New attack allows hackers to decrypt VoLTE encryption to spy on phone calls.
A team of academic researchers – who made headlines earlier this year for uncovering serious security problems in 4G LTE and 5G networks – today unveiled a new attack called “ReVoLTE” that allows attackers to crack the encryption of VoLTE voice calls and spy on targeted calls.
The attack does not exploit a vulnerability in the Voice over LTE (VoLTE) protocol, but takes advantage of the weak implementation of the LTE mobile network at most telecom providers in practice, allowing an attacker to listen in on the encrypted phone calls of targeted victims.
VoLTE, or Voice over Long Term Evolution Protocol, is a standard for high-speed wireless communications for cell phones and data terminals, including Internet of Things (IoT) devices and wearables that use 4G LTE wireless technology.
The crux of the matter is that most mobile operators often use the same keystream for two consecutive calls within a wireless connection to encrypt the voice data between the phone and the same base station, i.e. the cell tower.
The new ReVoLTE attack thus exploits the reuse of the same keystream by vulnerable base stations, allowing attackers to decrypt the content of VoLTE-supported voice calls in the following scenario.
However, reusing a predictable keystream is not new and was first demonstrated by Raza & Lu, but the ReVoLTE attack makes it a practical attack.
How does the ReVoLTE attack work?
In the first phase of the ReVoLTE attack, the attacker must be connected to the same base station as the victim and place a downlink sniffer to monitor and record a “targeted call” between the victim and another person; this recording is what will later be decrypted.
Once the victim hangs up the “targeted call,” the attacker calls the victim, typically within about 10 seconds, which forces the vulnerable network to set up a new call between the victim and attacker over the same radio link used by the previous targeted call.
“Keystream reuse occurs when the target and the keystream call use the same user-plane encryption key. Since this key is updated for each new radio connection, the attacker must ensure that the first packet of the keystream call arrives within the active phase after the target call,” the researchers said.
Once the connection is established, the second phase requires the attacker to engage the victim in a conversation and record it as known plaintext, which later lets the attacker recover the keystream used by this second call.
According to the researchers, XORing the recovered keystreams with the corresponding encrypted frames of the target call recorded in the first phase decrypts its content, allowing the attackers to eavesdrop on the conversation the victim had in the previous call.
“Since this results in the same keystream, all RTP data is encrypted in the same way as the voice data of the target call. Once a sufficient amount of keystream data has been generated, the attacker aborts the call,” the paper states.
However, the length of the second call should be greater than or equal to the first call to decrypt every frame; otherwise, it can decrypt only part of the conversation.
“It is important to note that the attacker must engage the victim in a longer conversation. The longer he/she has talked to the victim, the more content of the previous communication he/she can decode,” the paper says.
“Each frame is associated with a count and encrypted with an individual keystream, which we extract during keystream computation. Since the same count generates the same keystream, the count synchronizes the keystreams with encrypted frames of the target call. By XORing the keystreams with the corresponding encrypted frame, the target call is decrypted.”
“Since our goal is to decrypt the entire call, the keystream call must be as long as the target call to deliver a sufficient number of packets, otherwise we can only decrypt a portion of the call.”
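The keystream reuse described above, as an added example that is not part of the original article or of the researchers' code: a toy model in which each frame is encrypted with a keystream derived from the user-plane key and the frame count (HMAC-SHA256 stands in for the LTE cipher, an assumption, and all keys and frames are constructed). It shows that one known-plaintext frame from the second call recovers the keystream for that count, that only frames whose counts the second call covers can be recovered, and that a fresh key for the second radio connection, the fix operators deployed, leaves the recovered bytes useless.

```python
import hmac
import hashlib

# Constructed keys: KEY_A is the user-plane key of the recorded call,
# KEY_B the fresh key a patched network derives for the next radio connection.
KEY_A = b"constructed-user-plane-key-A"
KEY_B = b"constructed-user-plane-key-B"


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Per-frame keystream from (key, count). HMAC-SHA256 stands in for the
    LTE EEA cipher; what matters is that equal (key, count) gives equal bytes."""
    out, block = b"", 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key: bytes, frames):
    """Frame i of a call is encrypted with the keystream for count i."""
    return [xor(f, keystream(key, i, len(f))) for i, f in enumerate(frames)]


def recover_target(target_cipher, ks_cipher, ks_plain):
    """Recover target frames whose count is covered by the keystream call.
    ks_cipher XOR ks_plain yields the keystream for that count, which is then
    XORed with the target frame of the same count. Returns (frames, missing)."""
    recovered = []
    for count, c in enumerate(target_cipher):
        if count >= len(ks_cipher):
            break  # keystream call was shorter: remaining frames stay encrypted
        ks = xor(ks_cipher[count], ks_plain[count])
        recovered.append(xor(c, ks))
    return recovered, len(target_cipher) - len(recovered)


def demo(same_key: bool, keystream_frames: int):
    """Simulate the two calls; same_key=False models a patched network."""
    target_plain = [f"target frame {i:02d} of call".encode() for i in range(6)]
    target_cipher = encrypt_call(KEY_A, target_plain)
    key_b = KEY_A if same_key else KEY_B
    ks_plain = [f"attack frame {i:02d} of call".encode() for i in range(keystream_frames)]
    ks_cipher = encrypt_call(key_b, ks_plain)
    recovered, missing = recover_target(target_cipher, ks_cipher, ks_plain)
    return recovered, missing, target_plain
```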
ReVoLTE attack detection and demonstration
To demonstrate the practical feasibility of the ReVoLTE attack, the team of scientists from Ruhr-Universität Bochum implemented an end-to-end version of the attack within a commercial vulnerable network and commercial phones.
The team used Software Radio Systems’ AirScope downlink analyzer to capture encrypted traffic and three Android-based phones to obtain the known plaintext on the attacker’s phone. It then compared the two recorded conversations, derived the keystream, and finally decrypted part of the previous conversation.
The researchers have also released a demo video of the ReVoLTE attack; they say the setup costs less than $7000 and is ultimately able to decrypt downlink traffic.
The team tested a number of randomly selected radio cells across Germany to determine the extent of the problem and found that 12 out of 15 base stations in Germany were affected, but the researchers said the vulnerability affects other countries as well.
The researchers notified the affected German base station operators of the ReVoLTE attack in early December 2019 through the GSMA Coordinated Vulnerability Disclosure Program, and the operators had been able to deploy patches by the time of publication.
Since the problem also affects a large number of providers worldwide, the researchers have developed and published an open-source Android app called “Mobile Sentinel,” which you can use to determine whether your 4G network and its base stations are vulnerable to the ReVoLTE attack.
The researchers – David Rupprecht, Katharina Kohls and Thorsten Holz of Ruhr University Bochum and Christina Pöpper of NYU Abu Dhabi – have also published a dedicated website and a research paper (PDF) titled “Call Me Maybe: Eavesdropping Encrypted LTE Calls With REVOLTE,” where the ReVoLTE attack is described in full detail.