Re­VoL­TE attack can decrypt 4G (LTE) calls to eavesdrop on conversations

ReVoLTE
Image: Rupprecht et al.

A team of academics has detailed this week a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls.

Named ReVoLTE, researchers say this attack is possible because mobile operators often use the same encryption key to secure multiple 4G voice calls that take place via the same base station (mobile cell tower).

Academics say they tested the attack in a real-world scenario and found that multiple mobile operators are impacted, and have worked with the GSM Association (GSMA), the organization that governs telephony standards, to have the issue resolved.

What are LTE, VoLTE, and encrypted calls

But to understand how the ReVoLTE attack works, ZDNet readers must first know how modern mobile communications work.

Today, the latest version of mobile telephony standards is 4G, also commonly referred to as Long Term Evolution (LTE).

Voice over LTE (VoLTE) is one of the many protocols that make up the larger LTE/4G mobile standard. As the name suggests, VoLTE handles voice communications on 4G networks.

By default, the VoLTE standard supports encrypted calls. For each call, mobile operators must select an encryption key (called a stream cipher) to secure the call. Normally, the stream cipher should be unique for each call.

How the ReVoLTE attack works

However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter of the law.

Researchers say that while mobile operators do, indeed, support encrypted voice calls, many calls are encrypted with the same encryption key.

In their research, academics said that the problem usually manifests at the base station (mobile cell tower) level, which, in most cases, reuse the same stream cipher, or use predictable algorithms to generate the encryption key for voice calls.

In a real-world scenario, academics say that if an attacker can record a conversation between two 4G users using a vulnerable mobile tower, they can decrypt it at a later point.

All an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call from the same vulnerable base station, in order to have its own call encrypted with the same/predictable encryption key.

“The longer the attacker [talks] to the victim, the more content of the previous conversation he or she [is] able to decrypt,” David Rupprecht, one of the academics said.

“For example, if attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.”

The attacker can compare the two recorded conversations, determine the encryption key, and then recover the previous conversation. A demo of a typical ReVoLTE attack is available embedded below:

Researchers say that the equipment to pull off a ReVoLTE attack costs around $7,000. While the price might seem steep, it is certainly in the price range of other 3G/4G mobile interception gear, usually employed by law enforcement or criminal gangs.

Issue reported to the GSMA, patches deployed

The research team said it conducted thorough research on how widespread the problem was in real-world deployments of 4G mobile cell towers.

Researchers analyzed a random selection of base stations across Germany and said they found that 80% were using the same encryption key or a predictable one, exposing users to ReVoLTE attacks.

Academics said they reported the issues to both German mobile operators and the GSMA body back in December 2019, and that the GSMA issued updates for the 4G protocol implementation to address and prevent ReVoLTE attacks.

“We then tested several random radio cells all over Germany and haven’t detected any problems since then,” Rupprecht said today.

App available for mobile telcos

But researchers say that while German mobile operators appear to have fixed the issue, other telcos across the world are most likely vulnerable.

That is why the research team released today an Android app that mobile operators can use to test their 4G networks and base stations and see if they are vulnerable to ReVoLTE attacks. The app has been open-sourced on GitHub.

Details about the ReVoLTE attack are available on a dedicated website the research team published today after presenting their work at the USENIX 29 security conference. A video of the ReVoLTE presentation the research team gave at USENIX is available on this page.

A scientific paper detailing the ReVoLTE attack is also available for download as PDF from here and here. The paper is titled “Call Me Maybe: Ea­ves­drop­ping En­cryp­ted LTE Calls With Re­VoL­TE.”

The research team behind the ReVoLTE attack is the same team who earlier this year discovered the IMP4GT attack on the 4G protocol, a vulnerability that allowed 4G users to impersonate other subscribers and sign up for paid services at another user’s expense.

Today’s ReVoLTE disclosure is the latest in a long list of vulnerabilities identified in the 4G/LTE protocol over the past years. Previous findings were also published in March 2019February 2019July 2018June 2018March 2018June 2017July 2016, and October 2015.

READ MORE HERE