The Untold Secrets Of WiFi-Calling Services .
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2995509, IEEETransactions on Mobile Computing1The Untold Secrets of WiFi-Calling Services:Vulnerabilities, Attacks, and CountermeasuresTian Xie, Guan-Hua Tu, Bangjie Yin, Chi-Yu Li, Chunyi Peng, Mi Zhang, Hui Liu, Xiaoming LiuAbstract—Since 2016, all of four major U.S. operators have rolled out Wi-Fi calling services. They enable mobile users to placecellular calls over Wi-Fi networks based on the 3GPP IMS technology. Compared with conventional cellular voice solutions, the majordifference lies in that their traffic traverses untrusted Wi-Fi networks and the Internet. This exposure to insecure networks can causethe Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them aresupported by the IMS. They include SIM-based security, 3GPP AKA, IPSec, etc. However, are they sufficient to secure Wi-Fi callingservices? Unfortunately, our study yields a negative answer. We conduct the first security study on the operational Wi-Fi callingservices in three major U.S. operators’ networks using commodity devices. We disclose that current Wi-Fi calling security is notbullet-proof and uncover three vulnerabilities. By exploiting the vulnerabilities, we devise two proof-of-concept attacks: telephonyharassment or denial of voice service and user privacy leakage; both of them can bypass the existing security defenses. We haveconfirmed their feasibility using real-world experiments, as well as assessed their potential damages and proposed a solution toaddress all identified vulnerabilities.Index Terms—Wi-Fi calling, security and privacy, computer vision recognition, and cellular network.!1I NTRODUCTIONSI nce 2016, all the four major operators in the U.S.,namely T-Mobile, AT&T, Verizon and Sprint, havelaunched nationwide Wi-Fi calling services [1]. The Wi-Ficalling technology, also known as VoWiFi (Voice over WiFi), is supported by the 3GPP IMS (IP Multimedia Subsystem) system [2]. It provides mobile users with cellularcalls and text messages through home/public Wi-Fi accessnetworks instead of cellular base stations. It is an alternativevoice solution for mobile users that connect to the basestations with weak signals. Globally, there had been 98cellular network operators offering Wi-Fi calling services in52 countries [3] until February 2019. According to a recentindustry report [4], the trends that about 71% of mobile datawill go through Wi-Fi networks and about 80% of mobileusers will use Wi-Fi to access the Internet, will result in arising demand for the Wi-Fi calling market. The market isforecasted to grow at 27.24% CAGR (Compound AnnualGrowth Rate) to over 8 billion U.S. dollars by 2025 from1.92 billion in 2020. With such rapidly growing market, anysecurity loopholes of Wi-Fi calling may lead to devastatingconsequences on a global scale. Therefore, there is a criticalneed to investigate the security of Wi-Fi calling.Wi-Fi calling uses SIP (Session Initiation Protocol) for thecall signaling as conventional VoIP (Voice over IP) services T. Xie, G.-H. Tu, B. Yin, H. Liu, and X. Liu are with the Department of Computer Science and Engineering, Michigan State University,East Lansing, MI, 48825. E-mail:{xietian1, ghtu, yinbangj, liuhui7,liuxm}@msu.edu.M. Zhang is with the Department of Electrical and Computer Engineering, Michigan State University, East Lansing, MI, 48825. Email:mizhang@msu.edu.C.-Y. Li is with the Department of Computer Science, National ChiaoTung University. E-mail:chiyuli@cs.nctu.edu.twC. Peng is with the Department of Computer Science, Purdue University,West Lafayette, IN, 47907. E-mail:chunyi@purdue.edudo, but differs from them technically. Its SIP signaling operation is a 3GPP-specific version [5], [6]. For security reasons,both 3GPP and GSMA stipulate that Wi-Fi calling shalluse well-examined SIM-based security and authenticationmethods as VoLTE has. They mainly include the protectionof secret keys in a physical SIM card and the 3GPP AKA(Authentication and Key Agreement) [7] authentication. Inaddition, all the Wi-Fi calling packets, which may be sentthrough insecure networks, shall be delivered via the IPSec(Internet Protocol Security) channels using ESP tunnel modebetween Wi-Fi calling devices