Where Convenience and Vulnerability Collide
Moving up the stack from the core network infrastructure, the applications and services that users interact with directly present their own distinct set of vulnerabilities. While technologies like Voice-over-LTE (VoLTE) and Voice-over-Wi-Fi (VoWiFi) offer enhanced quality and convenience, their implementation can introduce serious security flaws.
Simultaneously, the consumer-grade "secure" messaging apps that have become ubiquitous create a paradoxical situation where the promise of end-to-end encryption masks significant risks in other parts of their ecosystem. Finally, the human element remains a critical weak point, which is increasingly exploited through sophisticated social engineering attacks, such as smishing and SIM swapping.
The Unseen Risks of Voice-over-Wi-Fi (VoWiFi) and VoLTE
VoLTE and VoWiFi represent a shift from traditional circuit-switched voice to packet-switched calling over IP networks. This transition, however, has introduced new application-layer attack surfaces.
VoLTE Vulnerabilities: Although VoLTE runs over licensed cellular spectrum, flaws in its implementation can cause severe privacy breaches. A vulnerability disclosed in 2025 in O2's UK network showed how verbose, improperly sanitized signaling messages can be abused. During ordinary VoLTE call setup, the SIP (Session Initiation Protocol) headers delivered to the handset carried the IMSI, IMEI, and serving-cell identifiers of both the caller and the recipient in cleartext; cell identifiers map directly to a physical location. Any O2 customer with a rooted handset and freely available diagnostic tooling could therefore obtain the cell-level, real-time location of any other O2 customer simply by placing a call to them, even when the target was roaming abroad. The security point is that the network, not the handset, was leaking these identifiers, so no amount of client-side hardening would have helped the victim.
Beyond data leakage, vulnerabilities have also been found in the VoLTE stacks of device modems, such as a memory corruption flaw in certain Qualcomm components that could be triggered during a call, leading to a potential denial of service.
VoWiFi Vulnerabilities: VoWiFi extends voice services over any Wi-Fi network, which is both its primary benefit and its greatest weakness. When a user connects to an untrusted public Wi-Fi hotspot, their calls are exposed to local network attacks.
Man-in-the-Middle (MitM) Attacks: An attacker on the same Wi-Fi network can use Address Resolution Protocol (ARP) spoofing to position themselves between the user's device and the Wi-Fi router. Because VoWiFi signaling and media are carried inside an IPsec tunnel to the operator's gateway, an attacker in this position cannot normally read the call, but they do control its delivery: they can intercept, delay, or drop voice and signaling packets, causing call degradation, dropped calls, or complete call failure. The same on-path position is also the starting point for the key-exchange downgrade attacks described below.
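The ARP-spoofing step is detectable from the frames alone. The following is an added example, not code from the original page or from any vendor: it parses raw Ethernet/ARP frames and pins the first MAC address seen for each IP, flagging any reply that rebinds an IP, with the default gateway rated highest because that is the MitM position. The frames, addresses and the alert policy are constructed assumptions for the demonstration.

```python
"""Detecting the ARP-spoofing step of a Wi-Fi MitM from raw frames.

Added example, not code from the original page. The frames below are constructed
inline with private/documentation addresses, and ArpMonitor's alert policy is an
assumption: the first IP-to-MAC binding seen is pinned and any later reply that
changes it is flagged.
"""
import socket
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

ArpFrame = namedtuple("ArpFrame", "oper sender_mac sender_ip target_mac target_ip")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header (dst, src, type) followed by a 28-byte IPv4-over-Ethernet ARP body."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return an ArpFrame for an Ethernet/ARP frame, or None if the frame is not ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet ARP is handled here")
    return ArpFrame(oper,
                    mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
                    mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


class ArpMonitor:
    """Pins the first MAC seen for each IP; a reply that rebinds an IP is a spoofing indicator.
    Rebinding the default gateway is rated HIGH because that is the MitM position."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings = {}      # ip -> mac learned from ARP replies
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp.oper != ARP_REPLY:
            return None
        known = self.bindings.setdefault(arp.sender_ip, arp.sender_mac)
        if known == arp.sender_mac:
            return None
        severity = "HIGH" if arp.sender_ip == self.gateway_ip else "MEDIUM"
        alert = (f"{severity}: {arp.sender_ip} rebound from {known} to {arp.sender_mac} "
                 f"(possible ARP spoofing)")
        self.alerts.append(alert)
        return alert


def run_demo():
    """Constructed capture: two benign replies, a repeat, then the attacker claims both sides."""
    gw_ip, victim_ip = "192.168.1.1", "192.168.1.20"
    gw_mac, victim_mac, attacker_mac = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:20", "de:ad:be:ef:00:66"
    frames = [
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # gateway answers victim
        build_arp(ARP_REPLY, victim_mac, victim_ip, gw_mac, gw_ip),        # victim answers gateway
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # same binding: no alert
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # poisons victim's cache
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gw_mac, gw_ip),      # poisons gateway's cache
    ]
    monitor = ArpMonitor(gateway_ip=gw_ip)
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real network the frames would come from a raw socket or a pcap rather than the constructed list; the parsing and pinning logic is the same. Note that this detects the attacker taking the on-path position, which is what matters for VoWiFi: the IPsec tunnel keeps the attacker from reading the call, but nothing stops them from dropping it.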
Weak Encryption and Key Management: VoWiFi traffic is supposed to be protected by an IPsec tunnel between the handset and the operator's gateway, so the security of a call rests on how that tunnel's keys are negotiated. Research published in 2024 uncovered critical weaknesses in that negotiation, caused by poor implementation choices by both network equipment vendors and device manufacturers. Researchers found that at least 13 mobile operators using core network equipment from ZTE were using the same static, non-random Diffie-Hellman private key for the VoWiFi key exchange, affecting more than 140 million customers worldwide. A Diffie-Hellman private key is meant to be generated fresh for every session; reusing one fixed value means that anyone in possession of it, including the manufacturer, the operators, and potentially state security agencies, can recompute the session key from the public values exchanged on the wire and decrypt recorded VoWiFi traffic at will. Concurrently, a flaw was found in many new 5G devices using MediaTek chipsets that let an active attacker force the key exchange down to the weakest parameters the device still accepted, making eavesdropping trivial.
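Both failure modes are easiest to see in code. What follows is an added example, not the researchers' or any vendor's code: it models the key exchange that sets up the IPsec tunnel as a plain finite-field Diffie-Hellman exchange over the standard IKE MODP groups, shows that a holder of a reused private key recovers every session key from the public values alone, and then models the downgrade, where an on-path attacker strips the strong group from the handset's proposal, beside the hardened policy that refuses to complete a tunnel below a minimum modulus size. The key derivation (derive_key), the negotiation model (negotiate), and STATIC_EPDG_PRIV are simplifying assumptions, not IKEv2 as specified.

```python
"""Why a static IKE Diffie-Hellman key and a downgraded DH group break the VoWiFi tunnel.

Added example, not the researchers' or any vendor's code. The IKEv2 key exchange is
modelled as plain finite-field Diffie-Hellman; derive_key, negotiate and the
STATIC_EPDG_PRIV value are simplifying assumptions made for this demonstration.
"""
import hashlib
import secrets

# MODP groups used by IKE: group 1 (768-bit) from RFC 2409, group 14 (2048-bit)
# from RFC 3526. Generator is 2 for both. Primes transcribed from the RFCs.
MODP_GROUPS = {
    1: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16),
    14: int(
        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16),
}
GENERATOR = 2

# Models a vendor shipping one hard-coded private key in every gateway (constructed value).
STATIC_EPDG_PRIV = int.from_bytes(hashlib.sha256(b"hard-coded in firmware").digest(), "big")


def dh_public(group, priv):
    return pow(GENERATOR, priv, MODP_GROUPS[group])


def dh_shared(group, priv, peer_pub):
    return pow(peer_pub, priv, MODP_GROUPS[group])


def derive_key(shared):
    """Stand-in for IKEv2's SKEYSEED/prf+ (assumption: SHA-256 of g^xy is enough for the demo)."""
    return hashlib.sha256(shared.to_bytes((shared.bit_length() + 7) // 8, "big")).hexdigest()


def fresh_private(group):
    return secrets.randbelow(MODP_GROUPS[group] - 2) + 1


def run_sessions(group, n, epdg_static_priv=None):
    """n handsets each set up a tunnel with the operator's gateway (ePDG).

    Returns, per session, what a passive eavesdropper on the Wi-Fi sees (both public
    values) plus the key the two legitimate parties derived. With epdg_static_priv set,
    the gateway reuses that one private key instead of drawing a fresh one."""
    transcripts = []
    for _ in range(n):
        ue_priv = fresh_private(group)
        epdg_priv = fresh_private(group) if epdg_static_priv is None else epdg_static_priv
        ue_pub, epdg_pub = dh_public(group, ue_priv), dh_public(group, epdg_priv)
        key = derive_key(dh_shared(group, ue_priv, epdg_pub))
        assert key == derive_key(dh_shared(group, epdg_priv, ue_pub))  # both sides agree
        transcripts.append((ue_pub, epdg_pub, key))
    return transcripts


def recover_keys(group, leaked_priv, transcripts):
    """Holder of the leaked static key recomputes every session key from public values alone."""
    return [derive_key(dh_shared(group, leaked_priv, ue_pub)) for ue_pub, _, _ in transcripts]


def negotiate(ue_proposal, epdg_preference, attacker_strips=()):
    """Simplified group selection: an on-path attacker deletes the strong groups from the
    handset's proposal and the responder picks the first surviving group it prefers."""
    surviving = [g for g in ue_proposal if g not in attacker_strips]
    for g in epdg_preference:
        if g in surviving:
            return g
    raise ValueError("no mutually acceptable DH group; fail closed")


MIN_MODULUS_BITS = 2048


def accept_selected_group(selected, minimum_bits=MIN_MODULUS_BITS):
    """Hardened handset policy: never complete a tunnel over a group below the floor,
    whatever was offered or selected on the wire."""
    bits = MODP_GROUPS[selected].bit_length()
    if bits < minimum_bits:
        raise ValueError(f"refusing DH group {selected}: {bits}-bit modulus below {minimum_bits}-bit floor")
    return selected


if __name__ == "__main__":
    flawed = run_sessions(14, 3, epdg_static_priv=STATIC_EPDG_PRIV)
    recovered = recover_keys(14, STATIC_EPDG_PRIV, flawed)
    print("static gateway key: eavesdropper recovers every session key:",
          recovered == [k for _, _, k in flawed])
    print("attacker-stripped proposal lands on group", negotiate([14, 1], [14, 1], attacker_strips=(14,)))
```

Two things worth noticing in the static-key case: the gateway's public value is identical in every session, so the flaw is fingerprintable from the outside without any key material, and decryption is fully passive, so it works on traffic recorded long before the key leaked. In the downgrade case, the decisive control is on the handset: if group 1 is never offered and accept_selected_group is enforced, the attacker's stripping makes the exchange fail closed instead of landing on a 768-bit modulus.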
The "Secure" Messaging App Paradox
Beyond End-to-End Encryption
End-to-end encryption (E2EE) has been marketed to consumers as the ultimate guarantee of privacy. Apps such as WhatsApp and Signal are built around it, and Telegram offers it in its optional Secret Chats, so that only the sender and intended recipient can read a message's content. However, this narrow focus on content encryption creates a dangerous false sense of security, because it ignores the large attack surface that exists around the encrypted message itself.
A truly secure communication system must protect not just the message content but the entire ecosystem. Consumer-grade E2EE apps fail on several critical fronts:
Pervasive Metadata Leakage: While the message "what" is encrypted, the "who, when, where, and how" are not. These apps generate a trove of highly revealing metadata, including the phone numbers of participants, IP addresses (which reveal location), message timestamps and frequency, and group membership information. This metadata can be as sensitive as the message content, allowing for detailed profiling, social network mapping, and surveillance without ever breaking the encryption.
For example, WhatsApp's collection of metadata is used by its parent company, Meta, for targeted advertising [45]. The risk is not just theoretical: a massive Telegram data leak in 2024 exposed the metadata of millions of users, putting them at risk of phishing and identity theft.
Unencrypted Cloud Backups: This is perhaps the most significant and most commonly misunderstood weakness. Users are encouraged to back up their chat history to third-party cloud services such as Google Drive or Apple's iCloud, but those backups are not covered by the app's end-to-end encryption unless the user explicitly enables an end-to-end encrypted backup option where the app offers one (WhatsApp added such an option in 2021, off by default). If an attacker gains access to a user's Google or Apple account, a far more common event than breaking strong cryptography, they obtain the user's entire message history in the clear. This single weak link undermines the whole promise of E2EE, which is why anyone assessing a deployment should check the backup setting before looking at the messaging protocol itself.
Centralized Architecture Risks: Because decentralized designs bring their own drawbacks (slower message delivery, harder call establishment, and so on), consumer messaging apps rely on a small set of well-known centralized servers to route messages and manage services. This creates a single point of failure: those servers can be targeted by attackers, be subject to lawful interception orders from governments, or contain vulnerabilities that allow service disruption.
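To make the metadata point above concrete, the following added example (not code from any messaging provider) runs simple traffic analysis over a constructed server-side log in which every payload is opaque ciphertext. Using only sender, recipient, timestamp and source IP, it reconstructs a user's strongest contacts, group memberships and co-members, working hours, usual networks, and the moments when two people were demonstrably in a live conversation. The phone numbers, group id, IP addresses, and the NETWORK_HINTS lookup standing in for IP geolocation are all constructed for the demonstration.

```python
"""Traffic analysis on messaging metadata with the payloads still encrypted.

Added example, not code from any messaging provider. EVENTS is a constructed
server-side log (fictional phone numbers, TEST-NET IPs); NETWORK_HINTS is a
constructed lookup table standing in for IP geolocation. The ciphertext field
is never inspected by any function below.
"""
import os
from collections import Counter, defaultdict
from datetime import datetime, timezone


def _ciphertext(n):
    return os.urandom(n)          # opaque to the server and to this analysis

A, B, C, D = "+15550100001", "+15550100002", "+15550100003", "+15550100004"
TEAM = "grp:9f3a"                 # group chats are addressed by an opaque id

# (utc timestamp, sender, recipient, ciphertext, sender's source IP) -- constructed
EVENTS = [
    ("2024-03-04T08:02:11Z", A, B, _ciphertext(128), "203.0.113.7"),
    ("2024-03-04T08:03:40Z", B, A, _ciphertext(96),  "198.51.100.21"),
    ("2024-03-04T08:10:05Z", A, B, _ciphertext(256), "203.0.113.7"),
    ("2024-03-04T12:30:00Z", A, TEAM, _ciphertext(512), "203.0.113.7"),
    ("2024-03-04T12:31:15Z", C, TEAM, _ciphertext(64),  "203.0.113.9"),
    ("2024-03-04T12:35:48Z", D, TEAM, _ciphertext(80),  "198.51.100.77"),
    ("2024-03-04T22:15:02Z", A, C, _ciphertext(144), "198.51.100.4"),
    ("2024-03-04T22:16:30Z", C, A, _ciphertext(112), "198.51.100.90"),
    ("2024-03-05T08:20:19Z", A, B, _ciphertext(200), "203.0.113.7"),
    ("2024-03-05T23:05:00Z", D, B, _ciphertext(64),  "198.51.100.77"),
]

NETWORK_HINTS = {                 # constructed stand-in for an IP geolocation database
    "203.0.113.": "office network (constructed)",
    "198.51.100.": "residential ISP (constructed)",
}


def locate(ip):
    for prefix, label in NETWORK_HINTS.items():
        if ip.startswith(prefix):
            return label
    return "unknown"


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def profile(events, subject):
    """What the server (or whoever obtains its logs) learns about `subject` from routing data alone."""
    direct, hours, networks = Counter(), Counter(), Counter()
    group_senders = defaultdict(set)
    for ts, sender, recipient, _ct, ip in events:
        if recipient.startswith("grp:"):
            group_senders[recipient].add(sender)
        if sender == subject:
            hours[parse_ts(ts).hour] += 1
            networks[locate(ip)] += 1
            if not recipient.startswith("grp:"):
                direct[recipient] += 1
        elif recipient == subject:
            direct[sender] += 1
    groups = sorted(g for g, members in group_senders.items() if subject in members)
    co_members = set()
    for g in groups:
        co_members |= group_senders[g]
    co_members.discard(subject)
    return {
        "direct_contacts": direct.most_common(),   # strongest ties first
        "groups": groups,
        "group_co_members": sorted(co_members),
        "peak_hour_utc": hours.most_common(1)[0][0] if hours else None,
        "usual_networks": networks.most_common(),
    }


def live_conversations(events, a, b, max_gap_s=300):
    """Count consecutive messages between a and b within max_gap_s of each other:
    timing alone shows when the two were actively talking."""
    times = sorted(parse_ts(ts) for ts, s, r, _ct, _ip in events if {s, r} == {a, b})
    return sum(1 for t0, t1 in zip(times, times[1:]) if (t1 - t0).total_seconds() <= max_gap_s)


if __name__ == "__main__":
    for k, v in profile(EVENTS, A).items():
        print(f"{k}: {v}")
    print("live exchanges A<->B:", live_conversations(EVENTS, A, B))
```

Nothing in this analysis touches the encrypted payloads, and every field it uses is one the page lists as routinely retained. Scaling it from ten events to a provider's full log is a matter of volume, not technique, which is the sense in which metadata can be as sensitive as content.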
Beyond technical exploits of networks and applications, attackers continue to find immense success by targeting the weakest link in any security chain: people. These socio-technical attacks exploit human psychology and flawed administrative processes.
Smishing (SMS Phishing): This is a form of phishing that uses text messages as its delivery vector. It is highly effective because users tend to place more trust and urgency on SMS compared to email. Attackers craft messages that impersonate trusted entities—banks, government agencies, delivery services, or even the target's colleagues—and create a false sense of urgency to manipulate the victim into action. The goal is to trick the user into clicking a malicious link, which leads to a credential-harvesting website, or to download and install malware directly onto their device.
SIM Swapping (SIM Hijacking): This attack bypasses the user's device entirely and targets the administrative procedures of mobile carriers. A fraudster first gathers personal information about the target from data breaches, public social media profiles, or phishing. Armed with this data, the attacker contacts the victim's mobile provider and, through social engineering, convinces a customer service representative to transfer the victim's phone number to a new SIM card under the attacker's control [50]. Once the swap completes, the attacker receives all of the victim's incoming calls and text messages. The usual goal is to intercept SMS-based 2FA codes, which lets the attacker reset passwords and take over sensitive online accounts; the practical defence is to move such accounts to app-based or hardware authenticators and to set an account or port-out PIN with the carrier. Real-world cases have demonstrated the devastating financial impact, including one instance where an attacker liquidated a victim's stock portfolio worth over $160,000.