
Wi-Fi Calling: Revealing Downgrade Attacks and Not-so-private Private Keys

Black Hat · 38:14 · 7,477 views · 11 months ago

This talk demonstrates downgrade attacks against Wi-Fi Calling (VoWiFi) implementations, specifically targeting the IKEv2 key exchange process. Researchers identified that multiple mobile network operators and device manufacturers use weak, hardcoded, or non-random cryptographic keys and insecure Diffie-Hellman groups. The presentation highlights how these vulnerabilities allow for the interception and decryption of VoWiFi traffic and provides a methodology for large-scale scanning of these flaws. The researchers also discuss the challenges of responsible disclosure with vendors and the persistence of these vulnerabilities in production environments.

Wi-Fi Calling Downgrade Attacks: Exploiting Weak IKEv2 Key Exchanges

TLDR: Researchers at Black Hat 2024 demonstrated that many mobile network operators and device manufacturers use weak, hardcoded, or non-random cryptographic keys in their Wi-Fi Calling (VoWiFi) implementations. By exploiting these flaws in the IKEv2 key exchange process, an attacker can perform downgrade attacks to intercept and decrypt sensitive voice traffic. This research provides a clear methodology for identifying vulnerable infrastructure and highlights the critical need for stronger cryptographic standards in mobile network core equipment.

Mobile security research often focuses on the application layer, but the underlying infrastructure powering our cellular networks remains a goldmine for critical vulnerabilities. Wi-Fi Calling, or VoWiFi, is a prime example of a technology that prioritizes seamless connectivity over rigorous security. When a device connects to a Wi-Fi access point, it establishes an IPsec tunnel to the operator’s core network to handle voice and messaging traffic. This tunnel is the backbone of the service, yet as recent research shows, the cryptographic implementation of these tunnels is frequently broken.

The Mechanics of the Downgrade

At the heart of the issue is the IKEv2 key exchange process. When a smartphone initiates a connection to the operator’s Evolved Packet Data Gateway (ePDG), it negotiates security parameters, including the Diffie-Hellman (DH) group to be used for key agreement. The research reveals that many operators and device manufacturers have failed to keep pace with modern cryptographic standards.

The attack flow is straightforward for an adversary-in-the-middle (AitM, often still called MitM). Because the client and server must agree on a security association, the client sends an IKE_SA_INIT request listing its supported DH groups. If the operator’s ePDG is misconfigured to support deprecated or weak groups (such as the 768-bit or 1024-bit MODP groups), an attacker who intercepts the initial handshake can inject an INVALID_KE_PAYLOAD notification naming the weaker group. This forces the client to retry the exchange using the weaker, attacker-preferred group.

Once the connection is downgraded to a weak DH group, the computational effort required to derive the shared secret drops significantly. An attacker with sufficient resources can then decrypt the subsequent IPsec traffic, effectively gaining access to the user's voice and messaging data. This is a classic example of OWASP A02:2021-Cryptographic Failures, where the failure to enforce strong, modern algorithms allows for the compromise of protected data.

Identifying Vulnerabilities at Scale

The researchers developed a methodology to scan for these flaws without needing specialized hardware in every country. By leveraging the fact that ePDG servers are exposed to the public internet, they performed active probing to identify which DH groups were supported by various operators.

The scanning process involves two primary steps:

  1. DNS Discovery: Resolving the ePDG domain for a specific Mobile Country Code (MCC) and Mobile Network Code (MNC).
  2. IKE Handshake: Using a custom Scapy script to initiate the IKEv2 handshake and observe the server's response to different DH group proposals.
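
A defender-side check for the handshake described under "The Mechanics of the Downgrade" and for the two scanning steps above, added here as an example and not the researchers' own Scapy tool: it builds the 3GPP ePDG discovery name from an MCC/MNC pair and parses a raw IKE_SA_INIT reply to report which DH group the responder accepted, flagging anything below 2048-bit MODP. The sample reply is constructed inline (header plus a single SA payload) and the function names are assumptions.

```python
import struct

IKE_SA_INIT, PAYLOAD_SA, TRANSFORM_DH = 34, 33, 4   # RFC 7296 constants
# Transform-type-4 IDs for the MODP groups the talk discusses (RFC 7296 / RFC 3526).
DH_GROUPS = {1: "768-bit MODP", 2: "1024-bit MODP", 5: "1536-bit MODP",
             14: "2048-bit MODP", 15: "3072-bit MODP", 16: "4096-bit MODP"}
WEAK_DH_GROUPS = {1, 2, 5}   # anything below 2048-bit MODP is a finding

def epdg_fqdn(mcc, mnc):
    """ePDG discovery FQDN for an operator (3GPP TS 23.003 naming, MNC zero-padded)."""
    return f"epdg.epc.mnc{int(mnc):03d}.mcc{int(mcc):03d}.pub.3gppnetwork.org"

def dh_groups_in_sa_payload(sa_body):
    """Walk the proposals and transforms of an SA payload body, return DH transform IDs."""
    groups, off = [], 0
    while off < len(sa_body):
        _, _, plen, _, _, spi_size, ntrans = struct.unpack("!BBHBBBB", sa_body[off:off + 8])
        toff = off + 8 + spi_size                      # transforms follow the optional SPI
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", sa_body[toff:toff + 8])
            if ttype == TRANSFORM_DH:
                groups.append(tid)
            toff += tlen
        off += plen
    return groups

def audit_ike_sa_init_response(msg):
    """Parse a raw IKE_SA_INIT reply and report the DH group the responder chose."""
    next_payload, version, exch, flags, _, length = struct.unpack("!BBBBII", msg[16:28])
    if version >> 4 != 2 or exch != IKE_SA_INIT or not flags & 0x20 or length != len(msg):
        raise ValueError("not a well-formed IKE_SA_INIT response")
    chosen, off = None, 28
    while next_payload and off + 4 <= len(msg):       # follow the generic payload chain
        ptype = next_payload
        next_payload, _, plen = struct.unpack("!BBH", msg[off:off + 4])
        if ptype == PAYLOAD_SA:
            chosen = (dh_groups_in_sa_payload(msg[off + 4:off + plen]) or [None])[0]
        off += plen
    return {"dh_group": chosen, "name": DH_GROUPS.get(chosen, "unknown"),
            "weak": chosen in WEAK_DH_GROUPS}

def sample_response(dh_group):
    """Constructed minimal reply (header + one SA payload) for offline testing only."""
    transform = struct.pack("!BBHBBH", 0, 0, 8, TRANSFORM_DH, 0, dh_group)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBH", 0, 0, 4 + len(proposal)) + proposal
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x02" * 8, PAYLOAD_SA, 0x20,
                      IKE_SA_INIT, 0x20, 0, 28 + len(sa))   # 0x20 = Response flag
    return hdr + sa
```

Feed `audit_ike_sa_init_response` the bytes of a captured reply from your own ePDG to confirm it never settles on a group in `WEAK_DH_GROUPS`.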

This approach is highly effective for pentesters. If you are assessing a mobile operator's infrastructure, you do not need to be physically present at a cell tower. You can perform this reconnaissance from your own environment. The researchers found that 41% of the servers they tested were willing to negotiate these weak, deprecated groups, proving that the "security by obscurity" often attributed to telecom infrastructure is a dangerous fallacy.

The Reality of Hardcoded Keys

Beyond the downgrade attacks, the research uncovered a more systemic failure: the use of identical, hardcoded private keys across different operators. In some cases, the researchers found that multiple operators were using the same private keys for their ePDG infrastructure. This is likely a byproduct of integration testing where vendors like ZTE provide pre-configured images that are never properly hardened before being pushed to production.

When a private key is shared across an entire operator's network—or worse, across multiple operators—the security of every subscriber on that network is compromised. If an attacker obtains that single private key, they can decrypt the traffic of millions of users. This was confirmed in the disclosure of CVE-2024-20069, which affected various MediaTek chipsets. The fix required a significant update to the Android security patch level, underscoring how deeply these flaws are embedded in the device firmware.

Defensive Considerations

For those working on the defensive side, the path forward is clear but difficult. Operators must audit their ePDG configurations to explicitly disable support for any DH group weaker than 2048-bit. Furthermore, the practice of using vendor-provided default configurations must end. Every deployment needs a unique, generated key pair.

For researchers and testers, the takeaway is to stop assuming that the "black box" of the carrier core is secure. Use tools like strongSwan to test your own client-side configurations and verify that your devices are not silently accepting weak security associations. If you find an operator that still supports 768-bit or 1024-bit groups, you have found a high-impact finding that warrants a bug bounty report.

The industry is slowly moving toward better standards, but as long as legacy code remains in the codebase, attackers will find ways to trigger it. Always verify the implementation, never trust the specification, and keep your eyes on the handshake.

Talk type: research presentation
Difficulty: advanced
Has demo · Has code · Tool released


Black Hat Europe 2024
