The emergence of mobile voice calls over the standard, known as Long Term Evolution, has been a huge hit for millions of mobile phone users around the world. VoLTE, short for Voice over LTE, delivers up to three times the capacity of the previous 3G standard, resulting in high definition sound quality which is an enormous improvement over previous generations. VoLTE also uses the same IP standard used to send data over the Internet, enabling it to work with a wider range of devices. VoLTE does all this while also providing a layer of security that is not available in previous cellular technologies.
Now, researchers have demonstrated a weakness that allows attackers with modest resources to converse on conversations. Their technology, called ReVoLTE, uses a software-defined radio to record the signal that a carrier’s base station transmits to a attacker’s telephone, as long as the attacker is connected to the same cell tower (typically, within a cell tower). a few hundred meters to a few kilometers) and knows the phone number. Because of a bug in the way many carriers implement VoLTE, the attack converts cryptographic scraping data into unencrypted sound. The result is a threat to the privacy of a growing segment of mobile phone users. The cost: about $ 7,000.
So much for safer
“Data confidentiality is one of the central goals of LTE security and a fundamental requirement for trust in our communications infrastructure,” the researchers, from Ruhr University Bochum and the University of New York, wrote in a paper Wednesday was presented at the 29th USENIX Security Symposium. “We have introduced the ReVoLTE attack, which enables an opponent to retrieve and retrieve encrypted VoLTE calls based on an implementation error of the LTE protocol.”
VoLTE encrypts call data as it passes between a telephone and a base station. The base station then decrypts the traffic to allow it to go to any circuit switched part of a cellular network. The base station at the other end will then encrypt the call when it is transferred to the other party.
The execution error that ReVoLTE exploits is the tendency for base stations to use some of the same cryptographic material to encrypt two or more calls when they are made in close succession. The attack addresses this error by recording the encrypted radio traffic of the call of a target, which the researchers call the target as the first call. When the first call ends, the attacker quickly initiates what the researchers call a keystream call and cuts off the encrypted traffic at the same time, recording the unencrypted sound, commonly known as plain text.
The researchers described it as follows:
The attack consists of two main phases: the recording phase in which the opponent registers the target call of the victim, and the call phase with a subsequent call with the victim. For the first phase, the opponent must be able to sniff radiolayer broadcasts in the direction of downlink, which is possible with affordable hardware for less than $ 1,400 [1]. Furthermore, the opponent can decrypt recorded traffic to the encryption data (PDCP) once it has learned the radio configuration of the target eNodeB. However, our attacker model does not require possession of valid key material by the victim. The second phase requires a commercial Off-TheShelf (COTS) telephone and knowledge of the victim’s telephone number along with his / her current position (ie, radio cell).
The attacker then compares the encrypted and plain text traffic of the second call to deduce the cryptographic bits used to encrypt the call. Once in possession of this so-called “keystream”, the attacker uses it to restore the flat text of the target call.
“The ReVoLTE attacks exploit the reuse of the same keystream for two consecutive calls within one radio link,” the investigators wrote in a post explaining the attack. “This vulnerability is caused by a base station implementation error (eNodeB).”
The figure below shows the steps involved, and the video below the figure shows ReVoLTE in action:
Limited, but practical in the real world
ReVoLTE has its limitations. Matt Green, a Johns Hopkins University professor specializing in cryptography, explained that real constraints – including the specific codecs in use, vagaries in the way encoded audio is transcoded, and compression of packet headers – can make it difficult to get the full digital plain text of a call. Without the plain text, the decryption attack will not work. He also said that keystream calls should be made within about 10 seconds after the end of the target call.
In addition, the amount of the target call that can be decrypted depends on how long the keystream call lasts. A keystream call lasting only 30 seconds will only provide enough keystream material to retrieve 30 seconds from the target call. ReVoLTE will also not work if base stations follow the LTE standard that dictates against the reuse of keystreams. And as already mentioned, the attacker must be in radio range of the same cell tower as the target.
Despite the limitations, the researchers were able to repeat 89 percent of the calls they were expecting, a performance that proves that ReVoLTE is effective in real-world settings, as long as base stations implement LTE incorrectly. The required equipment includes (1) commercial off-the-shelf telephones that connect to cellular networks and traffic recorders and (2) commercially available Airscope software radio to perform real-time decoding of LTE downlink traffic.
“An opponent needs to invest less than $ 7,000 to create a setup with the same functionality and, ultimately, the ability to decrypt downlink traffic,” the researchers wrote. “While our downlink ReVoLTE is already possible, a sophisticated adversary can improve attack efficiency by expanding the setup with an uplink sniffer, such as the WaveJudge5000 by SanJole, where we can exploit the same attack vector, and access it at the same time. get in both directions. “
Am I vulnerable?
In initial tests, the researchers found that 12 out of 15 randomly selected base stations in Germany reused keystreams, making all VoLTE calls vulnerable through them. After reporting to the Global System for Mobile Applications sector group, a retest found that the affected German carriers had their base stations. With more than 120 providers around the world and more than 1,200 different device types supporting VoLTE, it will probably take more time for the weak recovery to be completely eliminated.
“However, we need to consider a large number of providers worldwide and their great commitment,” the researchers wrote. “It is therefore important to raise awareness about the vulnerability.”
The researchers have released an Android app that will test if a network connection is vulnerable. The app requires a rooted device that supports VoLTE and runs a Qualcomm chipset. Unfortunately, these requirements will make it difficult for most people to use the app.
I emailed AT&T, Verizon and Sprint / T-Mobile to inquire if any of their base stations are vulnerable to ReVoLTE. So far, none of them have responded. This post will be updated as answers come later.
“Different destructive”
ReVoLTE builds on a seminal research paper published in 2018 by computer scientists at the University of California, Los Angeles. They found that LTE data was often encrypted in a way that used the same keystream more than once. Using what is known as an XOR operation on the encrypted data and the corresponding plain-text traffic, the researchers were able to generate keystream. With that in hand, it was trivial to decrypt the data of the first call.
The figure below shows how ReVoLTE does this:
“The keystream call allows the attacker to extract the keystream by XOR-injecting the snippet traffic with the plaintext of the keystream call,” ReVoLTE researchers explained. The keystream block is then used to decrypt the corresponding fixed target code text. The attacker thus calculates the flat text of the target call. ”
While ReVoLTE exploits the wrong implementation of LTE, Johns Hopkins told Green that some of the blame lies in the transparency of the standard itself, a shortcoming he compares to “begging toddlers not to play with a gun.”
“Involuntarily they will do that and terrible things will happen,” he wrote. “In this case, the dismissal pistol is a keystream re-attack in which two different messages get XORed with the same keystream bytes. This is known to be utterly destructive of message confidentiality. ”
The researchers provide several suggestions that cellular providers can follow to solve the problem. Of course, this does not mean that the same keystream will be reused, but it turns out that this is not as simple as it may seem. A short-term countermeasure is to increase the number of what are known as radio bearer identities, but because there is a definite number of them, bearers must also use inter-cell transmissions. Normally, these handovers can stay connected to a phone as it transfers from one cell to another. A built-in prevention of key reuse also makes the procedure useful for security.
“[As] a long-term solution, we recommend adhering to mandatory media encryption and integrity protection for VoLTE, ”the researchers wrote. “This provides long-term mitigation for known issues, such as re-use, and lack of integrity protection on the radio layer, and introduces an additional layer of security.”