and the cellular networkinfrastructure. Although the packets are protected by theIPSec tunnels, the Wi-Fi calling service may still suffer fromDoS (Denial-of-Service) attacks where the packets are maliciously dropped en route. However, such DoS attacks can beprevented by the inter-system switch security mechanismof Wi-Fi calling, which switches a Wi-Fi calling user backto the cellular-based voice/text service when the user isunreachable through Wi-Fi.When adopting the conventional security mechanismswhich have been well studied in VoLTE [10], [11], Wi-Ficalling seems to be as secure as VoLTE. Unfortunately, itis not the case. We discover three security vulnerabilitiesfrom all the Wi-Fi calling services deployed by three cellularnetwork operators in the U.S. and two operators in Taiwan,which are denoted as US-I, US-II, US-III, TW-I, and TW-II,respectively. First, the 3GPP WLAN (Wireless Local AreaNetwork) selection mechanisms, which are used to select aWi-Fi network for the Wi-Fi calling device, do not preventdevices from connecting to insecure Wi-Fi networks (V1),which may impede the Wi-Fi calling service. Second, theWi-Fi calling traffic, which is protected by IPSec, is vulnerable to side-channel inference attacks (V2), which may causeprivacy leakage. Third, the service continuity mechanismbetween Wi-Fi calling and cellular-based voice services may1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.Authorized licensed use limited to: Michigan State University. Downloaded on November 23,2020 at 01:05:28 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2995509, IEEETransactions on Mobile Computing2CategoryVulnerabilityTypeRoot CauseDeviceV1: the WLAN selection mechanisms ofWi-Fi calling devices do not prevent thedevices from connecting to insecure Wi-Finetworks.Design defectThe 3GPP standard [1], [8] considers only the radio quality ofavailable Wi-Fi networks without any security measures in theWLAN selection (Section 4.1).V2: the Wi-Fi calling traffic is vulnerable toside-channel inference attacks.Operation slipV3: the service continuity mechanism between Wi-Fi calling and cellular-basedvoice services may not take effect whenneeded.Design defectInfrastructureThe IPSec sessions between Wi-Fi calling devices and the corenetwork carry only the Wi-Fi calling traffic, so its traffic patternscan be learned to infer various Wi-Fi calling events (Section 4.2).The service continuity mechanism based on an inter-systemswitch [1], [2], [9], which keeps a call service continue acrossdifferent radio access technologies, considers only radio qualitybut not service quality (Section 4.3).TABLE 1Summarizing the identified security vulnerabilities of the Wi-Fi calling services.not take effect (V3), even when the service quality of a WiFi calling call is so bad that its voice is almost muted. Eachof these vulnerabilities can be attributed to a design defectof the Wi-Fi calling standard or an operational slip of thecellular network. Table 1 summarizes the vulnerabilities andtheir root causes.We exploit the three vulnerabilities to devise two proofof-concept attacks, namely (1) telephony harassment or denial of voice service attack (THDoS) and (2) user privacyleakage. These two attacks can bypass the existing securitymechanisms on the Wi-Fi calling devices and the cellularnetwork infrastructure. In the first attack, we devise fourattack variants that harass Wi-Fi calling users or get themdenial of voice services. In the second attack, we developa user privacy inference system (UPIS) that incorporatesthe face recognition technique in computer vision with theexploitation of those vulnerabilities. The UPIS system candisclose the privacy of a Wi-Fi user, including user identity,call statistics, and the device’s IP address. Particularly, thecall statistics have been proven effective in inferring a user’spersonality [12] (e.g., conscientiousness), mood [13] (e.g.,stressful), and behavior [14] (e.g., dialing spamming calls).With the inferences of the device’s IP address and the useridentity of a Wi-Fi calling user, adversaries can discoverthe user’s device model, Internet activities (e.g., accessingCNN.com), and the device’s running applications by analyzing his/her packets. Note that different from traditionalSIP