unpick GRE tunnel encryption would be a gigantic hole. Perhaps this only works because the OP is running analysis on their device, but even then I'm surprised that the pre-encryption payload is available.

[mrjeeves]

Hello, article editor here. Many Android devices with Qualcomm chips offer the option to expose a modem diagnostics port over USB meaning a rooted device isn't even needed. It's just much easier to use NSG rooted on-device than going around with a laptop places.

It's as simple as using Scat (https://github.com/fgsect/scat) with the modem diag port enabled to view all signalling traffic to/from the network.

[celsoazevedo]

They're using a rooted Android phone and an app called Network Signal Guru: https://play.google.com/store/apps/details?id=com.qtrun.Quic...

At least the free version of the app doesn't seem to "decrypt" anything, but it has root access and access to the modem, so it can read these logs. It can also disable bands and try to lock to a specific mast (like dedicated 4G/5G routers can), which is useful if you're trying to use mobile data as your main internet connection.

[immibis]

Right, so, that's the hacking tool they'll soon get prosecuted for using, while the problem will remain unfixed.

[kevvok]

Many operators do configure the SIP signaling for VoLTE to use an IPsec transport terminated at the P-CSCF, but most (if not all) of them only configure IPsec to provide integrity protection.

[tguvot]

i think you meant GTP tunnel. And GTP tunnel is between enodeb and core network. it's secured only in case that it run inside IPSEC.

[kjellsbells]

Doh! Yes, of course. Thank you

[kjellsbells]

^^edit: GTP.