The arrival of voice calls over the standard known as Long Term Evolution has been a boon to millions of mobile phone users worldwide. VoLTE, short for Voice over LTE, provides up to three times the capacity of the previous 3G standard, resulting in high-definition sound quality that is a huge improvement over earlier generations. VoLTE also uses the same IP standard used to send data over the Internet, so it can work with a wide range of devices. VoLTE does all of this while also providing a layer of encryption that is not available in earlier cellular technologies.
Now, researchers have demonstrated a vulnerability that allows attackers with modest resources to eavesdrop on calls. Their technique, called ReVoLTE, uses software-defined radio to pick up the signal that a carrier base station transmits to a target of the attacker's choice, as long as the attacker is connected to the same cell tower (usually within a few hundred meters to a few kilometers) and knows the phone number. Because of an error in the way many carriers implement VoLTE, the attack converts encrypted data into unencrypted sound. The result is a threat to the privacy of a growing segment of cell phone users. Cost: about $7,000.
So much for safer
“Data confidentiality is one of the central goals of LTE security and a fundamental requirement for trust in our communication infrastructure,” researchers from Ruhr University Bochum and New York University wrote in a paper presented Wednesday at the 29th USENIX Security Symposium. “We introduced the ReVoLTE attack, which enables an adversary to intercept and recover VoLTE-encrypted calls based on a flaw in the LTE protocol implementation.”
VoLTE encrypts call data as it passes between a telephone and a base station. The base station then decrypts the traffic so it can be passed to any circuit-switched portion of the mobile network. A base station at the other end then re-encrypts the call as it is transmitted to the other party.
The implementation flaw that ReVoLTE exploits is the tendency of base stations to use the same cryptographic material to encrypt two or more calls when they are made in close succession. The attack exploits this flaw by capturing the encrypted radio traffic of a target's call, which the researchers call the target call or the first call. When the first call ends, the attacker quickly places what the researchers call a keystream call and simultaneously sniffs the encrypted traffic and records the unencrypted sound, commonly known as the plaintext.
The researchers described it this way:
The attack consists of two main phases: the recording phase, in which the adversary records the victim's target call, and the call phase, with a subsequent call to the victim. For the first phase, the adversary must be able to sniff the radio-layer transmissions in the downlink direction, which is possible with affordable equipment for less than $1,400. Furthermore, the adversary can decrypt the recorded traffic up to the encryption data (PDCP) once it has learned the radio configuration of the targeted eNodeB. However, our attacker model does not require possession of any of the victim's key material. The second phase requires a commercial off-the-shelf (COTS) telephone and knowledge of the victim's telephone number along with his/her current position (i.e., radio cell).
The attacker then compares the encrypted and plaintext traffic of the second call to extract the cryptographic bits used to encrypt it. Once it has this so-called “keystream” in hand, the attacker uses it to recover the plaintext of the target call.
“ReVoLTE attacks exploit the reuse of the same keystream for two consecutive calls within one radio connection,” the researchers wrote in a post explaining the attack. “This vulnerability is caused by a base station (eNodeB) implementation flaw.”
The figure below describes the steps involved, and the video below shows ReVoLTE in action:
Limited but practical in the real world
ReVoLTE has its limitations. Matt Green, a Johns Hopkins University professor specializing in cryptography, explained that real-world constraints, including the specific codecs in use, the way audio is transcoded, and the compression of packet headers, make it difficult to obtain the complete plaintext of a phone call. Without the plaintext, the decryption attack will not work. He also said that the keystream call must be placed within about 10 seconds of the target call ending.
Furthermore, the amount of the target call that can be decrypted depends on how long the keystream call lasts. A keystream call lasting only 30 seconds will provide only enough keystream material to recover 30 seconds of the target call. ReVoLTE also will not work when base stations follow the LTE standard, which prohibits keystream reuse. And as already mentioned, the attacker must be within radio range of the same cell tower as the target.
Despite the limitations, the researchers were able to recover 89 percent of the conversations they overheard, an achievement that shows ReVoLTE is effective in real-world environments, as long as base stations implement LTE incorrectly. The required equipment includes (1) commercial telephones that connect to cellular networks and record traffic, and (2) a commercially available Airscope software-defined radio to perform real-time decoding of downlink LTE traffic.
“An adversary must invest less than $7,000 to create a setup with the same functionality and, ultimately, the ability to decrypt downlink traffic,” the researchers write. “While our ReVoLTE downlink attack is now possible, a more sophisticated adversary can improve attack efficiency by extending the setup with an uplink sniffer, e.g., the WaveJudge5000 from SanJole, where we can utilize the same attack vector and use both directions simultaneously.”
Am I affected?
In initial tests, the researchers found that 12 of 15 randomly selected base stations in Germany reused keystreams, making all VoLTE calls transmitted through them vulnerable. After the researchers reported their findings to the GSM Association industry group, a retest showed that the affected German carriers had fixed their base stations. With more than 120 providers worldwide and over 1,200 different device types supporting VoLTE, it will likely take longer for the eavesdropping vulnerability to disappear completely.
“However, we need to consider a large number of providers worldwide and their large deployments,” the researchers wrote. “It is therefore essential to raise awareness of the vulnerability.”
The researchers have released an Android app that will test whether a network connection is vulnerable. The app requires a rooted device that supports VoLTE and runs a Qualcomm chipset. Unfortunately, these requirements will make it difficult for most people to use the app.
I emailed AT&T, Verizon and Sprint/T-Mobile to ask if any of their base stations are vulnerable to ReVoLTE. So far none of them have responded. This post will be updated if replies come later.
ReVoLTE builds on a seminal study published in 2018 by computer scientists at the University of California, Los Angeles. They found that LTE data was often encrypted in a way that used the same keystream more than once. By applying what is known as an XOR operation to the encrypted data and the corresponding plaintext traffic, the researchers could recover the keystream. With that in hand, it was trivial to decrypt the data from the first call.
The figure below shows how ReVoLTE does this:
“The keystream call allows the attacker to extract the keystream by XORing the sniffed traffic with the plaintext traffic of the keystream call,” the ReVoLTE researchers explained. “The keystream block is then used to decrypt the corresponding captured ciphertext. The attacker thus simply computes the plaintext of the target call.”
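The keystream recovery described above, simulated in Python as an added illustration (this is not code from the paper or the researchers). A toy counter-mode keystream stands in for LTE's AES-CTR user-plane cipher; the key, bearer identities and call audio are constructed. The simulation also shows why a shorter keystream call recovers only a prefix of the target call, and why assigning a fresh radio bearer identity to the second call defeats the recovery.

```python
import hashlib


def keystream(key: bytes, bearer: int, count: int, length: int) -> bytes:
    """Toy counter-mode keystream derived from (key, bearer id, count, block).

    Stand-in for LTE's EEA2 (AES-CTR): the real cipher is keyed by the
    user-plane key and the bearer/direction/count inputs; only the fact
    that identical inputs give an identical keystream matters here."""
    out = b""
    block = 0
    while len(out) < length:
        material = key + bytes([bearer]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(material).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input: a short keystream call
    # yields only a prefix of the target call.
    return bytes(x ^ y for x, y in zip(a, b))


def enodeb_encrypt(key: bytes, bearer: int, count: int, plaintext: bytes) -> bytes:
    """What the base station does: plaintext XOR keystream."""
    return xor(plaintext, keystream(key, bearer, count, len(plaintext)))


def revolte_recover(target_ct: bytes, ks_call_ct: bytes, ks_call_pt: bytes) -> bytes:
    """Attacker side: keystream = ciphertext XOR known plaintext of the
    keystream call, then target plaintext = target ciphertext XOR keystream."""
    recovered_keystream = xor(ks_call_ct, ks_call_pt)
    return xor(target_ct, recovered_keystream)


def simulate(reuse_bearer: bool) -> bytes:
    """Run both calls through the eNodeB and return what the attacker recovers."""
    key = b"constructed-user-plane-key"          # constructed K_UPenc stand-in
    target_pt = b"hello this is the victim's confidential call audio"  # 50 bytes
    ks_call_pt = b"attacker's own call, known audio"                   # 32 bytes
    target_ct = enodeb_encrypt(key, 1, 0, target_pt)           # first call: bearer 1
    # Flawed eNodeB: second call gets the same bearer id and the count restarts,
    # so the keystream repeats. A compliant eNodeB assigns a fresh bearer id.
    bearer2 = 1 if reuse_bearer else 2
    ks_call_ct = enodeb_encrypt(key, bearer2, 0, ks_call_pt)
    return revolte_recover(target_ct, ks_call_ct, ks_call_pt)


if __name__ == "__main__":
    print(simulate(reuse_bearer=True))   # first 32 bytes of the victim's audio
    print(simulate(reuse_bearer=False))  # garbage: no keystream reuse
```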
While ReVoLTE exploits a faulty implementation of LTE, Johns Hopkins' Green said some of the blame lies in the sloppiness of the standard itself, a shortcoming he compares to “begging the baby not to play with guns”.
“Inevitably, they will do it and terrible things will happen,” he wrote. “In this case, the discharging weapon is a keystream reuse attack in which two different messages get XORed with the same keystream bytes. This is known to be utterly destructive to the confidentiality of the message.”
The researchers offer some suggestions that mobile providers can follow to solve the problem. Obviously, this means not reusing the same keystream, but it turns out that is not as straightforward as it may seem. A short-term countermeasure is to increase the number of what are known as radio bearer identities, but because there is a limited number of these, carriers should also make use of intra-cell handovers. Normally, these handovers allow a phone to remain connected while being transferred from one cell to another. Avoiding reuse of the same key makes the procedure useful for security as well.
“[As] a long-term solution, we recommend specifying mandatory media encryption and integrity protection for VoLTE,” the researchers write. “This provides long-term mitigation for known issues, e.g., key reuse and missing integrity protection on the radio layer, and introduces an additional layer of security.”