ReVoLTE flaw lets hackers spy on encrypted LTE calls by exploiting Voice over LTE (VoLTE) eNodeB flaw
Over the years, Voice over Long-Term Evolution (VoLTE) has emerged as the standard for high-speed wireless communication, including voice calls on smartphones. Most telecom operators use this packet-based telephony service, integrated into the Long Term Evolution (LTE) standard, to give their users reliable calls without call drops or wrong routing. VoLTE also encrypts the data between the user’s smartphone and the network with a stream cipher (flow encryption). The stream cipher is meant to generate a unique key for each call so that no keystream is ever reused. Until now, it was thought to be the safest way to make and receive calls without somebody spying on the smartphone user.
However, a research team from Ruhr University Bochum and New York University Abu Dhabi has found that they could exploit a flaw in LTE implementations to recover the contents of an encrypted VoLTE call. The team, consisting of David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper, has developed an attack method called ReVoLTE which abuses the LTE implementation flaw and lets potential hackers eavesdrop on encrypted VoLTE calls.
What is the ReVoLTE LTE implementation flaw:
The researchers found that a flaw in base station (eNodeB) deployments made the LTE network use the same encryption keys for two calls within the same radio connection. Further investigation revealed that the eNodeB flaw is far more widespread than they expected: it affected 12 of the 15 base stations they analyzed in Germany.
Once the flaw was identified, the researchers built an exploit called ReVoLTE which abused the eNodeB flaw and made it possible for them to spy on fully encrypted VoLTE calls. The researchers were able to intercept the data of a phone call between User A and User B.
To do so, the researchers begin by recording User A’s encrypted radio traffic as it passes to a vulnerable eNodeB base station. After the first call between User A and User B ended, the researchers kept monitoring User A’s connection. When User A took part in a second call within the same radio connection, the researchers were able to use the flaw to decrypt User A’s recorded first call.
To decrypt the target call, the attacker now computes the following: First, the attacker XORs the known plaintext (recorded at the attacker’s own phone) with the ciphertext of the keystream call. This yields the keystream of the keystream call. Because of the vulnerable base station, this keystream is the same as the one used for the target (first) call. In a second step, the attacker decrypts the first call by XORing the recovered keystream with the first call’s ciphertext. It is important to note that the attacker has to engage the victim in a longer conversation: the longer the attacker talks to the victim, the more of the previous conversation can be decrypted, because only the portion covered by the known plaintext yields keystream. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.
Successful exploitation of the ReVoLTE attack depends on several conditions. For one, the target User A has to engage in a lengthy conversation with User B. Secondly, both calls have to pass through a flawed eNodeB base station.
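The two XOR steps above are the textbook consequence of keystream reuse in any stream cipher. The following Python model is an added example written for this article; it is not code from the ReVoLTE researchers and it does not model the real LTE ciphers or the audio-codec and timing details of a VoLTE call. It uses a constructed SHA-256 counter-mode keystream as a stand-in, a hypothetical `ToyENodeB` class that can either reuse the call key (the flawed behaviour described above) or derive a fresh key per call (the patched behaviour), and constructed call contents. It shows that with a reusing base station the known second call reveals exactly as many bytes of the first call as the attacker's own plaintext covers, and that per-call keys make the same computation yield nothing.

```python
import hashlib
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher: SHA-256 in counter mode.
    The real LTE algorithms are deliberately not modelled; the reuse
    weakness shown here applies to any stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Ciphertext = plaintext XOR keystream (decryption is the same operation)."""
    return xor_bytes(plaintext, toy_keystream(key, len(plaintext)))


class ToyENodeB:
    """Hypothetical base station model (assumption, not a real eNodeB).
    reuses_keys=True: every call in one radio connection gets the same key,
    so the keystream repeats (the flaw in the article).
    reuses_keys=False: each call gets a fresh key (patched behaviour)."""

    def __init__(self, reuses_keys: bool) -> None:
        self.reuses_keys = reuses_keys
        # Constructed per-radio-connection secret shared with the handset.
        self.connection_key = hashlib.sha256(b"constructed connection key").digest()
        self.calls_seen = 0

    def encrypt_call(self, plaintext: bytes) -> bytes:
        # A flawed station never advances the per-call input, a patched one does.
        call_index = 0 if self.reuses_keys else self.calls_seen
        self.calls_seen += 1
        call_key = hashlib.sha256(
            self.connection_key + call_index.to_bytes(4, "big")
        ).digest()
        return stream_encrypt(call_key, plaintext)


def recover_target_call(target_ct: bytes, keystream_ct: bytes,
                        keystream_pt: bytes) -> bytes:
    """The two steps from the article: known plaintext XOR its ciphertext gives
    the keystream; keystream XOR target ciphertext gives the target plaintext.
    Only len(keystream_pt) bytes can be recovered, hence the need for a long
    second conversation."""
    keystream = xor_bytes(keystream_pt, keystream_ct)
    return xor_bytes(keystream, target_ct)


def recoverable_bytes(target_len: int, known_len: int) -> int:
    """How much of the target call the known plaintext can unlock."""
    return min(target_len, known_len)


# Constructed call contents (not real audio).
TARGET_CALL = b"first call: the confirmation code is 7731, please keep it private"
SECOND_CALL = b"second call: hello, this is the other party speaking"


def simulate(reuses_keys: bool) -> bytes:
    """Encrypt both calls through the toy station and run the recovery."""
    station = ToyENodeB(reuses_keys=reuses_keys)
    target_ct = station.encrypt_call(TARGET_CALL)   # victim's first call, recorded
    second_ct = station.encrypt_call(SECOND_CALL)   # second call, plaintext known
    return recover_target_call(target_ct, second_ct, SECOND_CALL)


if __name__ == "__main__":
    print("reusing station :", simulate(True))
    print("patched station :", simulate(False))
    print("recoverable bytes:", recoverable_bytes(len(TARGET_CALL), len(SECOND_CALL)))
```

The patched branch of `ToyENodeB` is the point for operators: the fix is not a different cipher but guaranteeing that no two calls in a radio connection ever share a key and counter, which is what the GSMA advisory asked vendors to enforce.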
Proof of Concept video:
The researchers have published the PoC exploit of the ReVoLTE flaw here. They have also published an app called Mobile Sentinel which exploits the LTE flaw and can be found on their GitHub page. The app runs only on rooted Android smartphones with a Qualcomm chip.
The video of the ReVoLTE flaw is given below:
The researchers reported the flaw to the Coordinated Vulnerability Disclosure Programme managed by the GSMA. The GSMA issued an alert in December 2019 and asked all telecom service providers to obtain updates for vulnerable base stations. Telecom companies in Germany, where the researchers discovered the flawed base stations, have deployed updates.
However, not all telecom service providers may have fixed the flaw, and the researchers say many base stations around the world may still be vulnerable.