The arrival of mobile phone calls over the standard known as Long Term Evolution (LTE) has benefited millions of mobile phone users around the world. VoLTE, short for Voice over LTE, offers three times the capacity of the previous 3G standard, resulting in high-definition sound quality, a huge improvement over previous generations. VoLTE also uses the same IP standard used to send data over the Internet, so it can work with a wider variety of devices. VoLTE does all of this while providing a layer of security not found in predecessor mobile technologies.
Now, researchers have demonstrated a weakness that allows attackers with modest resources to eavesdrop on calls. Their technique, known as ReVoLTE, uses a software-defined radio to capture the signal that a carrier's base station transmits to a phone of the attacker's choosing, as long as the attacker is connected to the same cell tower (typically within a few hundred meters to several kilometers) and knows the target's phone number. Because of a flaw in the way many carriers deploy VoLTE, the attack turns the encrypted data back into unencrypted audio. The result is a growing threat to the privacy of a portion of mobile phone users. Cost: less than $7,000.
Not as secure as promised
Researchers from Ruhr University Bochum and New York University wrote in a paper presented Wednesday at the 29th USENIX Security Symposium: "Data security is one of the central goals of LTE security and is the fundamental requirement to trust in our communication infrastructure. We introduced the ReVoLTE attack, which allows an adversary to eavesdrop and recover encrypted VoLTE calls based on an implementation vulnerability of the LTE protocol."
VoLTE encrypts call data as it travels between the phone and the base station. The base station then decrypts the traffic so it can be forwarded through the switching parts of the cellular network. The base station at the other end encrypts the call again as it is transmitted to the other party.
The deployment error that ReVoLTE exploits is a tendency for base stations to use the same keystream to encrypt two or more calls made in quick succession. The attack exploits this by capturing the encrypted radio traffic of the victim's call, which the researchers call the first or target call. When the target call ends, the attacker quickly places a call of her own, which the researchers call the keystream call, and simultaneously sniffs its encrypted traffic and records its unencrypted audio, known as the plaintext.
The researchers describe it this way:
The attack consists of two main phases: the recording phase, in which the adversary records the victim's target call, and the call phase, with a subsequent call to the victim. For the first phase, the adversary must be able to sniff the radio layer transmissions in the downlink direction, which is possible with affordable hardware for under $1,400. Furthermore, an adversary can decode the recorded traffic up to the encrypted data (PDCP) once she learns the radio configuration of the targeted eNodeB. Our attacker model, however, does not require the possession of any valid key material of the victim. The second phase requires possessing a Commercial Off-The-Shelf (COTS) phone and knowing the victim's phone number along with his/her current location (i.e., radio cell).
The attacker then compares the encrypted traffic and the plaintext of the second call to deduce the keystream bits used to encrypt it. Once in possession of this so-called keystream, the attacker uses it to recover the plaintext of the target call.
"ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection," the researchers wrote in a post explaining the attack. "This weakness is caused by a deployment error of the base station (eNodeB)."
The figure below depicts the steps involved, and the video below shows the ReVoLTE in action:
Limited, but practical in the real world
ReVoLTE has its limitations. Matt Green, a Johns Hopkins University professor specializing in cryptography, explains that real-world details, including the specific codecs in use, variations in how the audio is encoded, and compression of packet headers, can make it hard to obtain the full digital plaintext of a call. Without that plaintext, the decryption attack won't work. He also noted that the keystream call must be placed within about 10 seconds of the target call ending.
In addition, how much of the target call can be decrypted depends on how long the keystream call lasts. A keystream call lasting only 30 seconds provides only enough keystream to recover 30 seconds of the target call. ReVoLTE also won't work when base stations follow the LTE standard's mandate against keystream reuse. And, as mentioned, the attacker must be within radio range of the same cell tower as the target.
Despite the limitations, the researchers were able to recover 89% of the conversations they eavesdropped on, a result showing that ReVoLTE is effective against real-world installations, as long as the base stations deploy LTE incorrectly. The required equipment is (1) a commercially available phone that connects to the mobile network and records traffic and (2) a commercially available software-defined radio running Airscope to decode LTE downlink traffic in real time.
An adversary needs to invest less than $7,000 to build a setup that works and is ultimately able to decrypt downlink traffic, the researchers wrote. "While our downlink ReVoLTE is viable, a more sophisticated adversary could improve the effectiveness of the attack by extending the setup with an uplink sniffer, e.g. SanJole's WaveJudge5000, where we can exploit the same attack vector and access both directions simultaneously."
Am I affected?
In early tests, the researchers found that 12 of 15 randomly selected base stations in Germany reused keystreams, making all VoLTE calls passing through them vulnerable to the attack. After they reported their findings to the GSMA industry group, a retest showed that the affected German carriers had fixed their base stations. With more than 120 carriers around the world and more than 1,200 different device types supporting VoLTE, it will likely take longer for the eavesdropping weakness to be fully eliminated.
"However, we need to consider the large number of providers worldwide and their large deployments," the researchers wrote. "It is therefore crucial to raise awareness about the vulnerability."
The researchers have released an Android app that checks whether a network connection is vulnerable to the attack. The app requires a rooted device that supports VoLTE and runs a Qualcomm chipset. Unfortunately, those requirements put the app out of reach for most people.
I emailed AT&T, Verizon, and Sprint/T-Mobile to ask whether any of their base stations are vulnerable to ReVoLTE attacks. So far, none of them has responded. This post will be updated if a reply comes later.
ReVoLTE builds on a larger body of research published in 2018 by computer scientists at the University of California, Los Angeles. They found that LTE data was often encrypted using the same keystream more than once. By XORing the encrypted data with the corresponding plaintext traffic, the researchers could recover the keystream. With that in hand, decrypting the data of the earlier transmission is trivial.
The figure below shows how ReVoLTE does this:
"The keystream call allows the attacker to extract the keystream by XORing the sniffed traffic with the keystream call's plaintext," the ReVoLTE researchers explained. "The keystream block is then used to decrypt the corresponding captured target ciphertext. Therefore, the attacker can compute the plaintext of the target call."
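The two-phase procedure described above (record the target call, place a keystream call, XOR) and the keystream-recovery step the researchers describe can be reproduced end to end with a small model. The following is an added example, not code from the ReVoLTE paper, its authors, or any carrier. It assumes a toy SHA-256-based keystream generator in place of LTE's EEA ciphers (the real ciphers also take the PDCP COUNT and direction, but COUNT restarts at zero for each new bearer, which is why the key and bearer identity are what matter here), and uses constructed audio byte strings in place of real AMR-coded media. The `ENodeB` class, `run_attack` and the other names are hypothetical. The vulnerable base station hands every call the same bearer identity under the same key; the corrected one allocates a fresh identity per call, as in the short-term countermeasure discussed later in the article. The example also shows the length limitation: the attacker recovers only as much of the target call as the keystream call lasted.

```python
"""Keystream reuse across two VoLTE calls, modelled with a toy stream cipher.

Added example, not code from the ReVoLTE paper or its authors. The keystream
generator is a SHA-256 stand-in for LTE's EEA ciphers (an assumption); the
point is the key/bearer/COUNT structure, not the cipher itself.
"""
import hashlib

# Constructed sample "audio": the victim's call is longer than the attacker's.
TARGET_AUDIO = b"victim call: the account number is 4242 and the PIN is 0911 ok"
ATTACKER_AUDIO = b"keystream call: attacker plays known audio"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, bearer: int, length: int) -> bytes:
    """Toy keystream derived from the session key and the radio bearer identity.

    Hypothetical stand-in for EEA1/2/3. Real LTE also mixes in COUNT (the PDCP
    sequence number), but COUNT restarts at zero for every new bearer, so only
    the key and the bearer identity can separate two consecutive calls.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + bytes([bearer]) + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


class ENodeB:
    """Base station that encrypts downlink VoLTE media for one subscriber."""

    def __init__(self, session_key: bytes, reuse_bearer_id: bool):
        self.key = session_key
        self.reuse_bearer_id = reuse_bearer_id
        self.next_bearer = 1

    def encrypt_call(self, audio: bytes) -> bytes:
        """Encrypt one call's downlink media.

        Vulnerable deployment: every call gets bearer id 1 under the same key,
        so the keystream repeats. Fixed deployment: a fresh bearer id per call.
        """
        bearer = 1 if self.reuse_bearer_id else self.next_bearer
        self.next_bearer += 1
        return xor_bytes(audio, keystream(self.key, bearer, len(audio)))


def recover_keystream(keystream_call_ct: bytes, keystream_call_pt: bytes) -> bytes:
    """Call phase: the attacker knows her own call's plaintext, so
    ciphertext XOR plaintext yields the keystream, one byte per byte of audio."""
    return xor_bytes(keystream_call_ct, keystream_call_pt)


def decrypt_target(target_ct: bytes, ks: bytes) -> bytes:
    """Apply the recovered keystream to the recorded target call.
    Only the prefix covered by the keystream call's length is recovered."""
    return xor_bytes(target_ct, ks)


def run_attack(reuse_bearer_id: bool, session_key: bytes = b"\x00" * 16) -> bytes:
    """Full ReVoLTE flow against a base station with or without the flaw.
    Returns the bytes of the target call the attacker manages to recover."""
    enb = ENodeB(session_key, reuse_bearer_id)
    target_ct = enb.encrypt_call(TARGET_AUDIO)        # recording phase
    keystream_ct = enb.encrypt_call(ATTACKER_AUDIO)   # call phase, right after
    ks = recover_keystream(keystream_ct, ATTACKER_AUDIO)
    return decrypt_target(target_ct, ks)


if __name__ == "__main__":
    # Vulnerable eNodeB: the first len(ATTACKER_AUDIO) bytes of the victim's
    # call come back in the clear. Fixed eNodeB: the same XOR yields garbage.
    print(run_attack(reuse_bearer_id=True))
    print(run_attack(reuse_bearer_id=False))
```

Note that the attacker never learns the session key; the recovered keystream is only useful because the same key and bearer identity were reused, and its usefulness ends exactly where the keystream call ended. Allocating a fresh bearer identity, or forcing a key re-establishment through a handover, breaks the attack even though the cipher itself is unchanged.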
While ReVoLTE exploits an incorrect implementation of LTE, Johns Hopkins' Green says part of the blame lies in the ambiguity of the standard itself, an omission he likens to "begging toddlers not to play with guns."
"Inevitably, they'll do it and terrible things will happen," he wrote. "In this case, the discharging gun is a keystream reuse attack in which two different messages get XORed with the same keystream bytes. This is known to be catastrophic to the confidentiality of messages."
The researchers offered several suggestions that mobile carriers can follow to fix the problem. The obvious one is not to reuse the same keystream, but it turns out that is not as simple as it sounds. A short-term countermeasure is to increase the number of what are known as radio bearer identities, but because there is a finite number of these, carriers should also make use of inter-cell handover. Normally, a handover lets a phone stay connected as it moves from one cell to another. Its built-in key refresh also makes the process useful for preventing keystream reuse.
"[As] a long-term solution, we recommend specifying mandatory media encryption and integrity protection for VoLTE," the researchers wrote. "This helps to mitigate known problems in the long term, e.g., key reuse and the lack of integrity protection on the radio layer, and introduces an additional layer of security."