ReVoLTE Attack Allows Eavesdropping of Encrypted 4G (LTE) Calls

Source: Rupprecht et al.

While 4G LTE lets us make encrypted calls, it now has become vulnerable to cyberattacks. Researchers have devised how ReVoLTE attack can allow an attacker to eavesdrop voice calls over LTE by decrypting them.

About ReVoLTE Attack

Voice over LTE (VoLTE) creates a cipher stream between the network and the phone to encrypt call data. It further generates a unique keystream for every call to ensure unique encryption.

By default, 4G LTE (Long Term Evolution) implementation by most telecom companies encrypts voice calls.

However, researchers from Ruhr University Bochum, Germany, and New York University, Abu Dhabi, UAE, found that most of the firms had a faulty implementation of this protocol. Consequently, the calls became vulnerable to ReVoLTE (Reuse encrypted VoLTE traffic) attack.

How It All Happens

Briefly, the problem existed because of the reuse of the keystream in some cases. As observed, the firms would reuse the same keystream for consecutive calls over the same radio network. This opened up the opportunity for an adversary to sniff the encryption key and decrypt calls.

To do so, an attacker would simply have to make a call to the target user while sitting on the same network. The attacker could then exploit the Real-Time Transport Protocol (RTP) that VoLTE uses to transport voice data, to decrypt the encrypted payload. Eventually, the attacker could listen to the actual conversation during the call.

Describing ReVoLTE, the researchers stated,

REVOLTE exploits a keystream reuse that appears when two subsequent calls take place during one active radio connection. In those cases, the packets of the first call are encrypted with the same keystream as the packets of the second call. REVOLTE makes use of this reuse, i.e., the attack recovers the initial keystream by conducting a second call within a short time window after the initial (target) call. Once the keystream is recovered, the attack allows us to decrypt and access the contents of the recorded target call.

For instance, if an attacker wanted to snoop onto the call between Alice and Bob, he would sniff the encrypted traffic from Alice’s calls over a vulnerable base station. Then, making a second call to Alice, shortly after the first call between Alice and Bob ends, would allow the attacker to sniff the data and receive the voice in plaintext.

The longer the attacker would communicate with Alice, the greater the decryption duration of the original call would become feasible.

The following video demonstrates the ReVoLTE attack in a practical scenario.

Patch Deployed Already

Upon discovering the vulnerability, the researchers informed the relevant telecom service providers about the problem via the GSMA Coordinated Vulnerability Disclosure Programme. The disclosure took place back in December 2019, after which, corresponding vendors have deployed patches.

Nonetheless, they have also shared an app “Mobile Sentinel” publicly on GitHub. It’s for all who wish to check the vulnerability of their network to ReVoLTE.

The researchers have described their findings in a white paper that they also presented at the 29th USENIX Security Symposium. Whereas, they have also set up a dedicated website detailing ReVoLTE.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients