OpenSource-Ghost thanks for the helpful info. So if I now turn off WiFi calling, will my WiFi provider be able to see my mobile phone network?
Or will my mobile network now be able to see my WiFi network?

    spiral

    Each carrier has its own, and viewing the Pi-hole log should make it obvious. Usually, the domain either includes the carrier name, like T-Mobile...Store...something-something, or it includes ePDG...MNC...MCC. It should be easy to find, and it would show up every 15 or 30 or 60 seconds. Even if blocked in Pi-hole, an attacker would know that your phone is trying to resolve a WiFi calling domain every 15 or 30 or 60 seconds and use that for WiFi password cracking or interception (if the WiFi password is known). If the attacker knows your IMSI + carrier WiFi calling domains + manages to crack the WiFi password, then the attacker can impersonate you.

    L8437

    If WiFi calling is disabled, the WiFi network provider would know that someone with a phone that uses whichever carrier WiFi calling domains (+ your carrier's MNC and MCC numbers) is using the network, but your carrier wouldn't receive any information.

    roddyd

    I prefer to disable WiFi calling and use WiFi only when in Airplane mode IF the router for that WiFi network does not use a VPN. If the router has a VPN (OpenVPN or WireGuard) installed, then WiFi calling is more secure. Otherwise I reduce attack surface by using the carrier cellular connection for unencrypted phone calls and SMS.

    unwat

    That's not entirely true... If the router itself uses an OpenVPN or WireGuard VPN to connect all clients, then WiFi calling does go through those OpenVPN or WireGuard tunnels. Given that, the issue is that Android simply isn't designed to tunnel WiFi calling through installed VPN apps; it very much can be tunneled.

    I'd be happy if GrapheneOS developers at least stop WiFi calling domain resolution attempts over WiFi when WiFi calling is disabled. Domain name itself reveals MNC and MCC numbers for your carrier.
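    The two posts above (spiral's note that the ePDG lookups show up in the Pi-hole log on a fixed cadence, and unwat's point that the name itself carries the carrier's MNC and MCC) can be checked on your own log. The script below is an added example, not code from this thread or from the GrapheneOS project. It assumes the 3GPP-style ePDG name shape `epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org` (the thread only says "ePDG...MNC...MCC"; carrier-branded names like the "T-Mobile...Store..." form are not matched) and the dnsmasq `query[TYPE] name from client` line format that Pi-hole writes. The log lines in `SAMPLE_LOG` are constructed for illustration, and the MCC/MNC digits and client addresses in them are arbitrary. Only `query[...]` lines are counted, so a name that Pi-hole later reports as blocked still shows up: the phone asked, which is the leak spiral describes.

```python
"""Spot Wi-Fi calling (ePDG) lookups in a Pi-hole / dnsmasq query log.

Added example, not code from the thread or from the GrapheneOS project.
Assumes the 3GPP ePDG FQDN shape epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org
and the dnsmasq "query[TYPE] name from client" log format. SAMPLE_LOG is
constructed; the carrier codes and client addresses in it are arbitrary.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of what /var/log/pihole.log (dnsmasq format) might show.
SAMPLE_LOG = """\
Mar  3 12:00:00 dnsmasq[812]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:00:00 dnsmasq[812]: forwarded epdg.epc.mnc260.mcc310.pub.3gppnetwork.org to 9.9.9.9
Mar  3 12:00:07 dnsmasq[812]: query[A] example.org from 192.168.1.23
Mar  3 12:00:30 dnsmasq[812]: query[AAAA] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:00:30 dnsmasq[812]: gravity blocked epdg.epc.mnc260.mcc310.pub.3gppnetwork.org is 0.0.0.0
Mar  3 12:01:00 dnsmasq[812]: query[A] epdg.epc.mnc260.mcc310.pub.3gppnetwork.org from 192.168.1.50
Mar  3 12:01:15 dnsmasq[812]: query[A] epdg.epc.mnc001.mcc262.pub.3gppnetwork.org from 192.168.1.77
"""

# dnsmasq query line: "<Mon> <day> <HH:MM:SS> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)$"
)
# Assumed 3GPP-style ePDG name; MNC and MCC are each three digits (MNC zero-padded).
EPDG_RE = re.compile(
    r"^epdg\.epc\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.pub\.3gppnetwork\.org$", re.I
)


def parse_epdg_queries(log_text):
    """Return [(timestamp, client, qname, mcc, mnc)] for every ePDG query line.

    Blocked or forwarded status lines are ignored on purpose: the query line
    alone proves the phone tried to resolve the carrier's ePDG name.
    """
    hits = []
    for line in log_text.splitlines():
        q = QUERY_RE.match(line)
        if not q:
            continue
        e = EPDG_RE.match(q["qname"])
        if not e:
            continue
        # dnsmasq omits the year; a fixed one is fine for interval arithmetic.
        ts = datetime.strptime("1900 " + " ".join(q["ts"].split()), "%Y %b %d %H:%M:%S")
        hits.append((ts, q["client"], q["qname"].lower(), e["mcc"], e["mnc"]))
    return hits


def summarize_clients(hits):
    """Group ePDG lookups per client: carrier codes, names seen, count, polling interval."""
    by_client = defaultdict(list)
    for ts, client, qname, mcc, mnc in hits:
        by_client[client].append((ts, qname, mcc, mnc))
    report = {}
    for client, rows in by_client.items():
        rows.sort()
        times = [r[0] for r in rows]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[client] = {
            "mcc": rows[0][2],
            "mnc": rows[0][3],
            "qnames": sorted({r[1] for r in rows}),
            "count": len(rows),
            # Median gap between lookups; None if the client asked only once.
            "interval_s": statistics.median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for client, info in summarize_clients(parse_epdg_queries(SAMPLE_LOG)).items():
        print(f"{client}: MCC {info['mcc']} MNC {info['mnc']} "
              f"x{info['count']} every ~{info['interval_s']}s -> {info['qnames']}")
```

    Run it against a real log with `python3 epdg_check.py < /var/log/pihole.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; any client that shows up with a steady interval is a handset whose carrier (from the MCC/MNC) is now known to whoever runs or watches the DNS resolver, whether or not the lookup was blocked.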

      OpenSource-Ghost

      Right. I was talking about VPNs on Android. If a router is set up to tunnel all traffic through a VPN, then it would be impossible for any device on that network to skip the VPN and connect directly.

      Maybe saying "user" and "telecom" traffic was what made what I said confusing. App traffic within a user profile goes through a VPN set up on the profile. Clearly wifi calling is a system thing, not a user thing.

        OpenSource-Ghost I think it would be overly complicated and require a major code rewrite, but you would be better off asking the developers themselves, even though they'd likely respond with something like "out-of-scope".

        Why would they call this out of scope? It seems like this would be important to the goals of the project since it's leaking sensitive info.

        @OpenSource-Ghost Not clear why you're making unsubstantiated claims about what we consider in the scope of the project or not especially when we have already filed planned features about adding more toggles and potentially disabling the feature by default which has been worked on already.

          roddyd It's not a bug but rather is how Wi-Fi calling works, which is one reason why we're working on adding more toggles and potentially disabling it by default. If people want it to progress faster they should contribute.

          GrapheneOS

          The "out-of-scope" reference was in regard to forcing WiFi calling through user-installed VPN app tunnels like WireGuard or OpenVPN and/or forcing all cellular calls to use the data plan so they are also tunneled through the VPN. Maybe I was wrong, but I thought either of the 2 features mentioned above would require a major Android code rewrite and would be out of scope for GrapheneOS...

          unwat Clearly wifi calling is a system thing, not a user thing.

          As stated, this makes the surprising behaviour quite clear. Thanks.

          There's a ton of recommendations here about disabling network access to apps to gain privacy.

          GrapheneOS is already modifying system level components. It would be ideal if they optionally allowed routing to be configured so ALL traffic had to go via the user VPN component (or firewall/adblocker). This would ensure there are no unforeseen leaks for those who care.

            ve3jlg

            I found it helpful to think of it like traditional networking.

            There is no Layer 3/4 firewall. You cannot block/allow by IP or TCP/UDP port.
            But there is Layer 2 port security. Users can entirely disable/enable networking for individual apps. Like controlling physical ports on a 48 port switch, where every app gets a port.
            The user has control over the "user switch", but there is also a core switch upstream that users cannot control. Telecom services such as tethered devices and wifi calling use this backend network equipment.

              Graphite This is an interesting analogy.

              But if I were to extend it, I'd say the current situation is sort of like a managed ethernet switch requiring access to someone else's computer to configure traffic management, i.e. VLANs, or not even going that far, pinging home.

              Hmm. Actually it is worse than that I think. If an ethernet switch on my LAN is snitchy I can easily block its outbound traffic at L2 or L3. Because my phone is on someone else's cellular network some of the time I cannot block that traffic except in the phone's network stack or at the other end of a VPN I control.

              Gee, are you saying that tethered devices also do not get routed via an on-phone VPN?

                ve3jlg are you saying that tethered devices also do not get routed via an on-phone VPN?

                Yes. It's a feature I really want. But carriers fought that fight and won a long time ago. They wanted people to pay extra for every Mbyte of tethered data, as if tethering was a feature offered by the carrier.

                  Graphite I've always wondered why tethering didn't go through a VPN. So it was a feature purposely made separate due to the billing?
                  See, I used to try turning on the hotspot and the network would see it as tethering. So I used to put the SIM card in a WiFi router, and then it thought it was a phone.

                  It would be so good to have all traffic go through a VPN

                  unwat

                  wifi calling isn't "user" traffic, but rather is "telecom" traffic, so it doesn't go through the user VPN tunnel. Makes sense when you think about it, even if we don't like it.

                  When I first saw this thread I didn't like it either, but having thought about it some since then, in some scenarios I realized I would actually prefer this behavior to having Wi-Fi calling routed over VPN. (In some other specific scenarios, I of course don't like it at all.)

                  Above some reasonable baseline level of security and privacy, one of the more easily-definable portions of my threat model relates to ad tech and behavioral fingerprinting for the purposes of building consumer profiles which are sold, traded, and otherwise monetized with little regard to personal privacy.

                  If my carrier already knows my phone is at [store] in [city x] on [date] I don't particularly care that they additionally know I have a Wi-Fi connection at [store] with no cell signal in [city x]. But I would be particularly troubled if I'm researching, for example, medical products over VPN while standing in that store, and a clearinghouse can later associate my search queries with carrier IP logs, which is what could (and eventually certainly would) happen if Wi-Fi calling activity was piped over the same profile's VPN interface.

                  If there was a privacy-respecting carrier I would happily switch, but the practical options are all similar degrees of terrible in that regard, so by using their service I'm already conceding some ground which doesn't get much worse by having Wi-Fi calling route out directly, except in some specific scenarios I will outline at the end.

                  What would bother me far more is if unavoidable carrier activity (e.g., Wi-Fi calling network checks) was routed over VPN against my will, at which point my carrier is free to sell my VPN IP address (and all related activity which they are able to scrape) to people wanting to integrate it into their consumer profiling.

                  This is why I have some still-unanswered questions surrounding what apps in a given profile can see about the network interfaces of the device (within the same profile or outside), and whether private IPs are available to be logged by apps, because if they are, then any network-connected app potentially seriously undermines a threat model that makes a strong attempt to sidestep much of the ad tech hellscape in which we find ourselves.

                  It's not difficult to imagine scenarios in which routing it over anything but the active connection for the profile could be disastrous (think: journalists/activists taking a meeting in the headquarters of an organization to which the host government is hostile, and needing to use Wi-Fi during the meeting), but that threat model is less likely to present an issue to most. Even for those same people, reconstructing web logs with IP logs would pose its own kind of threat. Ideally we would have the option of selecting whether or not carrier functionality happens over the cellular connection, VPN connection, or not at all, as there are legitimate reasons to prefer or avoid any one of them.

                  8 months later

                  Has this security issue been addressed? I'm new here, new to GOS, have searched through many threads for an update but haven't found one. Not certain that I understand this situation completely, or if it's an issue still, but it sounds like the statements from the FAQ, "Enabling airplane mode disables the cellular radio, but Wi-Fi can be re-enabled and used without activating the cellular radio again. This allows using the device as a Wi-Fi only device" and "Airplane mode is the only way to avoid the cellular network tracking your device and works correctly on the devices we support", are not the exciting way to get around carrier privacy violations that I was hoping they would be? Am I understanding it right that WiFi is no more private as a form of calling and messaging than connecting through a cellular carrier?

                  Additionally, this is a long post, and much has been said, but I think I remember someone saying something about a privacy-centric cellular carrier. The MVNO that Librem owns, Librem AweSIM and SimpleSIM, claims to function as such, but I wonder, do the providers of their service have access to the data that Librem claims not to collect, store and share? Given the way that data travels, is it even possible to be a privacy-centric carrier?

                  Also, what about running an app like InviZible Pro with Orbot and Purple I2P that claims to hide your IP among other things? Would that compensate for the problem of information leaked via the way info doesn't flow through the VPN?