It sounds to me as if the smart thing to do is to write off WiFi Calling as inherently insecure.
WiFi Calling bypasses VPN!
Blastoidea Yes, it seems so. Very disappointing!
OpenSource-Ghost Each carrier uses its own domains for WiFi calling and your phone should only try to resolve such domains if SIM card is inserted and active, but your phone continues to try to resolve those domains when connected to WiFi in Airplane mode even if SIM card is disabled + WiFi calling itself is disabled! That happens even if you remove SIM card and fully reset all network settings. The only way to stop your phone from trying to resolve such domains when connected to WiFi is to perform full factory reset and never insert a SIM card. If you insert SIM card and connect to your carrier network just one time after full factory reset, then your phone remembers your carrier. I think if you insert a SIM card from a different carrier, then it forgets previous carrier's WiFi calling domains and starts using new carrier's WiFi calling domains. This is already reported to GOS developers and marked as upstream Android bug (not GOS bug).
Does this mean that there is no benefit to turning off Wifi Calling since the phone will attempt to connect either way?
roddyd
No, if WiFi calling is off, the actual calling won't happen, but phone will continue to try to query WiFi calling domains over WiFi. Querying domains isn't the same as connecting to queried domains. Your phone will keep making queries for WiFi calling domains over WiFi, but it won't be doing any calling and won't be connecting to the WiFi domains it queries. The problem is that the querying itself needlessly provides information (domain names) about your carrier to the network.
Another disturbing article around WiFi calling - https://www.egr.msu.edu/~mizhang/papers/2018_CNS_WiFiCalling.pdf
OpenSource-Ghost Do you think it would be better to use mobile data or WiFi Calling in terms of overall privacy and security? On one hand the mobile network can determine your location, but on the other hand Wifi calling gives the carrier your IP and it gives the network your carrier brand. If you have to get calls and texts somehow, which do you choose?
Yes, that's what I meant, but I was incorrect and forgot about the other stuff, like hotspot traffic, necessary pre-VPN connection traffic, and probably others I can't think of right now.
Until OpenSource-Ghost shared what they know, I figured wifi calling would be tunneled through the user's VPN, but I was wrong. So, I did a search on Matrix and one of the devs said that wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.
You mentioned that it's possible to block this with pihole. How would one figure out what domain to block on their pihole?
OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider be able to see my mobile phone network?
Or will my mobile network now be able to see my WiFi network?
Each carrier has its own and viewing Pi Hole log should make it obvious. Usually, domain either includes carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-Hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if WiFi password is known). If attacker knows your IMSI + carrier WiFi calling domains + manages to crack WiFi password, then attacker can impersonate you.
If WiFi calling is disabled, WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.
I prefer to disable WiFi calling and use WiFi only when in Airplane mode IF router for that WiFi network does not use VPN. If router has VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using carrier cellular connection for unencrypted phone calls and SMS.
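An added example, not part of the original posts: one way to pick the WiFi calling lookups out of a Pi-hole log, as described in the reply above, and see which MNC and MCC they expose. It assumes the dnsmasq query-line format Pi-hole writes to its log and the 3GPP-standard ePDG name `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org`; carrier-branded names are not covered, and the log lines and codes are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# dnsmasq query line as written to the Pi-hole log (assumed format).
QUERY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
# 3GPP-style ePDG name: the carrier's MNC and MCC are embedded in it.
EPDG = re.compile(r"^epdg\.epc\.mnc(\d{3})\.mcc(\d{3})\.pub\.3gppnetwork\.org\.?$", re.I)

def find_epdg_queries(lines):
    """Return {(client, domain): {mnc, mcc, count, interval_s}} for ePDG lookups."""
    seen = defaultdict(list)
    for line in lines:
        m = QUERY.match(line.strip())
        if not m:
            continue
        stamp, domain, client = m.groups()
        if EPDG.match(domain):
            # Syslog timestamps carry no year; pin one so parsing is unambiguous.
            when = datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")
            seen[(client, domain.lower().rstrip("."))].append(when)
    report = {}
    for (client, domain), times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mnc, mcc = EPDG.match(domain).groups()
        report[(client, domain)] = {
            "mnc": mnc, "mcc": mcc, "count": len(times),
            # Median gap between lookups; None when only one was seen.
            "interval_s": median(gaps) if gaps else None,
        }
    return report

# Constructed sample log; mnc001/mcc001 are placeholder codes, not a real carrier's.
SAMPLE_LOG = """\
Mar  3 10:15:01 dnsmasq[812]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.23
Mar  3 10:15:09 dnsmasq[812]: query[A] example.org from 192.168.1.40
Mar  3 10:15:31 dnsmasq[812]: query[AAAA] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.23
Mar  3 10:16:01 dnsmasq[812]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.23
Mar  3 10:16:31 dnsmasq[812]: query[A] epdg.epc.mnc001.mcc001.pub.3gppnetwork.org from 192.168.1.23
""".splitlines()

if __name__ == "__main__":
    for (client, domain), info in find_epdg_queries(SAMPLE_LOG).items():
        print(f"{client} -> {domain}  MCC={info['mcc']} MNC={info['mnc']} "
              f"x{info['count']} every {info['interval_s']}s (median)")
```

The domains it reports are the candidates for the Pi-hole blocklist; the regular interval is what makes them stand out from ordinary browsing traffic.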
That's not entirely true... If router itself uses OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Because that is the case, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps, it can very much be tunneled.
I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. Domain name itself reveals MNC and MCC numbers for your carrier.
Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.
Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.
OpenSource-Ghost I think it would be overly complicated and require major code re-write, but you would be better off asking developers themselves, even though they'd likely respond with something like "out-of-scope".
Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.
OpenSource-Ghost I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled.
Good news is that's already on the issue tracker, so hopefully it will happen soon.
https://github.com/GrapheneOS/os-issue-tracker/issues/873
https://github.com/GrapheneOS/os-issue-tracker/issues/874
@OpenSource-Ghost Not clear why you're making unsubstantiated claims about what we consider in the scope of the project or not especially when we have already filed planned features about adding more toggles and potentially disabling the feature by default which has been worked on already.
roddyd It's not a bug but rather is how Wi-Fi calling works, which is one reason why we're working on adding more toggles and potentially disabling it by default. If people want it to progress faster they should contribute.
The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use data plan to also have them be tunneled through VPN. Maybe I was wrong, but I thought either of the 2 features mentioned above would require major Android code re-write and would be out-of-scope for GrapheneOS...