attacks [15]–[17], the proposed attacks not only needto identify particular Wi-Fi calling signaling messages fromencrypted 3GPP-specific SIP packets [5], [6], but also have tobypass/suppress cellular-specific security mechanisms suchas the inter-system switch mechanism that keeps the Wi-Ficalling service continuity.We finally propose a solution, Wi-Fi Calling Guardian,to address these security threats, without requiring anymodifications to Wi-Fi calling standards, which is unlikelyto be achieved in a short time. In summary, this paper makesfour key contributions. We conducted the first security study to explore the darkside of operational Wi-Fi calling services in five operationalcellular networks in the U.S. and Taiwan using commoditydevices. We identified three Wi-Fi calling vulnerabilities,each of which roots in a design defect of the Wi-Fi callingstandard or an operational slip of the operators.We devised two proof-of-concept attacks by exploitingthe identified vulnerabilities and assessed their negative4G LTE Core NetworkRANS5Serving-GWeNodeBMMETrusted Wi-FiTWAGS6aHSSIMSServersSWxUESTaAAASWmIPsec ChannelUntrusted Wi-Fi ESP Tunnel ModeePDGS2bPDN-GWSGiFig. 1. The 4G LTE network architecture that supports the Wi-Fi callingservice [9].impacts in a responsive manner.We developed a practical solution, Wi-Fi Calling Guardian,to address the identified vulnerabilities. Our experimentsconfirm that it can protect the Wi-Fi calling users from theproposed security threats. We actively reported and demonstrated the security threatsto the industry, and received a positive feedback. Specifically, the security team of Google Android has confirmedour findings and promised to address the vulnerabilitythat coming from the device. Our research result can thusbenefit billions of Android phone users.The rest of the paper is organized as follows. Section 2presents the background of the Wi-Fi calling technology.Section 3 describes the threat model, methodology, andethical considerations of this present study. Section 4 discloses the Wi-Fi calling vulnerabilities. Sections 5 and 6present and evaluate two proof-of-concept attacks, namelythe THDoS and user privacy leakage attacks, respectively.We propose a solution and evaluate it in Section 7. Section 8presents related work, and Section 9 concludes this paper. 2W I -F I CALLING P RIMERIn this section, we introduce the network architecture andthe voice call flow of the Wi-Fi calling services.Network architecture: Figure 1 illustrates a simplified network architecture that supports both the Wi-Fi calling andVoLTE services. The UE (User Equipment), where the Wi-Ficalling and VoLTE applications are installed, connects to thesimilar network infrastructure including the RAN (RadioAccess Network) and the CN (Core Network). For the RAN,VoLTE and Wi-Fi calling employ the eNodeB (Evolved NodeB) and the Wi-Fi network, respectively. The 3GPP standard [18] classifies the Wi-Fi network into two types, namelytrusted and non-trusted. For a cellular network operator, the1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.Authorized licensed use limited to: Michigan State University. Downloaded on November 23,2020 at 01:05:28 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2995509, IEEETransactions on Mobile Computing3CallerWi-Fi calling ServerCalleethen the other end acknowledges it with a 200 OK message.1. INVITE2. 100 Trying3. 183 Session4. PRACK5. 200 OK6. 180 Ringing7. PRACK8. 200 OK9. 200 OK10. ACK11. Voice Packets13. 200 OK12. BY12BYEEFig. 2. Wi-Fi calling call flow diagram.Wi-Fi networks deployed by itself are considered trusted,whereas the others are non-trusted.The CN consists of eight main components: the S-GW(Serving Gateway), the PDN-GW (Public Data NetworkGateway), the IMS (IP Multimedia Subsystem) servers,the TWGA (Trusted Wireless Access Gateway), the ePDG(Evolved Packet Data Gateway), the HSS (Home SubscriberServer), the MME (Mobility Management Entity), and theAAA (Authentication, Authorization, and Authorization)server. For the IMS traffic delivered between the UE andthe IMS servers, the VoLTE packets are routed by the S-GWand the PDN-GW; those of Wi-Fi calling are routed by thetrusted Wi-Fi network, the TWAG, and the PDN-GW, or bythe untrusted Wi-Fi