A team of academics has this week detailed a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls. Today they present a new attack called REVOLTE that could let remote attackers break the encryption used by voice calls and spy on targeted phone calls.
Researchers from Ruhr University Bochum, Germany, and New York University Abu Dhabi, UAE, found that most of the firms had a faulty implementation of this protocol. We introduce REVOLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. Eventually, the key stream reuse allows an adversary to decrypt a recorded call with minimal resources.
Today the latest version of the mobile telephony standards is 4G, also commonly referred to as Long Term Evolution (LTE).
Voice over LTE (VoLTE) is one of the many protocols that make up the larger LTE/4G mobile standard. As the name suggests, VoLTE handles voice communication on 4G networks.
By default, the VoLTE standard supports encrypted calls. For each call, mobile operators must select an encryption key to secure the call. Normally, the key stream produced by the stream cipher should be unique for each call.
The REVOLTE attack exploits the reuse of the same key stream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station. In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations.
The REVOLTE attack aims to eavesdrop on the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic of Alice within the cell of a vulnerable base station. The attacker then calls Alice and engages her in a conversation. We name this the second call, or key stream call. For the second call, the attacker sniffs the encrypted radio traffic of Alice and records the unencrypted sound. To decrypt the target call, the attacker must now compute the following:
First, the attacker XORs the known plaintext with the cipher text of the key stream call. Thus, the attacker computes the key stream of the key stream call. Due to the vulnerable base station, this key stream is the same as for the target call. In a second step, the attacker decrypts the first call by XORing the key stream with the first call's cipher text. It is important to note that the attacker has to engage the victim in a longer conversation. The longer he/she talks to the victim, the more content of the previous communication he/she can decrypt. For example, if the attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.
But the researchers say that while German mobile operators appear to have fixed the issue, other telcos across the world are most likely vulnerable. That is why the research team released today an Android app that mobile operators can use to test their 4G networks and base stations and see if they are vulnerable to REVOLTE attacks. Details about the REVOLTE attack are available on a dedicated website the research team published today after presenting their work at the 29th USENIX Security conference. A video of the REVOLTE presentation the research team gave at USENIX is available on this page.
The research team behind the REVOLTE attack is the same team who earlier this year discovered an attack on the 4G protocol, a vulnerability that allowed 4G users to impersonate other subscribers and sign up for paid services at another user's expense.
Upon discovering the vulnerability, the researchers informed the relevant telecom service providers about the problem via the GSMA coordinated vulnerability disclosure programme. The disclosure took place back in December 2019, after which the corresponding vendors deployed patches. The researchers have described their findings in a white paper that they also presented at the 29th USENIX Security Symposium. They have also set up a dedicated website detailing REVOLTE.
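The two XOR steps above, and why a fresh key stream per call closes the gap, can be reproduced offline with the added example below (not code from the researchers). The SHA-256 key stream generator, the `call_input` parameter and all sample strings are assumptions constructed for illustration; they stand in for the real LTE cipher and its inputs.

```python
import hashlib

# Constructed sample data: stand-ins for the audio of the two calls.
TARGET = b"Alice to Bob: the contract is signed, we announce it on Friday."
SECOND = b"Hello Alice, a short survey."

def keystream(key: bytes, call_input: bytes, n: int) -> bytes:
    # Toy generator (assumption): SHA-256 in counter mode stands in for
    # the LTE stream cipher. Same key and call_input give the same output.
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + call_input + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, so the result is min(len(a), len(b)) long.
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_call(audio: bytes, key: bytes, call_input: bytes) -> bytes:
    return xor(audio, keystream(key, call_input, len(audio)))

def recover_target(target_ct: bytes, second_ct: bytes, known_audio: bytes) -> bytes:
    # Step 1: known plaintext XOR cipher text of the key stream call = key stream.
    ks = xor(second_ct, known_audio)
    # Step 2: key stream XOR cipher text of the target call = candidate plaintext.
    return xor(target_ct, ks)

def demo(reuse: bool) -> bytes:
    key = b"constructed-session-key"
    target_ct = encrypt_call(TARGET, key, b"call-1")
    # A vulnerable base station feeds the cipher the same input for the second
    # call; a fixed one uses a fresh input, which yields a fresh key stream.
    second_ct = encrypt_call(SECOND, key, b"call-1" if reuse else b"call-2")
    return recover_target(target_ct, second_ct, SECOND)

if __name__ == "__main__":
    print("key stream reused:", demo(reuse=True))
    print("key stream fresh: ", demo(reuse=False))
```

With reuse, only the first `len(SECOND)` bytes of the target call come back, which mirrors the five-minute example above; with a fresh key stream the same computation yields noise.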