REVOLTE ATTACK

Written by XCell Technologies

Published on August 13, 2020

New attack allows hackers to decrypt VoLTE encryption to spy on phone calls.

A team of academic researchers – who made headlines earlier this year for uncovering serious security problems in 4G LTE and 5G networks – today unveiled a new attack called “ReVoLTE” that allows attackers to crack the encryption of VoLTE voice calls and spy on targeted calls.

The attack does not exploit a vulnerability in the Voice over LTE (VoLTE) protocol itself; it takes advantage of a weak implementation of LTE encryption at most telecom providers in practice, allowing an attacker to listen in on the encrypted phone calls of targeted victims.

VoLTE, or Voice over Long Term Evolution Protocol, is a standard for high-speed wireless communications for cell phones and data terminals, including Internet of Things (IoT) devices and wearables that use 4G LTE wireless technology.

The crux of the matter is that most mobile operators often reuse the same keystream for two consecutive calls within one radio connection to encrypt the voice data between the phone and the same base station, i.e. the cell tower.

The new ReVoLTE attack thus exploits this keystream reuse by vulnerable base stations, allowing attackers to decrypt the content of VoLTE voice calls in the scenario described below.


However, exploiting a reused, predictable keystream is not new; it was first demonstrated by Raza & Lu, but the ReVoLTE attack turns it into a practical attack.

How does the ReVoLTE attack work?

To initiate this attack, the attacker must be connected to the same base station as the victim and use a downlink sniffer to monitor and record a ‘target call’ between the victim and someone else; this recorded call is what will be decrypted later, and capturing it is the first phase of the ReVoLTE attack.

Once the victim hangs up the ‘target call,’ the attacker must call the victim, usually within about 10 seconds, which forces the vulnerable network to set up the new call between victim and attacker on the same radio connection that the previous target call used.

“The keystream reuse occurs when the target and keystream call use the same user-plane encryption key. As this key is updated for every new radio connection, the attacker must ensure that the first packet of the keystream call arrives within the active phase after the target call,” the researchers said.

Once connected, as part of the second phase, the attacker needs to engage the victim in a conversation and record it in plaintext; this known plaintext later allows the attacker to recover the keystream used for this second call.

According to the researchers, XOR-ing the recovered keystreams with the corresponding encrypted frames of the target call captured in the first phase decrypts its content, allowing the attacker to listen to the conversation the victim had in the previous phone call.

“As this results in the same keystream, all RTP data is encrypted in the same way as the voice data of the target call. As soon as a sufficient amount of keystream data was generated, the adversary cancels the call,” the paper reads.

However, the length of the second call must be greater than or equal to that of the first call in order to decrypt every frame; otherwise only part of the conversation can be decrypted.

“It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt,” the paper reads.

“Each frame is associated with a count and encrypted with an individual keystream that we extract during the keystream computation. As the same count generates the same keystream, the count synchronizes the keystreams with encrypted frames of the target call. XOR-ing the keystreams with the corresponding encrypted frame decrypts the target call.”

“As we aim to decrypt the complete call, the keystream call must be as long as the target call to provide a sufficient number of packets, as otherwise we can only decrypt a part of the conversation.”
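To make the keystream-reuse problem concrete, here is an added simulation (not code from the researchers, the paper, or the original article). It models one radio connection whose base station either keeps the same user-plane key for a second call (the vulnerable behaviour) or derives a fresh key for every call (which is what the operators' fix amounts to), and shows that known plaintext from the second call recovers the first call only in the vulnerable configuration, and only for as many frames as the second call lasted. The keystream generator is an HMAC-SHA256 stand-in for the real LTE EEA cipher, and the plaintexts, frame size and key handling are constructed assumptions.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Stand-in keystream generator (HMAC-SHA256 used as a PRF); NOT the real LTE
    EEA algorithm. Like the real one, it is a deterministic function of the
    user-plane key and the per-frame COUNT/bearer/direction, so identical inputs
    always produce an identical keystream."""
    out = b""
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + bytes([bearer, direction]) + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input, which models partial recovery of a frame.
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frames(key: bytes, frames: list, bearer: int = 1, direction: int = 1) -> list:
    """Encrypt one call: frame i is sent with COUNT = i, as the count restarts
    when a new radio bearer is set up (assumption of this model)."""
    return [xor_bytes(f, keystream(key, i, bearer, direction, len(f))) for i, f in enumerate(frames)]


class BaseStation:
    """Minimal model of user-plane key handling on a single radio connection."""

    def __init__(self, rekey_per_call: bool):
        self.rekey_per_call = rekey_per_call
        self.key = os.urandom(16)

    def start_call(self) -> bytes:
        # Vulnerable configuration: a second call inside the same radio connection
        # reuses the previous call's key, so the same COUNT yields the same keystream.
        # Fixed configuration: every call gets a fresh key (here simply random).
        if self.rekey_per_call:
            self.key = os.urandom(16)
        return self.key

    def carry_call(self, frames: list) -> list:
        return encrypt_frames(self.start_call(), frames)


def recover_target_call(target_ct: list, known_pt: list, known_ct: list) -> list:
    """Two-time-pad recovery as the article describes it: keystream_i is
    known_ct_i XOR known_pt_i, and target_i is target_ct_i XOR keystream_i.
    Target frames with no counterpart in the known call cannot be recovered,
    which is the article's caveat about the second call needing to be as long."""
    recovered = []
    for i, ct in enumerate(target_ct):
        if i >= len(known_ct):
            break
        ks = xor_bytes(known_ct[i], known_pt[i])
        recovered.append(xor_bytes(ct, ks))
    return recovered


def make_frames(text: bytes, frame_len: int = 20) -> list:
    # Constructed "voice" payload chunked into fixed-size frames.
    return [text[i:i + frame_len] for i in range(0, len(text), frame_len)]


def simulate(rekey_per_call: bool, target_text: bytes, known_text: bytes) -> tuple:
    """Run both calls through one base station; returns (target_frames, recovered_frames)."""
    bs = BaseStation(rekey_per_call)
    target = make_frames(target_text)
    target_ct = bs.carry_call(target)      # the earlier call, captured encrypted
    known = make_frames(known_text)
    known_ct = bs.carry_call(known)        # the later call, whose plaintext is known
    return target, recover_target_call(target_ct, known, known_ct)


if __name__ == "__main__":
    TARGET = b"constructed sample: the earlier conversation that should stay private"
    KNOWN = b"constructed sample: the later call with known plaintext, made a bit longer"
    for rekey in (False, True):
        frames, rec = simulate(rekey, TARGET, KNOWN)
        label = "fresh key per call" if rekey else "key reused across calls"
        print(f"{label}: earlier call recovered = {b''.join(rec) == b''.join(frames)}")
```

Running the script prints that the earlier call is fully recovered only when the key is reused; with per-call rekeying the same known plaintext yields unrelated bytes. Swapping the two texts so the known call is the shorter one shows the partial-recovery case: only the frames the second call actually covered come back.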

Detecting the ReVoLTE Attack and Demonstration

To demonstrate the practical feasibility of the ReVoLTE attack, the team of academics from Ruhr University Bochum implemented an end-to-end version of the attack in a commercial, vulnerable network using commercial phones.

The team used the downlink analyzer Airscope by Software Radio Systems to sniff the encrypted traffic and three Android-based phones to obtain the known plaintext at the attacker’s phone. It then compared the two recorded conversations, determined the encryption key, and finally decrypted a portion of the previous call.

The researchers also published a demo video of the ReVoLTE attack; according to them, setting up the attack and eventually decrypting downlink traffic could cost an attacker less than $7000.

The team tested a number of randomly selected radio cells across Germany to determine the scope of the issue and found that it affected 12 out of 15 base stations in Germany, but the researchers said the security gap also affects other countries.

Researchers notified the affected German base station operators about the ReVoLTE attack through the GSMA Coordinated Vulnerability Disclosure Programme process in early December 2019, and the operators managed to deploy the patches by the time of publication.

Since the issue also affects a large number of providers worldwide, the researchers released an open source Android app, called ‘Mobile Sentinel,’ that users can run to detect whether their 4G network and base stations are vulnerable to the ReVoLTE attack.

The researchers, David Rupprecht, Katharina Kohls and Thorsten Holz of Ruhr University Bochum and Christina Pöpper of NYU Abu Dhabi, have also released a dedicated website and a research paper (PDF), titled “Call Me Maybe: Eavesdropping Encrypted LTE Calls With REVOLTE,” detailing the ReVoLTE attack, where you can find more details.
