This artifact contains the source code necessary to run client- and server-side evaluation scripts for our VoWiFi security analysis. While the scripts can be used to scan for various security parameters (e.g., ciphers), our evaluation focuses on the key exchange (i.e., the supported Diffie-Hellman (DH) groups and the rekey-timings) that are used for the first (i.e., phase 1) VoWiFi tunnel that is essential to the security of the overall communication.
Our corresponding USENIX Security '24 paper can be found here. The presentation slides are available here.
If you want to cite our paper in your work, please use the following BibTeX entry.
@inproceedings{gegenhuber2024diffie,
title={Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments},
author={Gegenhuber, Gabriel K and Holzbauer, Florian and Frenzel, Philipp {\'E} and Weippl, Edgar and Dabrowski, Adrian},
booktitle={33rd USENIX Security Symposium (USENIX Security 24)},
year={2024}
}
We use Git LFS (Git Large File Storage) for the dumps.zip file containing client-side operator configurations. To successfully clone the repository including the 400MB dumps.zip file, Git LFS hooks are required.
Therefore:
- Make sure to have Git LFS installed.
- Set up the LFS hooks by running:
git lfs install
- Clone the repository by running:
git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git
Alternatively, if you do not want to use Git LFS you can clone the repository without the prior instructions and download the dumps.zip file via a mirror at our scientific artifact storage.
git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git
wget -O vowifi-epdg-scanning/client-side/dumps.zip https://services.phaidra.univie.ac.at/api/object/o:2083413/download
This README file contains the instructions for the client-side VoWiFi parameter analysis (Section 5).
You can reproduce all the client-side analysis steps using the provided jupyter notebook.
cd client-side
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
To run the notebook:
jupyter notebook client_side_evaluation.ipynb
The Jupyter notebook provides step-by-step instructions for extracting and harmonizing the client-side configuration data for the different device types. Furthermore, it uses the harmonized results in JSON format (created by the first part of the notebook) to generate graphs that present the summarized results in a more convenient and human-friendly way.
Since the full extraction requires downloading complete firmware ROMs (often more than 10 GB each) from external sources, and since unpacking the relevant configurations from a ROM is a time-consuming process, we took a shorter path for the artifact evaluation and just provide, in dumps.zip, the configuration files that were used within our publication.
To make it easier for other researchers to repeat the full configuration extraction at a later point in time (e.g., with more recent or different firmware ROMs) we reference the used approach here.
This README section contains the instructions for the server-side ePDG probing (Section 6).
cd server-side
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
Note
The server-side scans use scapy to send and receive packets and thus require root privileges.
sudo su
source venv/bin/activate
./epdg_scanner.py --testcase SUPPORT_DH_768MODP
./epdg_scanner.py --testcase SUPPORT_DH_1024MODP
./epdg_scanner.py --testcase SUPPORT_DH_1536MODP
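What a SUPPORT_DH_* test case negotiates on the wire, shown as an added example that is not the project's epdg_scanner.py code: the SA payload of an IKEv2 IKE_SA_INIT request lists one proposal per offered DH group, so a probe that offers only 768-bit MODP (IANA group 1) forces the ePDG to either accept that group or answer NO_PROPOSAL_CHOSEN. The block encodes such a payload with the standard library using the RFC 7296 wire format and IANA transform numbers, decodes the proposal a responder picked, and rates the MODP size the way the three test cases above single out weak groups. The single-group probe strategy, the non-DH transforms (AES-CBC-128, HMAC-SHA1), the 2048-bit threshold and the responder bytes are assumptions made for this example, not facts taken from the scanner.

```python
"""Added example, not the project's epdg_scanner.py: encode the IKEv2 SA payload
of an IKE_SA_INIT probe for given DH groups, decode the proposal a responder
picked, and rate the negotiated MODP size. Standard library only, runs offline."""
import struct

# Payload types and transform types from RFC 7296 (IANA IKEv2 registries)
PAYLOAD_SA, PAYLOAD_KE = 33, 34
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
# Transform IDs assumed for the example's non-DH transforms
ENCR_AES_CBC = 12
PRF_HMAC_SHA1 = 2
AUTH_HMAC_SHA1_96 = 2
ATTR_KEY_LENGTH = 0x800E  # Key Length attribute, AF bit set (TV format), type 14

# IANA DH group number -> MODP size in bits
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}
WEAK_BELOW_BITS = 2048  # assumption: anything smaller is flagged, matching the three test cases


def encode_transform(ttype, tid, key_len=None, last=False):
    """Transform substructure: first byte 0 = last transform, 3 = more follow."""
    attr = struct.pack("!HH", ATTR_KEY_LENGTH, key_len) if key_len is not None else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attr), ttype, 0, tid) + attr


def encode_proposal(dh_group, num=1, last=True):
    """Proposal #num for protocol IKE (1), SPI size 0, four transforms; first byte 0 = last, 2 = more."""
    transforms = (
        encode_transform(ENCR, ENCR_AES_CBC, key_len=128)
        + encode_transform(PRF, PRF_HMAC_SHA1)
        + encode_transform(INTEG, AUTH_HMAC_SHA1_96)
        + encode_transform(DH, dh_group, last=True)
    )
    return struct.pack("!BBHBBBB", 0 if last else 2, 0, 8 + len(transforms), num, 1, 0, 4) + transforms


def encode_sa_payload(dh_groups, next_payload=PAYLOAD_KE):
    """SA payload offering one proposal per DH group, in preference order.
    A probe for a single weak group offers only that group, so the responder
    must either accept it or reply NO_PROPOSAL_CHOSEN (probe strategy assumed here)."""
    body = b"".join(
        encode_proposal(g, num=i + 1, last=(i == len(dh_groups) - 1))
        for i, g in enumerate(dh_groups)
    )
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_sa_payload(data):
    """Walk the proposals and transforms of an SA payload (generic payload header included)."""
    total = struct.unpack("!H", data[2:4])[0]
    proposals, off = [], 4
    while off < total:
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", data[off:off + 8])
        toff, transforms = off + 8 + spi_size, {}
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", data[toff:toff + 8])
            transforms[ttype] = tid  # attributes (e.g. key length) are skipped via tlen
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": transforms})
        off += plen
        if more == 0:
            break
    return proposals


def rate_dh_group(group):
    """'weak' for MODP groups below the threshold, 'ok' otherwise, 'unknown' if not in the table."""
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        return "unknown"
    return "weak" if bits < WEAK_BELOW_BITS else "ok"


def inspect_response(sa_payload):
    """Rate the single proposal an IKE_SA_INIT response carries."""
    chosen = decode_sa_payload(sa_payload)[0]
    group = chosen["transforms"][DH]
    return {"dh_group": group, "bits": DH_GROUP_BITS.get(group), "rating": rate_dh_group(group)}


if __name__ == "__main__":
    probe = encode_sa_payload([1])      # what a SUPPORT_DH_768MODP probe would offer
    response = encode_sa_payload([1])   # constructed stand-in for a responder that accepted group 1
    print(probe.hex())
    print(inspect_response(response))   # {'dh_group': 1, 'bits': 768, 'rating': 'weak'}
```

A real IKE_SA_INIT request also carries a KE payload (hence the next-payload value 34 in the SA payload) and a nonce, and is sent over UDP port 500; the project builds and sends the complete message with scapy. The SA payload of a captured response (e.g. exported from the .pcap in the results directory) can be passed to inspect_response() as-is, since the responder echoes exactly one proposal.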
If you have trouble running the server-side scans on your system, you can also run them within a Docker container.
Run an Ubuntu container via Docker (interactive mode):
docker run -i -t ubuntu bash
Set up the container and run the scan (the container shell already runs as root, so no sudo is needed inside it):
apt update
apt install -y git python3-pip python3-venv tcpdump
git clone https://github.com/sbaresearch/vowifi-epdg-scanning.git
cd vowifi-epdg-scanning/server-side/
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
./epdg_scanner.py --testcase SUPPORT_DH_768MODP
The probing results can be found in the results directory. The .txt file contains the security associations that were negotiated with each server. The .pcap file can be used for further (more precise) analysis with Wireshark.
For a simple evaluation, the .txt file can be filtered in the following manner:
grep successful results/SUPPORT_DH_768MODP_*.txt
or, to list each affected operator/domain once (sort -u also removes duplicates that are not adjacent, which uniq alone would miss):
grep successful results/SUPPORT_DH_768MODP_*.txt | cut -d' ' -f2 | sort -u
Depending on the device, the following approaches were used to extract the VoWiFi configuration data:
Provider | VoWiFi configuration through | Download & Parse |
---|---|---|
Apple | IPCC Files | https://github.com/mrlnc/ipcc-downloader |
Oppo | MBN Files | https://github.com/sbaresearch/mbn-mcfg-tools |
Xiaomi | MBN Files | https://github.com/sbaresearch/mbn-mcfg-tools |
Samsung | XML Files | Handset path: /system/etc/epdg_apns_conf.xml |
To extract VoWiFi configurations from IPCC files the following steps are necessary.
Download IPCC files using ipcc-downloader.
./download_ipccs.py -d # May take some time
cd data
find . -name '*.plist' -exec sh -c 'plistutil -i "$1" -o "$1.xml"' _ {} \;  # safe with spaces in paths and skips already converted .plist.xml files on re-runs
The IPCC URLs (ipcc_urls.txt) and the unpacked carrier configurations are stored in the data folder.
To extract VoWiFi configurations from a Samsung firmware image, the following steps are necessary.
- Extract the AP (.tar.md5) file.
- lz4: unpack super.img.lz4 to super.img:
lz4 super.img.lz4
- simg2img: unpack super.img to super.img.raw:
simg2img super.img super.img.raw
- lpunpack: extract the system image from super.img.raw:
python3 lpunpack.py --partition=system super.img.raw extracted
- Mount extracted/system and go to /system/etc/.
The system/etc/epdg_apns_conf.xml file contains the ePDG endpoints and the corresponding cipher configurations.
For Oppo and Xiaomi devices (MBN files), the following steps are necessary.
- Extract the ROM and go to the images folder.
- Mount NON-HLOS.bin (the modem image).
- The MBN MCFG files are located at /image/modem_pr/mcfg.
- Use mbn-mcfg-tools to further process the MBN files.
This project is licensed under GPLv3.