VWAttacker: A Systematic Security Testing Framework for Voice over WiFi User Equipments

📅 2025-08-02
🤖 AI Summary
This work addresses critical security vulnerabilities in VoWiFi user equipment (UE) that may lead to identity leakage or insecure channel establishment. We propose the first UE-centric, systematic security testing framework. Methodologically, we construct a realistic testbed integrating large language model–driven semi-automated security property extraction (deriving 63 formal properties from 11 standards), domain-specific mutation strategies, and deterministic assertion-based detection to enable efficient, scalable adversarial testing. Our contributions include: (i) an end-to-end evaluation system; (ii) execution of 1,116 test cases across 21 commercial UEs; and (iii) discovery of 13 previously unknown vulnerabilities—including flawed key negotiation procedures and support for weak cryptographic algorithms. Multiple vulnerabilities have been confirmed and patched by respective vendors.

📝 Abstract
We present VWAttacker, the first systematic testing framework for analyzing the security of Voice over WiFi (VoWiFi) User Equipment (UE) implementations. VWAttacker includes a complete VoWiFi network testbed that communicates with Commercial-Off-The-Shelf (COTS) UEs based on a simple interface to test the behavior of diverse VoWiFi UE implementations, and uses property-guided adversarial testing to uncover security issues in different UEs systematically. To reduce manual effort in extracting and testing properties, we introduce an LLM-based, semi-automatic, and scalable approach for property extraction and testcase (TC) generation. These TCs are systematically mutated by two domain-specific transformations. Furthermore, we introduce two deterministic oracles to detect property violations automatically. Coupled with these techniques, VWAttacker extracts 63 properties from 11 specifications, evaluates 1,116 testcases, and detects 13 issues in 21 UEs. The issues range from enforcing a DH shared secret to 0 to supporting weak algorithms. These issues result in attacks that expose the victim UE's identity or establish weak channels, thus severely hampering the security of cellular networks. We responsibly disclose the findings to all the related vendors. At the time of writing, one of the vulnerabilities has been acknowledged by MediaTek with high severity.
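
The abstract lists forcing the DH shared secret to 0 among the findings. As an added example (not code from the paper or from VWAttacker), the sketch below places an unchecked derivation beside the receiver-side validation that rejects such values, assuming the zero secret comes from a peer public value congruent to 0 mod p; the toy group and all function names are constructed for illustration.

```python
import secrets

# Constructed toy group: safe prime P = 2*Q + 1, generator G of the order-Q subgroup.
# Far too small for real use; it only keeps the arithmetic readable.
P, Q, G = 2879, 1439, 4


def keypair():
    """Return (private, public) with the private exponent in [1, Q-1]."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def naive_shared(private, peer_public):
    """Unchecked derivation: whatever the peer sends is exponentiated."""
    return pow(peer_public, private, P)


def check_peer_public(y):
    """Return None if y is acceptable, otherwise the reason for rejecting it."""
    if not 2 <= y <= P - 2:
        return "degenerate value (0, 1, p-1 or out of range)"
    if pow(y, Q, P) != 1:
        return "not in the prime-order subgroup"
    return None


def checked_shared(private, peer_public):
    """Hardened derivation: validate the peer value before using it."""
    reason = check_peer_public(peer_public)
    if reason:
        raise ValueError("peer DH value rejected: " + reason)
    return pow(peer_public, private, P)


if __name__ == "__main__":
    a, A = keypair()
    b, B = keypair()
    # Honest exchange: both sides derive the same secret.
    assert checked_shared(a, B) == checked_shared(b, A)
    # Degenerate peer values: the unchecked secret no longer depends on the key.
    for bad in (0, P, 1, P - 1):
        print(bad, "unchecked secret:", naive_shared(a, bad),
              "| check:", check_peer_public(bad))
```

With the unchecked path, a peer value of 0 or P yields the secret 0 for every private key, so any keys derived from it are known to whoever supplied the value.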

Problem

Research questions and friction points this paper is trying to address.

Systematically tests VoWiFi UE implementations for security vulnerabilities
Uses LLM-based property extraction to reduce manual testing effort
Detects property violations automatically with deterministic oracles

Innovation

Methods, ideas, or system contributions that make the work stand out.

VoWiFi network testbed for COTS UEs
LLM-based property extraction and TC generation
Deterministic oracles for automatic violation detection