network, the ePDG, and the PDN-GW.The IMS servers offer multimedia services such as voice andtext services in the cellular network. The HSS stores usersubscription data while, together with the AAA, providingthe user authentication service. The MME takes care of usermobility and network resource reservation.In order to protect the UE and the CN from the access ofthe non-trusted Wi-Fi network, the Wi-Fi calling standard [1]stipulates that the UE and the CN shall support the EAPAKA (Extensible Authentication Protocol - Authenticationand Key Agreement) procedure [19], IKEv2 (Internet KeyExchange version 2), and IPSec [20]. Specifically, they haveto authenticate each other based on the EAP-AKA procedure and then establish a secure IPSec channel using theESP tunnel mode [21], [22] between the UE and the ePDGfor the Wi-Fi calling services.Wi-Fi calling call flow: Figure 2 shows the normal callflow of Wi-Fi calling. To initiate a call, the caller sends anSIP INVITE message, which specifies the capabilities (e.g.,voice codec) of the caller, to the callee. Afterwards, the Wi-Ficalling server at the IMS system replies to the caller with an100 Trying message, which indicates that the call setup isin progress. In the meantime, the callee replies to the callerwith a list of available voice codecs in an 183 Sessionmessage. After receiving the message, the caller sends aPRACK (Provisional Acknowledgement) message to informthe callee of the selected codec. Once the PRACK is received,the callee phone starts to ring while sending back an 180Ringing message. The caller phone rings upon the arrivalof the 180 Ringing message. Whenever the callee answersthe call, two call ends start to exchange voice packets forthe voice call after the 200 OK and ACK messages. A BYEmessage is sent from the end who terminates the call, and3 T HREAT M ODEL , M ETHODOLOGY AND E THICALC ONSIDERATIONSThreat model: Compared to the limited deployment oftrusted Wi-Fi networks, the non-trusted public Wi-Fi networks have been broadly deployed in practice, includingthose in campuses, libraries, grocery stores, coffee shops, toname a few. The present study mainly targets the securitythreats while users are using non-trusted public Wi-Fi networks. Adversaries are people or organizations which attackthe Wi-Fi calling users. We consider the adversaries withthe following capabilities: (1) they can intercept, modify, orinject any messages in the public communication channels(inside or outside connected Wi-Fi networks, e.g., Internet); (2) they adhere to all cryptographic assumptions, e.g.,adversaries cannot decrypt an encrypted message withoutthe decryption key; (3) they cannot compromise the Wi-Ficalling devices or the cellular network infrastructure, butmay access/deploy surveillance cameras near the victims.Methodology: We validate the vulnerabilities and the attacks on three major U.S. carriers, which together takeabout 75% of market share, and two Taiwan carriers, whichtogether take 45% of market share. We conduct experimentsusing two Wi-Fi APs, a software-based AP based on aMacBook Pro 2014 laptop and an ASUS RT-AC1900 AP,and eight popular smartphones with the Wi-Fi calling service, which include Samsung Galaxy S6/S7/S8/J7, AppleiPhone6/iPhone7/iPhone8, and Google Nexus 6P. Appleand Samsung already take 74% share of the smartphonemarket [23]. The experiments are conducted in the Wi-Finetworks of several campuses, including Michigan StateUniversity, New York University, University of CaliforniaBerkeley, and Northeastern University.Ethical considerations: We understand that some feasibilitytests and attack evaluations might be harmful to the operators and/or users. Accordingly, we proceed with thisstudy in a responsible manner by running experimentsin fully controlled environments. In all the experiments,victims are always our lab members. Our goal is to disclosenew security vulnerabilities and provide effective solutions,instead of aggravating the damages.4S ECURITY V ULNERABILITIES OF W I -F I C ALLINGIn this section, we first introduce three security vulnerabilities discovered from operational Wi-Fi calling services in theU.S., and then present a study on non-U.S. operators and afeedback from the industry.4.1 V1: WLAN selection mechanisms for