
"Security Issues and Challenges in IMS": A Paper Work On

IMS (IP Multimedia Subsystem) is the technology that will merge the Internet with the cellular world and provide enriched services that enable subscribers to collaborate and communicate in real time. The paper covers many security issues and solutions to prevent IMS network from malicious attacks.

Uploaded by

Divya Jagwani
Copyright
© Attribution Non-Commercial (BY-NC)

A PAPER WORK

On

“Security Issues and Challenges in IMS”


SUBMITTED TO

MIT PUNE’s
MIT SCHOOL OF TELECOM MANAGEMENT

BY

DIVYA JAGWANI
PRN : 091049
Batch : 2009-2011

IN PARTIAL FULFILLMENT OF
POST GRADUATE DIPLOMA IN MANAGEMENT (PGDM)

MIT PUNE’s
MIT SCHOOL OF TELECOM MANAGEMENT
(MITSOT), PUNE
Security Issues and Challenges in IMS
Divya Jagwani
MIT School Of Telecom & Management
Pune, Maharashtra 411052 India
[email protected]

Abstract— In this paper I have covered many aspects of security and potential threats faced by IMS technology. The most challenging thing faced by today's network operators is to meet subscribers' exploding demand and the rapid growth of broadband Internet, and the only appropriate solution offered by them is to offer new multimedia services anywhere, anytime. The IMS (IP Multimedia Subsystem) is the technology that will merge the Internet with the cellular world and provide enriched services that enable subscribers to collaborate and communicate in real time. Such a resource is a valuable asset and is creating a new level of security needs for the network operator that go beyond anything that has been traditionally deployed.

The paper covers many security issues and solutions to prevent IMS network from malicious attacks. The paper is organized as follows. The next section provides an overview of the IMS architecture with specific consideration given to security and at last with suggested solutions to potential security threats.

Keywords: IMS; IMS Architecture; IMS vulnerabilities; Potential Threats; Security Solutions

I. INTRODUCTION

IP Multimedia Subsystem (IMS) is a rapidly developing standard that is meant to deliver multimedia applications through multiple wireless and wireline networks. IP Multimedia Subsystem is a Session Initiation Protocol (SIP)-based IP Multimedia infrastructure that provides a complete architecture and framework for real-time and non-real-time IP multimedia services on top of the Packet Switched (PS) core while still preserving the Circuit Switched (CS) telephony services. IMS provides the necessary IMS capabilities: service control, security functions (e.g. authentication, authorization), routing, registration, SIP compression and QoS support, charging. IMS is a part of the standardization work for 3G mobile phone systems in UMTS networks. It is the topic that turned the telecommunication world upside down, and it is meant to deliver multimedia applications through multiple wireless and wireline networks.

The IP Multimedia Subsystem (IMS), first specified by the Third Generation Partnership Project (3GPP/3GPP2), is a key enabler and service-delivery platform for these services. IMS is a global standard that defines a generic architecture for offering VoIP and other multimedia services over the Internet, independent of access type – whether it is cellular (GPRS, 1x), WLAN (WiFi), wireless broadband (WiMAX, EVDO Rev A, HSPA) or wireline broadband (xDSL, Cable, FTTx). And since IMS protocols are based on the open IETF SIP specifications, any IMS network device can take advantage of the exploding SIP adoption by other IP phones, adapters and soft clients. (The IETF is the standardization body that has developed most of the protocols that are currently used on the Internet. The IETF does not standardize networks, architectures combining different protocols, the internal behavior of nodes, or APIs (Application Programming Interfaces). The IETF is the protocol factory for IP-related protocols.)

IMS is also expected to bring the strengths of wireless and fixed-line worlds together. In 3GPP’s words: “The IMS should enable the convergence of, and access to, voice, video, messaging, data and web-based technologies for the wireless user, and combine the growth of the Internet with the growth in mobile communications.”

The 3rd Generation Partnership Project (3GPP) creates security standards for those parts of the system that need to be standardized, never intending to standardize security alternatives available to carriers for IMS. What 3GPP standardizes are security protocols between terminal and network, and interfaces between network elements so they can interoperate. 3GPP also writes guidelines for others, helping them to secure IMS.

The three main features provided by IMS are:-

1.) QoS (Quality of Service):- The main drawback of the packet-switched domain was that the network does not provide any assurance about the amount of bandwidth a user gets for a particular connection or the amount of delay a connection is going to experience; in short, it offers best-effort services without QoS, and thus the quality of a VoIP conversation is affected considerably. So, one of the reasons for creating the IMS was to provide the QoS required for enjoying, rather than suffering, real-time multimedia sessions. The IMS takes care of synchronizing the session establishment with QoS provision so that users have a predictable experience.
2.) Charging:- Another reason for creating the IMS was to be able to charge multimedia sessions appropriately, unlike traditional charging systems, in which operators typically charge based on the number of bytes transferred. A user involved in a videoconference over the packet-switched domain usually transfers a large amount of information (which consists mainly of encoded audio and video). The user’s operator cannot follow a different business model to charge the user because the operator is not aware of the contents of those bytes: they could belong to a VoIP session, to an instant message, to a web page, or to an email.

On the other hand, if the operator is aware of the actual service that the user is using, the operator can provide an alternative charging scheme that may be more beneficial for the user. For instance, the operator might be able to charge a fixed amount for every instant message, regardless of its size. Additionally, the operator may charge for a multimedia session based on its duration, independently of the number of bytes transferred.

The IMS does not mandate any particular business model. Instead, it lets operators charge as they think more appropriate. The IMS provides information about the service being invoked by the user, and with this information the operator decides whether to use a flat rate for the service, apply traditional time-based charging, apply QoS-based charging, or perform any new type of charging. As a clarification, by service, in this charging context, we refer to any value offered to the user (e.g., a voice session, an audio/video session, a conference bridge, an instant message, or the provision of presence information about co-workers).

3.) Integration of services:- Providing integrated services to users is the third main reason for the existence of the IMS. Although large equipment vendors and operators will develop some multimedia services, operators do not want to restrict themselves to these services. Operators want to be able to use services developed by third parties, combine them, integrate them with services they already have, and provide the user with a completely new service. For example, an operator has a Voicemail service able to store voice messages and a third party develops a text-to-speech conversion service. If the operator buys the text-to-speech service from the third party, it can provide voice versions of incoming text messages for blind users. The IMS defines the standard interfaces to be used by service developers. This way, operators can take advantage of a powerful multi-vendor service creation industry, avoiding sticking to a single vendor to obtain new services.

II. OVERVIEW OF IMS ARCHITECTURE

1. IMS architecture

The figure below depicts an overview of the IMS architecture as standardized by 3GPP. The figure shows most of the signaling interfaces in the IMS, typically referred to by a two or three-letter code. We do not include all the interfaces defined in the IMS, but only the most relevant ones.

Fig: 3GPP IMS Architecture Overview

On one side of the figure we can see the IMS mobile terminal, typically referred to as the User Equipment (UE). The IMS terminal attaches to a packet network, such as the GPRS network, through a radio link. Note that, although the figure shows an IMS terminal attaching to the network using a radio link, the IMS supports other types of devices and accesses. PDAs (Personal Digital Assistants) and computers are examples of devices that can connect to the IMS. Examples of alternative accesses are WLAN or ADSL. The remainder of the figure shows the nodes included in the so-called IP Multimedia Core Network Subsystem. These nodes are:

1. one or more user databases, called HSSs (Home Subscriber Servers) and SLFs (Subscriber Location Functions);
2. one or more SIP servers, collectively known as CSCFs (Call/Session Control Functions);
3. one or more ASs (Application Servers);
4. one or more MRFs (Media Resource Functions), each one further divided into MRFC (Media Resource Function Controllers) and MRFP (Media Resource Function Processors);
5. one or more BGCFs (Breakout Gateway Control Functions);
6. one or more PSTN gateways, each one decomposed into an SGW (Signalling Gateway), an MGCF (Media Gateway Controller Function), and an MGW (Media Gateway).

IMS REQUIREMENTS

IMS aims to:
1. combine the latest trends in technology;
2. make the mobile Internet paradigm come true;
3. create a common platform to develop diverse multimedia services;
4. create a mechanism to boost margins due to extra usage of mobile packet-switched networks.

In these requirements the IMS is defined as an architectural framework created for the purpose of delivering IP multimedia services to end-users. This framework needs to meet the following requirements.

• Support for establishing IP Multimedia Sessions.
• Support for a mechanism to negotiate Quality of Service (QoS).
• Support for interworking with the Internet and circuit-switched networks.
• Support for roaming.
• Support for strong control imposed by the operator with respect to the services delivered to the end-user.
• Support for rapid service creation without requiring standardization.

III. SECURITIES

Security Issues

IMS’ three-layered architecture for separate application, control and transport functions allows for an open IP-based communications platform rather than a monolithic, closed architecture (see Figure 1). This approach decouples the service delivery components from the physical network, making it possible for services to be independent of the network over which they are delivered, with the goal of reducing the service provider’s cost of developing services and deploying those services faster, across more access networks and to broader markets.

Having functional entities separated by IP reference points ensures interoperability between vendor equipment, application flexibility and the reuse of common components for any type of multimedia services that may arise over time. However, this architecture has its own set of drawbacks. Distributing core network functions that are connected together over IP ultimately means more opportunity to break the architecture from a security perspective.

With IMS, operators can offer many real-time communication services for virtually any device over any Internet access network for the first time. What really discourages the users is the issue of securing an IMS network. Its architecture proves to be vulnerable, first of all because security specifications are completely lacking. Like any application offered over the Internet, these IMS networks and devices are now subjected to threats from worms, viruses, denial of service, spam, phishing, and theft.

Some companies such as Verizon Wireless have proceeded to develop upgrades to IMS (A-IMS) in order to close the gaps in IMS. Sipera Systems (a VoIP products manufacturer) has authored an article in a monthly industry periodical which contained a list of unique and inherited vulnerabilities of IMS. About 90 unique vulnerabilities and over 20,000 potential attacks that could be launched against IMS networks have been identified. It is fair to mention that these weaknesses are common to IP data and VoIP networks as well.

IMS Vulnerabilities:-

As mentioned at the outset, IMS and SIP enable a rich set of converged services, but, at the same time, open up networks to a host of known IP-based vulnerabilities, which can often be addressed by existing firewalls, and also to a completely new set of IMS application vulnerabilities. In fact, in the last three years, the Sipera VIPER™ (Voice over IP Exploitation Research) Lab has identified over 20,000 attacks that can be launched against IMS networks.

Securing IMS

Securing IMS is a very tough task. To build an attack mechanism for IMS is quite easy and inexpensive. The potential threats to IMS networks are as follows. The more prevalent and potentially damaging application-level threats, which can be used to attack the core infrastructure and take down the service or to attack the end-users, are:

Potential Threats:-

1. A threat against availability is a threat against service availability that is supposed to be running 24/7. That is, the threat aims at VoIP service interruption, typically in the form of DoS. Examples are call flooding, malformed messages (protocol fuzzing), spoofed messages (call teardown, toll fraud), call hijacking (registration or media session hijacking), server impersonating, and QoS abuse.

i) Protocol Fuzzing can also make IMS networks vulnerable, though it is used to test applications. It works by sending semi-valid input to determine how the application reacts, and then fixing it if necessary. Malicious users will send messages whose content, in most cases, is, on the surface, good enough that the target will assume it’s valid. In reality, the message is “broken” or “fuzzed” enough that when the target system attempts to parse or process it, various failures result. These can include application delays, information leaks, and even catastrophic system crashes.

ii) Fuzzed messages can easily be transmitted using encrypted and authenticated traffic, all the way to the IMS core. Existing security devices do not generally have the ability to decrypt the traffic at wire speeds and look at all the details of the protocol (header, body, content, etc.) to make sure there is no malicious intent, and therefore cannot protect against some of the most damaging attacks towards the infrastructure.

iii) Flood DoS and Distributed Floods: Flood DoS and DDoS attacks are those attacks whereby a malicious user deliberately sends a tremendously large amount of random messages to one or more core network elements from either a single location (DoS) or from multiple locations (DDoS). Typically, the flood of incoming messages is well beyond the processing capacity of the target system, quickly exhausting its resources and denying services to its legitimate users.

Fig: DoS Flood attack on a single end-point (labels: Malicious User, End-Point (SIP Phone))

iv) Stealth Floods: Stealth attacks are those in which one or more specific end-points are deliberately attacked from one (DoS) or more (DDoS) sources, although at a much lower call volume than is characteristic of flood type attacks. Detection of stealth attacks is vital for VoIP systems, as they have the potential to be far more annoying than what we are familiar with in the data world. IMS security solutions must be more sophisticated and use different techniques to protect against stealth and VoIP spam.

v) Hackers & Frauds: These are the major danger for IMS, as hackers can use specifications and other components published as open source software on the official 3GPP web site. Hackers can write scripts to read IMS SIM cards to gain access to the IMS network.

This is why securing IMS is very difficult work. Once hackers gain access to an IMS network and servers, they can commence toll fraud by acting as a gateway between the local PSTN and the IMS network, similar to last year’s publicized, million dollar toll fraud exacted on several VoIP networks.

vi) Building an Attack Tool is Easy: Compounding the issue of threats is the fact that building an attack vector takes very little investment in terms of time or money. The required components are available free of charge, as open-source software, and all the required specifications are publicly available at the 3GPP website. Hackers, in a few days, can easily write scripts required to read U/I-SIM cards, which are easily acquired and can be used to launch various attacks.

2. A threat against confidentiality does not impact current communications generally, but provides an unauthorized means of capturing conversations, identities, patterns, and credentials that are used for the subsequent unauthorized connections or other deceptive practices. VoIP transactions are mostly exposed to the confidentiality threat because most VoIP services do not provide full confidentiality (both signal and media) end-to-end. The threat examples are eavesdropping media, call pattern tracking, data mining, and reconstruction.

i) Reconstruction: Reconstruction means any unauthorized reconstruction of voice, video, fax, text, or presence information after capturing the signals or media between parties. The reconstruction includes monitoring, recording, interpretation, recognition, and extraction of any type of communications without the consent of all parties.

ii) Data Mining: The general meaning of data mining in VoIP is the unauthorized collection of identifiers that could be user name, phone number, password, URL, email address, strings or any other identifiers that represent phones, server nodes, parties, or organizations on the network.

iii) Eavesdropping Media: Eavesdropping on someone's conversation has been a popular threat since telecommunication service started a long time ago, even though the methods of eavesdropping are different between legacy phone systems and VoIP systems.

iv) Call Pattern Tracking: Call pattern tracking is the unauthorized analysis of VoIP traffic from or to any specific nodes or network so that an attacker may find a potential target device, access information (IP/port), protocol, or vulnerability of network. It could also be useful for traffic analysis: knowing who called who, and when.

v) Rogue devices: With smart device proliferation and new access capabilities including USB, Bluetooth and downloadable software, devices themselves can inadvertently pose a great risk to IMS networks. These devices can be recruited by hackers as bots on the Internet, to proliferate attacks deep into IMS networks and applications.

3. A threat against integrity is altering messages (signals) or media after intercepting them in the middle of the network. That is, an attacker can see the entire signaling and media stream between endpoints as an intermediary. The alteration can consist of deleting, injecting, or replacing certain information in the VoIP message or media. The typical examples are call rerouting, call black holing, media injection, and media degrading.

i) Message Alteration: Message alteration is the threat that an attacker intercepts messages in the middle of communication entities and alters certain information to reroute the call, change information, interrupt the service, and so on. The typical examples are call rerouting and black holing.

ii) Media Alteration: Media alteration is the threat that an attacker intercepts media in the middle of communication entities and alters media information to inject unauthorized media, degrade the QoS, delete certain information, and so on. The media can be voice-only or integrated with video, text, fax, or image. The typical examples are media injection and degrading.

4. A threat against social context focuses on how to manipulate the social context between communication parties so that an attacker can misrepresent himself as a trusted entity and convey false information to the target user. The typical examples are misrepresentation (identity, authority, rights, and content), voice spam, instant message spam, presence spam, and phishing.

i) Misrepresentation: Misrepresentation is the intentional presentation of a false identity, authority, rights, or content as if it were true so that the target user (victim) or system may be deceived by the false information. These misrepresentations are common elements of a multistage attack, such as phishing.

• Identity misrepresentation
• Authority or rights
• Content misrepresentation

ii) VoIP Spam: VoIP spam or Spam-over-Internet Telephony (SPIT) is unsolicited and unwanted bulk messages broadcast over the IMS network. In addition to being annoying and having the potential to significantly impinge upon the availability and productivity of the end-point resource, high-volume bulk calls routed over IP are oftentimes very difficult to trace, and have the inherent capacity for fraud, unauthorized resource use and privacy violations. VoIP spam attacks can be launched like the stealth attacks cited above, and target subscribers of IMS services.

iii) Phishing: It is an act of illegally making an attempt to obtain somebody's personal information (for example, ID, password, bank account number, credit card information) by posing as a trusted entity in the communication. In VoIP, phishing typically happens through voice or IM communication, and voice phishing is sometimes called "vishing."

iv) Rogue devices: With smart device proliferation and new access capabilities including USB, Bluetooth and downloadable software, devices themselves can inadvertently pose a great risk to IMS networks. These devices can be recruited by hackers as bots on the Internet, to proliferate attacks deep into IMS networks and applications.

Solutions:

1. Protocol Scrubbers: Protocol scrubbers are transparent, active interposition mechanisms for explicitly removing network scans and attacks at various protocol layers. The transport scrubber supports downstream passive network-based intrusion detection systems by converting ambiguous network flows into well-behaved flows that are unequivocally interpreted by all downstream endpoints. The fingerprint scrubber restricts an attacker's ability to determine the operating system of a protected host.

2. Anti-SPAM Techniques: Heuristic/Signature-based Content Filtering

In this technique fingerprint-based anti-virus software detects malicious code by searching for tens of thousands of digital fingerprints in all scanned files, disks and network transmissions. Each fingerprint is a short sequence of bytes extracted from the body of a specific virus strain. If a given fingerprint is found, the content is reported as infected. One of the techniques used to assign a score is a pattern signature. This approach requires a special lab with spam traps, so that they can attract as much undesired email as possible. Next there is a need for humans armed with some analysing tools, who go over the undesired email and extract signatures which are then distributed to the customers (usually via very frequent product domains). The main disadvantage of this approach is the huge delay between the spam or virus or phishing outbreak and the time the customers receive a signature update, which will allow them to filter out those unwanted messages. And since anti-virus fingerprints are based on known sequences of bytes from known infections, this technique often fails to detect new strains. Another disadvantage is that those signatures aren't perfect, i.e. they may assign a high SPAM-email score to a totally legitimate email, which is known as a false positive.

3. Behavioural learning

In this, a set of established rules is created that define a program as either legitimate or malicious (a virus, worm or Trojan). If the analyzed code breaks one of the legitimate rules or fits into a pre-defined profile established as "malicious," the code or application is flagged as a threat. Once a program with malicious behaviour is detected, it is blocked at run-time.

Policy and Expert-based Systems

Existing behavior blocking systems can be split into two categories: policy-based blocking systems and expert-based blocking systems.

Policy-based systems: These allow the administrator to explicitly specify rules that state which behaviors are to be allowed and which behaviors are to be blocked. Each time a program makes a request to the operating system, the behavior blocker intercepts the request, consults its policy database and either allows the request to proceed, or blocks the request entirely.

In contrast to policy-based systems, expert-based systems employ a more opaque method of operation. In these systems, the experts have studied entire classes of malicious code and then designed their behavior blocking systems to recognize and block suspicious behaviors. Under some circumstances a would-be dangerous behavior is allowed, and under others, it is blocked.
4. Network level intelligence:

This approach has a network-level intelligence node and several other security nodes. The main purpose of the security nodes is to constantly update the intelligence node about various formatted events. The intelligence node then collects and correlates multiple events and activities from different nodes and end-points in the network and, through their reported alarms, accurately detects attacks which otherwise might have escaped unnoticed if reported only by a single point in the network. It then passes this attack information back to the security nodes so that they can take proper action to protect their network. This capability can inspect the sequence and content of messages to detect protocol anomalies and any instances of end-point scanning.

5. Other solutions can be:
a. complete protection with real-time performance, with easy deployment and not a point of failure;
b. effective handling of VoIP spam through VoIP Turing;
c. interoperability with major VoIP infrastructure vendors.

IV. CONCLUSIONS

The purpose of this paper is to provide solutions with the capability to secure IMS resources. With continuous improvement and innovation in technologies, the probability of malicious attacks and service abuse of VoIP and other real-time IP communications applications has continued to increase, together with the increase in attack sophistication. Therefore the traditional security methods are just not enough to provide secure user transactions, and this is creating a new level of security requirements for IMS applications. As IMS applications and specifications are easily available as open source documents on the official 3GPP website, IMS requires a higher level of security, using VoIP security methodologies such as behavioural learning, anomaly detection, better prevention of VoIP spam, and policy-based filtering. Together, all these solutions will proactively protect the IMS network from the unauthorized attacks, misuse and service abuse which networks and end-users face today and in the future.

REFERENCES

1. http://www.sipera.com/
2. DARPA Information Survivability Conference and Exposition (DISCEX II'01), Volume II
3. Protocol Scrubbing: Network Security through Transparent Flow Modification
4. IMS Security – Sipera Has Solution For A New Problem - VoIP News.mht
5. 3GPP. Security aspects of early IP multimedia subsystem (IMS) (release 7). Technical Report
6. Bob Bellman. Exploring IMS security mechanisms. Business Communications Review, January
7. Best Behavior Against Evolving Threats by Christopher Bolin
8. VoIP Security Threats Pdf
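
As an added example (not part of the original paper), the following Python code illustrates the network-level intelligence idea from Solutions item 4, applied to the stealth floods and end-point scanning the paper describes: thresholds that no single security node trips are exceeded once the intelligence node merges the events of all nodes. The event fields, node names, thresholds and sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict, namedtuple

# Event format reported by a security node; the field names are assumptions.
Event = namedtuple("Event", "ts node src target method")

WINDOW = 60          # seconds per correlation window (assumed)
INVITE_LIMIT = 30    # INVITEs to one end-point per window before alerting (assumed)
SCAN_LIMIT = 5       # distinct end-points one source may contact per window (assumed)


def detect(events):
    """Apply both thresholds to a set of events and return sorted alerts.

    Each alert is (window_start, kind, subject, observed_value).
    """
    invites = defaultdict(int)    # (window, target) -> INVITE count
    contacts = defaultdict(set)   # (window, source) -> distinct targets contacted
    for e in events:
        win = int(e.ts // WINDOW) * WINDOW
        if e.method == "INVITE":
            invites[(win, e.target)] += 1
        contacts[(win, e.src)].add(e.target)

    alerts = []
    for (win, target), count in invites.items():
        if count >= INVITE_LIMIT:
            alerts.append((win, "call-flood", target, count))
    for (win, src), targets in contacts.items():
        if len(targets) >= SCAN_LIMIT:
            alerts.append((win, "end-point-scan", src, len(targets)))
    return sorted(alerts)


def node_view(events, node):
    """What a single security node would detect from its own events alone."""
    return detect([e for e in events if e.node == node])


def build_sample():
    """Constructed sample: three nodes, one stealth flood, one scan, normal calls."""
    events = []
    nodes = ["node-a", "node-b", "node-c"]
    # Stealth flood: 12 INVITEs per node to one end-point, each from a different source.
    for n_idx, node in enumerate(nodes):
        for i in range(12):
            src = "203.0.113.%d" % (n_idx * 12 + i + 1)
            events.append(Event(120 + i * 4, node, src,
                                "sip:alice@example.test", "INVITE"))
    # End-point scan: one source sends OPTIONS to 6 end-points, 2 via each node.
    for i in range(6):
        events.append(Event(130 + i, nodes[i % 3], "198.51.100.7",
                            "sip:user%d@example.test" % i, "OPTIONS"))
    # Normal traffic: a few ordinary calls seen by one node.
    for i in range(3):
        events.append(Event(125 + i * 10, "node-a", "192.0.2.10",
                            "sip:bob@example.test", "INVITE"))
    return events


if __name__ == "__main__":
    sample = build_sample()
    for name in ("node-a", "node-b", "node-c"):
        print(name, "alone:", node_view(sample, name))
    print("correlated:", detect(sample))
```

Each node sees only 12 INVITEs to the targeted end-point and 2 scanned end-points, so the per-node views stay empty; only the merged view raises the two alerts that the intelligence node would pass back to the security nodes.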
