
Diffie-Hellman Picture Show: Key Exchange Stories from Commercial VoWiFi Deployments

Gabriel Karl Gegenhuber, Florian Holzbauer, Philipp Frenzel, Edgar Weippl, Adrian Dabrowski

TL;DR

The paper investigates VoWiFi’s phase-1 IKE Diffie-Hellman exchanges and reveals widespread use of weak DH groups and globally shared private keys among operators. It combines static UE configuration analysis, active operator ePDG probing, and live traffic testing to map the real-world security posture, showing critical downgrade vulnerabilities, particularly when clients offer multiple DH groups. The study demonstrates practical downgrade attacks, notes device-specific vulnerabilities (notably in MediaTek-based stacks), and documents rapid responsible disclosures that led to patches. Its findings emphasize structural weaknesses in provisioning and standardization, urging stronger default configurations, the initiation of deprecation paths, and improved autoconfiguration to secure VoWiFi access across networks.

Abstract

Voice over Wi-Fi (VoWiFi) uses a series of IPsec tunnels to deliver IP-based telephony from the subscriber's phone (User Equipment, UE) into the Mobile Network Operator's (MNO) core network via an Internet-facing endpoint, the Evolved Packet Data Gateway (ePDG). IPsec tunnels are set up in phases. The first phase negotiates the cryptographic algorithm and parameters and performs a key exchange via the Internet Key Exchange protocol, while the second phase (protected by the above-established encryption) performs the authentication. An insecure key exchange would jeopardize the later stages and the data's security and confidentiality. In this paper, we analyze the phase 1 settings and implementations as they are found in phones as well as in commercially deployed networks worldwide. On the UE side, we identified a recent 5G baseband chipset from a major manufacturer that allows for fallback to weak, unannounced modes and verified it experimentally. On the MNO side -- among others -- we identified 13 operators (totaling an estimated 140 million subscribers) on three continents that all use the same globally static set of ten private keys, serving them at random. Those not-so-private keys allow the decryption of the shared keys of every VoWiFi user of all those operators. All these operators deployed their core network from one common manufacturer.
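A defender-side check for the static-key finding described in the abstract, as an added example that is not code from the paper: it parses the Key Exchange payload of IKE_SA_INIT responses (RFC 7296 layout) and flags DH public values that an ePDG serves more than once. The sample messages, the `WEAK_GROUPS` policy set and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

IKE_HDR = struct.Struct("!8s8sBBBBII")  # IKEv2 header, 28 bytes (RFC 7296)
PAYLOAD_KE = 34                         # Key Exchange payload type
WEAK_GROUPS = {1, 2}  # assumption: 768/1024-bit MODP treated as weak; set per policy

def extract_ke(msg: bytes):
    """Return (dh_group, public_value) from one IKEv2 message, or None."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    _ispi, _rspi, nxt, _ver, _xchg, _flags, _mid, length = IKE_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length does not match message size")
    off = IKE_HDR.size
    while nxt != 0:                     # walk the payload chain
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        following, _crit, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if nxt == PAYLOAD_KE:
            if plen < 8:
                raise ValueError("short KE payload")
            (group,) = struct.unpack_from("!H", msg, off + 4)
            return group, msg[off + 8:off + plen]
        nxt, off = following, off + plen
    return None

def audit(responses):
    """Count how often each (group, public value) pair appears for one ePDG."""
    seen = defaultdict(int)
    for raw in responses:
        ke = extract_ke(raw)
        if ke:
            seen[ke] += 1
    reused = sorted((g, pub.hex()[:16], n) for (g, pub), n in seen.items() if n > 1)
    weak = sorted({g for g, _ in seen if g in WEAK_GROUPS})
    return {"handshakes": sum(seen.values()), "distinct_keys": len(seen),
            "reused": reused, "weak_groups": weak}

def _sample(group, pub, rspi):
    """Constructed response: header + KE + Nonce (SA payload omitted for brevity)."""
    body = struct.pack("!BBHHH", 40, 0, 8 + len(pub), group, 0) + pub
    body += struct.pack("!BBH", 0, 0, 20) + bytes(16)
    hdr = IKE_HDR.pack(b"\x01" * 8, rspi, PAYLOAD_KE, 0x20, 34, 0x20, 0,
                       IKE_HDR.size + len(body))
    return hdr + body

SAMPLES = [_sample(2, b"\xaa" * 128, b"\x10" * 8),   # constructed, not captured
           _sample(2, b"\xaa" * 128, b"\x11" * 8),
           _sample(14, b"\xbb" * 256, b"\x12" * 8)]
```

IKEv2 permits short-lived reuse of a DH value, so the signal is a repeat across long intervals, many sessions or different operators rather than a single duplicate.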

Paper Structure (97 sections, 14 figures, 5 tables)


Figures (14)

  • Figure 1: VoLTE compared to VoWiFi over an untrusted Internet connection -- as relevant for this paper
  • Figure 2: VoWiFi uses multiple tunnels to ensure security: L1 provides a trusted channel and manages the subsequent connections, L2 acts as a gateway to the internal infrastructure and L3 is used for the actual voice and messaging functionalities.
  • Figure 3: Development of the IPsec IKE Profile as defined in IETF TS 133.210 (IKE_SA_INIT) [etsi-ts-133.210]. Note: LTE started with v8, and IKEv1 has been phased out since v12.
  • Figure 4: Number of MNOs per supported DH group (client side, grouped by device type).
  • Figure 5: Share of deprecated IKEv2 parameters within all operator-specific VoWiFi settings, i.e., 83% of Oppo's configured DH settings include a deprecated DH group.
  • ...and 9 more figures