Wi-Fi callingdevices merely consider radio/connectivity capabilitiesof available Wi-Fi networksThe first vulnerability is that all studied Wi-Fi callingdevices cannot exclude an insecure Wi-Fi network whileenabling Wi-Fi calling services. According to Wi-Fi callingstandards [1], [8], there are two Wi-Fi network selectionmodes: manual and automatic modes. In the manual mode,1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.Authorized licensed use limited to: Michigan State University. Downloaded on November 23,2020 at 01:05:28 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2995509, IEEETransactions on Mobile Computing4I46546856.316883 192.168.2.556.337334 192.168.2.5208.54.16.4208.54.16.4ESPESP176176ESP (SPI 0x0855c9c8)ESP (SPI 0x0855c9c8)46947056.347763 208.54.16.456.348012 208.54.16.4192.168.2.5192.168.2.5ESPESP176176ESP (SPI 0xbb21253b)()ESP (SPI 0xbb21253b)Packet Size (byte)No. Time Source Destination Protocol Lengthg Info()440 56.276919 208.54.16.4 192.168.2.5 ESP176ESP (SPI 0xbb21253b)441 56.266969 208.54.16.4 192.168.2.5 ESP176ESP (SPI 0xbb21253b)Fig. 3. A trace of the Wi-Fi calling packets intercepted based on the ARPspoofing.devices maintain a prioritized list of selected Wi-Fi networks, the implementation of which is vendor-specific. Inthe automatic mode, devices select their connected WiFi networks by following the guidance from the networkinfrastructure based on the ANDSF (Access Network Discovery and Selection Function) procedure described in [9].However, both modes do not consider security risks ofavailable Wi-Fi networks but radio quality (e.g., ThreshBeaconRSSIWLANLow [8]) and connectivity capabilities, suchas MaximumBSSLoad (i.e., the loading of Wi-Fi AP), MinimumBackhaulThreshold (e.g., 2 Mbps in the downlink) [9],[24].Validation: We deploy two Wi-Fi routers of the same modelto test the Wi-Fi network selection of the Wi-Fi callingdevices. The experiment is conducted with four steps asfollows. First, those two routers are deployed 5 and 10meters, respectively, away from the tested devices. All testWi-Fi calling devices are pre-installed with the requiredcredentials to access these two Wi-Fi routers. Second, thesecurity mechanism against the ARP (Address ResolutionProtocol) spoofing attack, which is the prerequisite of various MitM (Man-in-the-Middle) attacks, is enabled on the farrouter, but it is disabled on the near router. Third, we launchan ARP spoofing attack from a computer that connects to thenear router, to perform an MitM attack against all the otherdevices connecting to the router. Fourth, we enable the WiFi calling service on all the tested devices, and then makea Wi-Fi calling call on each device whenever the devicesuccessfully has a Wi-Fi network connected.We have three observations from the experiment. First,all the test Wi-Fi calling devices connect to the near WiFi router. Second, all the Wi-Fi calling packets from thetested devices are intercepted by the computer based onthe ARP spoofing attack, as shown in Figure 3. Third, noneof the tested devices disconnects from the near router orterminates their Wi-Fi calling services; not any alerts orwarnings are observed from the tested devices. This validation experiment confirms that current WLAN selectionmechanisms do not prevent the Wi-Fi calling devices fromconnecting to an insecure Wi-Fi network, thereby causingthem to suffer from the MitM attack. Note that the MitMattack does not need to compromise or control the nearrouter.Security implications: It is not without reasons that theWLAN selection mechanisms do not take security issuesinto consideration but consider only the radio qualityor/and WLAN performance, since the Wi-Fi calling sessionshave been protected by the IPSec tunnels with the end-toend confidentiality and integrity protection. Although thesecurity protection can prevent the Wi-Fi calling packetsfrom being decrypted or altered, intercepting or discardingthose packets for further attacks is still possible. We believe14001200100080060040020000II20III4060Time (second)IV80VVI100Fig. 4. The IPSec packets of six Wi-Fi calling events over time ( : uplinkpackets; : downlink packets; I/VI: Activating/Deactivating Wi-Fi calling;II/III: Receiving/Dialing a call; IV/V: Sending/Receiving a text).No. Time3216.894215 208.54.83.96 192.168.29.211 ESP Source Destination Protocol Length Info1360ESP (SPI 0x00451590)3716.896092 fd00:976a:1 2607:fc20:49 SIP1132Request: INVITE sip:15174024559@[2607:fc20:49:1f4c.9717.314491 2607:fc20:49. fd00:976a:1. SIP1084Status: 180 Ringing 9817.315048 192.168.29.211 208.54.83.96 ESP1152ESP (SPI 0x09960417)SIP Message1304 38.827132 2607:fc20:49 fd00:976a:1 SIP1132Request: BYE sip:sgc c@[FD00:976A:14FB:57::1]:65529 .1305 38.827493 192.168.29.2 208.54.83.96 ESP1200ESP (SPI 0x09960417)Ipsec PacketFig. 