WIFI Calling - How secure is it?

Wouldn’t this be more secure than hoping you are connected to a legitimate tower instead of a stingray, IMSI catcher or the like?

I think most phones can turn off cellular and turn on WIFI. You do need the wifi calling though to use it. It allows calls and texts both ways. It works fine for some of the big carriers with the popular device brands.

Hopefully the L5 or L6 can get this soon.

…and some MVNOs on those big carriers’ networks.

VoWiFi is basically SIP (a widely used VoIP standard) inside of IPSec (a type of VPN, and also a common standard). But I am unsure about the authentication bits, which is why we probably cannot just run SIP over IPSec ourselves. Like all cryptography, everything has to be implemented correctly in order for it to be secure. Also, once the IPSec terminates, presumably safely inside of the carrier’s network (it is not end-to-end encryption), the call can be tapped. In order for a compromised network to decode the traffic, it would need the IPSec secrets, and I am unsure about that part. I think that part of it is kept on the SIM card.

Thanks for the detail. I guess what I mean is when compared to cellular calls. If you do wifi calling with VPN on, it may be secure up to the cell provider endpoint hub where it needs to be decrypted. I am using my imagination here but I think with VPNs that means the end point in the nearest city where your VPN endpoint is.

I think that the WiFi call’s IPSec VPN with credentials from your SIM card makes it about as secure as cellular, which depending on who you are protecting yourself from, may be adequate or not. Adding another VPN may or may not help. It protects you from stuff happening near the WiFi access point and further out, but at some point, that VPN ends and sends out the normal IPSec-protected WiFi call onto the Internet. Ideally, the distance between where your VPN ends and where the cell provider receives your WiFi call should be small; otherwise, your traffic is more likely to be picked up by someone else. For example, your VPN should be in the same country that your cell provider’s equipment is in. Again, it depends on who you are trying to avoid.

… which is a difference if comparing WiFi calling with regular mobile phone use (where the call never hits the internet).

Even though the crypto should be good enough, with or without a VPN, to keep the call contents secret from the internet … you surely expose the duration of the call to a random internet interceptor i.e. traffic analysis will be possible, and without a VPN there will be more places in the internet where that could occur. So watch out for leaking metadata.

As you say: