ReVoLTE Attack Allows Hackers to Listen in on Mobile Calls

Rare attack on cellular protocol exploits an encryption-implementation flaw at base stations to record voice calls.

Researchers have discovered an attack on the Voice over LTE (VoLTE) mobile communications protocol that can break its encryption and allow attackers to listen in on phone calls.

Dubbed ReVoLTE, the attack — detailed by a group of academic researchers from Ruhr University Bochum and New York University Abu Dhabi — exploits an implementation flaw in the LTE cellular protocol that exists at the level of a mobile base station. ReVoLTE makes use of a predictable keystream reuse, a scenario in encryption in which stream ciphers, or encryption keys, are vulnerable to attack if the same key is used in a predictable fashion.can allow threat actors to recover the contents of an encrypted VoLTE call.

“Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources,” researchers David Rupprecht, Katharina Kohls, Thorsten Holz and Christina Pöpper wrote, in a paper detailing the attack.”

The attack is novel in that standard cellular protocols typically aren’t targeted for hacking because researchers “never have the energy to deal with” the legwork involved of untangling the pages of documentation about the standard itself, according to cryptographer and Johns Hopkins University Professor Matthew Green.

“Moreover, implementing the attacks requires researchers to mess with gnarly radio protocols,” he wrote in a blog post about the research. “And so, serious cryptographic vulnerabilities can spread all over the world, presumably only exploited by governments, before a researcher actually takes a look at them.”

Every now and then, however, there’s an exception, and ReVoLTE is one of them, he said.

How ReVoLTE Works

The attack leverages the use of encryption at the mobile cell tower, by sniffing the encrypted radio traffic of a call someone makes within the cell of a base station that uses vulnerable encryption methods, researchers wrote.

Shortly after this attack, the attacker can call the person who made the call that was compromised, and engage him or her in conversation. This allows the attack to sniff the encrypted radio traffic of that phone call, and record the unencrypted sound. The call needs to be made using the same base station that has vulnerable encryption, researchers noted.

The attacker can then compare the two calls and break the encryption, which allows them to recover the previous conversation between the victim and another person. However, the attacker needs to keep the victim on the phone for as long as the length of a targeted call if the entire conversation is to be decrypted, researchers noted.

“The longer he/she talked to the victim, the more content of the previous communication he/she can decrypt,” they wrote. “For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.”

Researchers said they conducted real-world tests of the method on carrier base stations and found that it affects multiple mobile operators. They have notified the carriers of the vulnerability through the Coordinated Vulnerability Disclosure Program of the GSM Association (GSMA), which oversees and maintains global telephony standards.

“By the time of publication, those vendors should have provided patches, and providers are requested to install and configure them securely,” researchers noted, adding that they tested German mobile operators who installed the patch to ensure the fix functions properly.

However, given the “large number of providers worldwide and their large deployments,” the team hopes to raise awareness of the vulnerability so the issue can be resolved globally, researchers added.

It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.




Suggested articles