Hi yeah I am interested to know how it works, from a layman's point of view. I wonder if there are any vulnerabilities using WiFi calling , like is it a back door to see your internet traffic etc

    roddyd

    I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope". I really Really REALLY wish they'd integrate such an option. Hell, I don't see why it wouldn't be possible to create a local WiFi calling interface to have all cellular phones calls made over mobile data. Such a network interface would force the phone to think cellular connection = WiFi connection and use mobile data to make all cellular calls. If mobile data is protected via VPN, then all cellular phone calls would be tunneled through it.

      L8437

      Carrier WiFi calling uses an IPSec tunnel, which is an old and insecure VPN protocol, and usage of WiFi calling opens you to more attack surface - https://www.cse.msu.edu/~ghtu/published-papers/Xie-WiFi-calling-TMC-2020.pdf . I suggest fully disabling carrier WiFi calling. That way your carrier doesn't know the IP address of the WiFi network to which you are connected.

      Each carrier uses its own domains for WiFi calling and your phone should only try to resolve such domains if SIM card is inserted and active, but your phone continues to try to resolve those domains when connected to WiFi in Airplane mode even if SIM card is disabled + WiFi calling itself is disabled! That happens even if you remove SIM card and fully reset all network settings. The only way to stop your phone from trying to resolve such domains when connected to WiFi is to perform full factory reset and never insert a SIM card. If you insert SIM card and connect to your carrier network just one time after full factory reset, then your phone remembers your carrier. I think if you insert a SIM card from a different carrier, then it forgets previous carrier's WiFi calling domains and starts using new carrier's WiFi calling domains. This is already reported to GOS developers and marked as upstream Android bug (not GOS bug).

      There is more (and none of it good...). Carrier WiFi calling doesn't use the private DNS servers specified in Android settings. It uses the WiFi network's specified DNS addresses. As mentioned earlier, if WiFi calling is disabled, attempts to resolve carrier WiFi calling domains over WiFi continue. That means the WiFi network to which you connect immediately knows that someone with a phone on your carrier is connected to it, even though no actual carrier WiFi calls are possible when it's disabled. That in itself is a non-unique identifier, but still an identifier that narrows things down... The only way around that is to connect to your own WiFi network that blocks carrier WiFi calling domains via a local DNS server/forwarder (like Pi-Hole) and/or the IPs of those domains. That is of course not an optimal solution. The optimal solution is to have Android disable carrier WiFi calling domain resolution when carrier WiFi calling is disabled. Unlike the idea of tunneling all carrier phone calls via a local interface that forces the phone to think that mobile data = WiFi connection and further tunneling inside a VPN tunnel, forcing Android not to resolve any carrier WiFi calling domains over a WiFi connection when carrier WiFi calling is disabled shouldn't be that complicated. I can accomplish that, but only when the bootloader is unlocked and the phone is rooted..., which kind of defeats the point of hardened security.

        It sounds to me as if the smart thing to do is to write off WiFi Calling as inherently insecure.

          OpenSource-Ghost Each carrier uses its own domains for WiFi calling and your phone should only try to resolve such domains if SIM card is inserted and active, but your phone continues to try to resolve those domains when connected to WiFi in Airplane mode even if SIM card is disabled + WiFi calling itself is disabled! That happens even if you remove SIM card and fully reset all network settings. The only way to stop your phone from trying to resolve such domains when connected to WiFi is to perform full factory reset and never insert a SIM card. If you insert SIM card and connect to your carrier network just one time after full factory reset, then your phone remembers your carrier. I think if you insert a SIM card from a different carrier, then it forgets previous carrier's WiFi calling domains and starts using new carrier's WiFi calling domains. This is already reported to GOS developers and marked as upstream Android bug (not GOS bug).

          Does this mean that there is no benefit to turning off Wifi Calling since the phone will attempt to connect either way?

            roddyd
            No, if WiFi calling is off, the actual calling won't happen, but the phone will continue to try to query WiFi calling domains over WiFi. Querying domains isn't the same as connecting to queried domains. Your phone will keep making queries for WiFi calling domains over WiFi, but it won't be doing any calling and won't be connecting to the WiFi domains it queries. The problem is that the querying itself needlessly provides information (domain names) about your carrier to the network.

              OpenSource-Ghost Do you think it would be better to use mobile data or WiFi Calling in terms of overall privacy and security? On one hand the mobile network can determine your location, but on the other hand Wifi calling gives the carrier your IP and it gives the network your carrier brand. If you have to get calls and texts somehow, which do you choose?

                unwat Only one connection should be made outside of the VPN,

                The GrapheneOS endpoint to detect a captive portal?

                  ve3jlg

                  Yes, that's what I meant, but I was incorrect and forgot about the other stuff, like hotspot traffic, necessary pre-VPN connection traffic, and probably others I can't think of right now.

                  Until OpenSource-Ghost shared what they know, I figured wifi calling would be tunneled through the user's VPN, but I was wrong. So, I did a search on Matrix and one of the devs said that wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

                    OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider be able to see my mobile phone network?
                    Or will my mobile network now be able to see my WiFi network?

                      spiral

                      Each carrier has its own, and viewing the Pi-Hole log should make it obvious. Usually, the domain either includes the carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-Hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if the WiFi password is known). If an attacker knows your IMSI + carrier WiFi calling domains + manages to crack the WiFi password, then the attacker can impersonate you.
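
The post above says the WiFi calling lookups are easy to spot in a Pi-Hole log because the name carries "ePDG...MNC...MCC" and recurs every 15, 30 or 60 seconds. The script below is an added example written for this thread; it is not code from the forum, from GrapheneOS or from Pi-hole. It parses dnsmasq-style query lines (the format Pi-hole writes to its query log), recognises the 3GPP ePDG discovery name `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org` as defined in 3GPP TS 23.003, pulls the MCC/MNC out of it, and reports how regularly each client repeats the lookup. The log lines are constructed for the example, and the PLMN values mnc001/mcc001 are test-network codes rather than any real carrier. Carrier-branded names of the "T-Mobile...Store..." kind mentioned in the post have no fixed format, so the script does not try to match them.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines in the dnsmasq/Pi-hole query-log format (not a real capture).
# mnc001/mcc001 are test-network PLMN codes, not a particular carrier.
SAMPLE_LOG = """\
Mar  3 12:00:01 dnsmasq[612]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:00:02 dnsmasq[612]: query[A] example.net from 192.168.1.50
Mar  3 12:00:31 dnsmasq[612]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:00:45 dnsmasq[612]: query[AAAA] example.org from 192.168.1.77
Mar  3 12:01:01 dnsmasq[612]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:01:31 dnsmasq[612]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.50
"""

# dnsmasq "query[TYPE] name from client" lines, as written to the Pi-hole query log
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# 3GPP ePDG discovery FQDN (TS 23.003): epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
EPDG_RE = re.compile(
    r"^epdg\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.pub\.3gppnetwork\.org\.?$",
    re.IGNORECASE,
)


def parse_query_line(line):
    """Return the fields of one dnsmasq query line, or None if it is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog-style timestamps carry no year; strptime defaults it, which is fine for intervals
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "qtype": m.group("qtype"), "name": m.group("name"), "client": m.group("client")}


def carrier_from_domain(name):
    """Extract (mcc, mnc) from an ePDG FQDN; None for any other name."""
    m = EPDG_RE.match(name)
    if not m:
        return None
    return m.group("mcc"), m.group("mnc")


def find_periodic_epdg_queries(log_text, min_count=3):
    """Group ePDG lookups per (client, name) and report how regularly they recur."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        plmn = carrier_from_domain(rec["name"])
        if plmn is None:
            continue  # ordinary traffic, not a WiFi calling lookup
        seen[(rec["client"], rec["name"].lower())].append((rec["ts"], plmn))

    report = {}
    for key, events in seen.items():
        if len(events) < min_count:
            continue  # too few lookups to call it periodic
        times = sorted(ts for ts, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mcc, mnc = events[0][1]
        report[key] = {"mcc": mcc, "mnc": mnc, "count": len(times), "median_interval_s": median(gaps)}
    return report


if __name__ == "__main__":
    for (client, name), info in find_periodic_epdg_queries(SAMPLE_LOG).items():
        print(f"{client} -> {name}: MCC {info['mcc']} MNC {info['mnc']}, "
              f"{info['count']} lookups, ~{info['median_interval_s']:.0f}s apart")
```

Run it against a copy of the Pi-hole query log instead of `SAMPLE_LOG` to see which clients on the LAN are still resolving an ePDG name and at what cadence; a client that keeps doing so with WiFi calling switched off is exhibiting exactly the behaviour the thread describes, and the MCC/MNC pair in the report is the carrier identifier the network learns from those lookups.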

                      L8437

                      If WiFi calling is disabled, the WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.

                      roddyd

                      I prefer to disable WiFi calling and use WiFi only when in Airplane mode IF the router for that WiFi network does not use a VPN. If the router has a VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using the carrier cellular connection for unencrypted phone calls and SMS.

                      unwat

                      That's not entirely true... If the router itself uses an OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Because that is the case, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps; it can very much be tunneled.

                      I'd be happy if GrapheneOS developers at least stopped WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. The domain name itself reveals the MNC and MCC numbers for your carrier.

                        OpenSource-Ghost

                        Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.

                        Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.

                          OpenSource-Ghost I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope".

                          Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.