{"id":36572,"date":"2020-08-12T16:13:13","date_gmt":"2020-08-12T16:13:13","guid":{"rendered":"http:\/\/80ec743b-121f-45bc-b04a-0e26ad6ec1d2"},"modified":"2020-08-12T16:13:13","modified_gmt":"2020-08-12T16:13:13","slug":"revolte-attack-can-decrypt-4g-lte-calls-to-eavesdrop-on-conversations","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/revolte-attack-can-decrypt-4g-lte-calls-to-eavesdrop-on-conversations\/","title":{"rendered":"Re\u00adVoL\u00adTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations"},"content":{"rendered":"
\"ReVoLTE\"<\/span>
<\/span> Image: Rupprecht et al. <\/span><\/figcaption><\/figure>\n

A team of academics has detailed this week a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls.<\/p>\n

Named ReVoLTE, researchers say this attack is possible because mobile operators often use the same encryption key to secure multiple 4G voice calls that take place via the same base station (mobile cell tower).<\/p>\n

Academics say they tested the attack in a real-world scenario and found that multiple mobile operators are impacted, and have worked with the GSM Association (GSMA), the organization that governs telephony standards, to have the issue resolved.<\/p>\n

What are LTE, VoLTE, and encrypted calls<\/h3>\n

But to understand how the ReVoLTE attack works, ZDNet readers must first know how modern mobile communications work.<\/p>\n

Today, the latest version of mobile telephony standards is 4G<\/a>, also commonly referred to as Long Term Evolution (LTE).<\/p>\n

Voice over LTE (VoLTE<\/a>) is one of the many protocols that make up the larger LTE\/4G mobile standard. As the name suggests, VoLTE handles voice communications on 4G networks.<\/p>\n

By default, the VoLTE standard supports encrypted calls. For each call, mobile operators must select an encryption key (called a stream cipher) to secure the call. Normally, the stream cipher should be unique for each call.<\/p>\n

How the ReVoLTE attack works<\/h3>\n
<\/section>\n

However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter of the law.<\/p>\n

Researchers say that while mobile operators do, indeed, support encrypted voice calls, many calls are encrypted with the same encryption key.<\/p>\n

In their research, academics said that the problem usually manifests at the base station (mobile cell tower) level, which, in most cases, reuse the same stream cipher, or use predictable algorithms to generate the encryption key for voice calls.<\/p>\n

In a real-world scenario, academics say that if an attacker can record a conversation between two 4G users using a vulnerable mobile tower, they can decrypt it at a later point.<\/p>\n

All an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call from the same vulnerable base station, in order to have its own call encrypted with the same\/predictable encryption key.<\/p>\n

“The longer the attacker [talks] to the victim, the more content of the previous conversation he or she [is] able to decrypt,” David Rupprecht, one of the academics said.<\/p>\n

“For example, if attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.”<\/p>\n

The attacker can compare the two recorded conversations, determine the encryption key, and then recover the previous conversation. A demo of a typical ReVoLTE attack is available embedded below:<\/p>\n

\n