5. A trace of the Wi-Fi calling packets collected on a test phone: SIPand IPSec packets.that 3GPP and GSMA shall revisit the Wi-Fi network selection mechanisms for the Wi-Fi calling service in termsof security; otherwise, the Wi-Fi calling users are beingexposed to potential security threats.4.2V2: Potential Side-channel InferenceGiven the security mechanisms of untrusted access, thepackets of the cellular services under untrusted Wi-Fi networks can be securely delivered through the IPSec channelbetween the UE and the ePDG. However, we discover thatfor all the test operators, the Wi-Fi calling service is theonly service carried by the IPSec channel. This monotonousoperation may allow the adversary to monitor the channeland then launch a side-channel attack to infer user privacyfrom the Wi-Fi calling events (e.g., call and text messagingstatuses) and call statistics.Validation: We examine whether any information can beinferred based on the intercepted Wi-Fi calling packets,which are encrypted by IPSec. After analyzing their patterns, we discover that for all the three operators, thereare six service events of the Wi-Fi calling service, namelydialing/receiving a call, sending/receiving a text message,and activating/deactivating the service.Figure 4 shows the IPSec packets captured on a Wi-FiAP when the above six events are triggered on a test phoneconnecting to the AP. It is observed that all the events differfrom each other in terms of traffic patterns, which are composed of packet direction (uplink or downlink), packet size,and packet interval. In order to automatically identify thembased on the encrypted Wi-Fi traffic, we apply a decisiontree method, the C4.5 algorithm [25]. To prepare a set oftraining data, we trigger those six events on the test phonewith 50 runs each while collecting all the IPSec packets onthe Wi-Fi AP. Based on the training data, a classificationmodel can be generated by the C4.5 algorithm. We assessthe classification accuracy of the model using 50 tests by1536-1233 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications standards/publications/rights/index.html for more information.Authorized licensed use limited to: Michigan State University. Downloaded on November 23,2020 at 01:05:28 UTC from IEEE Xplore. Restrictions apply.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMC.2020.2995509, IEEETransactions on Mobile Computing5Test DeviceUS-IUS-IIUS-IIISamsung J7 (US-III)Samsung S6 (US-II)Samsung S7 (US-I)Samsung S8 (US-II)Nexus 6PiPhone 6iPhone 7iPhone %100%100%100%N/AN/AN/AN/A100%100%100%TABLE 2Classification accuracy of the Wi-Fi calling events in variouscross-phone and cross-carrier cases. N/A means that the test phonedoes not support the carrier’s Wi-Fi calling service.comparing the model’s output with the test phone’s packettrace as shown in Figure 5. The result shows that the modelcan give 100% accuracy. Note that the test phone is Nexus6P with the Wi-Fi calling service of US-I.We next examine whether the classification model worksfor cross-phone and cross-carrier cases. We consider variousdevices with the Wi-Fi calling services of the three carriers.Table 2 summarizes the result. It is observed that thosesix events in all the test cases can be identified accurately.Accordingly, the model that is derived based on the training data collected from Nexus 6P with the US-I’s Wi-Ficalling service can be applied to the other devices andcarriers, which include the Samsung Galaxy J7/S6/S7/S8and iPhone 6/7/8 devices with the US-II/US-III networks.Security implications: The IPSec channel can prevent manin-the-middle attackers from decrypting or altering the WiFi calling packets, but does not block the side-channel inference attack. Its monotonous operation allows the adversaryto collect ‘clean’ Wi-Fi calling traffic, which simplifies theside-channel inference.4.3 V3: the Inter-system Service Continuity Mechanismof Wi-Fi Calling can be BypassedThe inter-system service continuity mechanism can seamlessly switch the voice service of Wi-Fi calling on a deviceback to the cellular-based voice service (e.g., VoLTE), whenthe device disconnects from its connected Wi-Fi network orit cannot be reached through the Wi-Fi network (e.g., noresponse from the device in the Wi-Fi calling service). Themechanism can be triggered by the device or the cellularnetwork infrastructure, and mainly consists of two steps,namely an inter-system handover [9] between Wi-Fi andthe cellular network, and a procedure of the IMS servicecontinuity [2]. Its operation can inherently protect the device against a DoS attack on the Wi-Fi calling service. Forexample, when all the Wi-Fi calling packets are maliciouslydropped, the device is unreachable. However, the operationis not bullet-proof and may be bypassed with a sophisticated attack.Validation: We conduct experiments to examine whetherthe mechanism can be bypassed in any scenarios. We testa Wi-Fi calling device with the following four scenarios,together with their corresponding results. First, the devicewith an established voice call of Wi-Fi calling moves out ofits connected Wi-Fi network. We observe that the ongoingFig. 6. A trace shows that a device switches an ongoing call attempt fromWi-Fi calling to VoLTE after all the Wi-Fi calling packets are dropped. Itis obtained on the test phone via the software MobileInsight [26].voice call can successfully migrate from Wi-Fi calling toVoLTE without any call interruption. Second, the device isdialing a Wi-Fi calling call while all its Wi-Fi calling packetsare discarded from the Wi-Fi AP. We find that the devicesuccessively sends a packet of SIP INVITE to the Wi-Ficalling server; after six attempts, it switches to initiating aVoLTE call, as shown in Figure 6. Third, while the deviceis having an incoming call, all the Wi-Fi calling packetsare discarded. It is observed that the device switches toVoLTE for the incoming call. Fourth, the packets of a WiFi calling call on the device are discarded right after the callis established. We observe that no voice can be heard fromtwo call ends, but the inter-system switch is not triggeredand the device keeps the connection of the Wi-Fi network.In summary, the inter-system service continuity mechanism is triggered only when the radio quality of the connected Wi-Fi network becomes bad, or the device and thenetwork infrastructure cannot reach each other in the Wi-Ficalling service. As in the above fourth case, where the deviceand the network can reach each other but some packets aredropped, the adversary can attack a device’s Wi-Fi callingcall while keeping the device using the Wi-Fi
The IPSec sessions between Wi-Fi calling devices and the core network carry only the Wi-Fi calling traffic, so its traffic patterns can be learned to infer various Wi-Fi calling events (Section 4.2). V3: the service continuity mechanism be-tween Wi-Fi calling and cellular-based voice services may no
May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)
Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .
N450 WiFi Cable Modem Router (N450) 54 N600 WiFi Cable Modem Router (C3700) 55 AC1750 WiFi Cable Modem Router (C6300) 56 WiFi USB Adapters. AC1200 High Gain WiFi USB Adapter (AC1200) 58 AC600 WiFi USB Mini Adapter (A6100) 59 N600 WiFi USB Adapter (WNDA3100) 59 N300 WiFi USB Adapter (WNA3100) 60 N300 WiFi USB Mini Adapter (WNA3100M) 60 N150 WiFi USB Adapter (WNA1100) 61 N150 WiFi USB Micro .
On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.
̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions
Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have
Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được
Nighthawk —AC1900 WiFi Cable Modem Router For XFINITY Internet & Voice Data Sheet C7100V Get the fastest WiFi currently available on WiFi cable modem routers & enjoy a blazing-fast, lag-free WiFi experience for gaming, video streaming or surfing. Speed EXTREMELY FAST WIFI—Up to 1.9 Gpbs combined WiFi speed for extreme gaming and .
