
ReVoLTE Exploit: Hackers can eavesdrop on mobile calls with $7,000 worth of equipment

Pickles von Brine
Quote

The emergence of mobile voice calls over the standard known as Long Term Evolution has been a boon for millions of cell phone users around the world. VoLTE, short for Voice over LTE, provides up to three times the capacity of the earlier 3G standard, resulting in high-definition sound quality that’s a huge improvement over earlier generations. VoLTE also uses the same IP standard used to send data over the Internet, so it has the ability to work with a wider range of devices. VoLTE does all of this while also providing a layer of security not available in predecessor cellular technologies.

The attack consists of two main phases: the recording phase in which the adversary records the target call of the victim, and the call phase with a subsequent call with the victim. For the first phase, the adversary must be capable of sniffing radio-layer transmissions in downlink direction, which is possible with affordable hardware for less than $1,400 [1]. Furthermore, the adversary can decode recorded traffic up to the encryption data (PDCP) when she has learned the radio configuration of the targeted eNodeB. However, our attacker model does not require the possession of any valid key material of the victim. The second phase requires a Commercial Off-The-Shelf (COTS) phone and knowledge of the victim's phone number along with his/her current position (i.e., radio cell).


The implementation error ReVoLTE exploits is the tendency for base stations to use some of the same cryptographic material to encrypt two or more calls when they’re made in close succession. The attack seizes on this error by capturing the encrypted radio traffic of a target’s call, which the researchers call the target or first call. When the first call ends, the attacker quickly initiates what the researchers call a keystream call with the target and simultaneously sniffs the encrypted traffic and records the unencrypted sound, commonly known as plaintext.

ReVoLTE has its limitations. Matt Green, a Johns Hopkins University professor who specializes in cryptography, explained that real-world constraints—including the specific codecs in use, vagaries in the way encoded audio is transcoded, and compression of packet headers—can make it difficult to obtain the full digital plaintext of a call. Without the plaintext, the decryption attack won't work. He also said that keystream calls must be made within about 10 seconds of the target call ending.

The researchers provide several suggestions that cellular providers can follow to fix the problem. Obviously, that means not reusing the same keystream, but it turns out that's not as straightforward as it might seem. A short-term countermeasure is to increase the number of what are known as radio bearer identities, but because there's a finite number of these, carriers should also use inter-cell handovers. Normally, these handovers allow a phone to remain connected as it transfers from one cell to another. A built-in key reuse avoidance makes the procedure useful for security as well.


Um... Yeah, this is a problem. The fact someone can snoop a cell network with off-the-shelf equipment is bad. It puts vital infrastructure at risk. If cell providers can put mitigation in place, that would be a good thing. For now, this is just a scary thing to think about.

Hackers can eavesdrop on mobile calls with $7,000 worth of equipment
Source


Be sure to @Pickles von Brine if you want me to see your reply!

Stopping by to praise the all mighty jar Lord pickles... * drinks from a chalice of holy pickle juice and tossed dill over shoulder* ~ @WarDance
3600x | NH-D15 Chromax Black | 32GB 3200MHz | ASUS KO RTX 3070 UnderVolted and UnderClocked | Gigabyte Aorus Elite AX X570S | Seasonic X760w | Phanteks Evolv X | 500GB WD_Black SN750 x2 | Sandisk Skyhawk 3.84TB SSD 

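The quoted article describes the core of ReVoLTE as keystream reuse: the eNodeB encrypts two successive calls on the same radio bearer with the same key and a restarted counter, so the keystream repeats, and the plaintext of one call (the attacker's own "keystream call") lets the other call's ciphertext be unmasked. The Python below is an added example, not code from the paper, the article or any carrier; it models the LTE ciphering inputs named in 3GPP TS 33.401 (KEY, COUNT, BEARER, DIRECTION, LENGTH) but uses SHAKE256 as a stand-in keystream generator rather than a real EEA algorithm, and the key bytes and "audio frames" are constructed sample values. It shows the two-time-pad failure on a flawed base station and then shows why the countermeasures in the article work: deriving a fresh key (as an inter-cell handover does) or using a different radio bearer identity changes the keystream, so the known-plaintext step recovers nothing.

```python
import hashlib

# Constructed sample values: not real key material or call audio.
KEY_CALL_1 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEY_FRESH = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
TARGET_PLAINTEXT = b"target call audio frame 01 (constructed)"
KNOWN_PLAINTEXT = b"attacker's own call audio frame (known)"
DOWNLINK = 1


def keystream(key: bytes, bearer: int, direction: int, count: int, length: int) -> bytes:
    """Toy keystream generator taking the same inputs as the LTE PDCP ciphering
    algorithms (KEY, COUNT, BEARER, DIRECTION, LENGTH). SHAKE256 is an assumed
    stand-in for EEA1/2/3; the point is only that identical inputs give an
    identical keystream, while changing any one of them gives a new one."""
    h = hashlib.shake_256()
    h.update(key)
    h.update(bytes([bearer & 0x1F, direction & 1]))
    h.update(count.to_bytes(4, "big"))
    return h.digest(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, bearer: int, direction: int, count: int, plaintext: bytes) -> bytes:
    """Stream-cipher encryption of one frame: plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, bearer, direction, count, len(plaintext)))


def recover_target(ct_target: bytes, ct_known: bytes, pt_known: bytes) -> bytes:
    """The decryption step the article describes: a call whose plaintext is known
    yields its keystream (ct XOR pt). If the target frame was encrypted with the
    same keystream, XORing it out reveals the target plaintext over the bytes
    the two calls have in common (the article's caveat about codecs and
    transcoding is exactly about getting enough of this known plaintext)."""
    n = min(len(ct_target), len(ct_known), len(pt_known))
    ks = xor_bytes(ct_known[:n], pt_known[:n])
    return xor_bytes(ct_target[:n], ks)


def run_scenario(rekey: bool, new_bearer: bool) -> bool:
    """Simulate a target call followed by a keystream call on the same eNodeB.
    Returns True if the target frame is recovered, i.e. the base station's
    key/bearer handling leaked the keystream across the two calls."""
    bearer_1 = 1
    # Target call: the bearer's packet counter starts at 0.
    ct_target = encrypt_frame(KEY_CALL_1, bearer_1, DOWNLINK, 0, TARGET_PLAINTEXT)
    # Subsequent call: a flawed eNodeB keeps the key and bearer id and restarts
    # the counter; the fixes either derive a fresh key or pick a new bearer id.
    key_2 = KEY_FRESH if rekey else KEY_CALL_1
    bearer_2 = bearer_1 + 1 if new_bearer else bearer_1
    ct_known = encrypt_frame(key_2, bearer_2, DOWNLINK, 0, KNOWN_PLAINTEXT)
    recovered = recover_target(ct_target, ct_known, KNOWN_PLAINTEXT)
    return recovered == TARGET_PLAINTEXT[: len(recovered)]


if __name__ == "__main__":
    print("same key, same bearer (flawed eNodeB):", run_scenario(False, False))
    print("fresh key (rekey, e.g. via handover):", run_scenario(True, False))
    print("same key, new radio bearer identity: ", run_scenario(False, True))
```

Running the block prints True for the flawed configuration and False for both countermeasures. The bearer identity is a 5-bit field in the real algorithms, which is the "finite number" the article refers to and why the paper treats a larger bearer-id space only as a short-term fix and recommends rekeying through handovers as well.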

It's obviously not good but there are far easier ways to accomplish the same outcome, like 3G/2G downgrade attacks a la police Stingray devices and the like.


The biggest limitation, particularly if you're in an urban area, is actually determining the specific target's call from others in order to record it due to how heavily saturated radio layers are; moreover, the recording phase itself is non-trivial despite the relatively low cost of devices capable of doing it.


A lab demonstration of techniques like this and being able to accomplish it in the wild are very different things.

[ P R O J E C T _ M E L L I F E R A ]

[ 5900X @4.7GHz PBO2 | X570S Aorus Pro | 32GB GSkill Trident Z 3600MHz CL16 | EK-Quantum Reflection ]
[ ASUS RTX4080 TUF OC @3000MHz | O11D-XL | HardwareLabs GTS and GTX 360mm | XSPC D5 SATA ]

[ TechN / Phanteks G40 Blocks | Corsair AX750 | ROG Swift PG279Q | Q-Acoustics 2010i | Sabaj A4 ]


P R O J E C T | S A N D W A S P

6900K | RTX2080 | 32GB DDR4-3000 | Custom Loop 


1 hour ago, HM-2 said:

It's obviously not good but there are far easier ways to accomplish the same outcome, like 3G/2G downgrade attacks a la police Stingray devices and the like.

Thankfully(?) most carriers are shutting down 2G and 3G service at the end of the year. Most Android phones should allow you to limit your connections to 4G/LTE only, although you may need to jump through a hoop or two.

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor



8 minutes ago, BlueScope819 said:

So then how do police stingray devices work? You are saying they can be detected if your phone drops to 3G? I think that would be pretty noticeable.

They're basically 4G jammers: they operate as local base stations, overpower real transmitters within a small local area, and basically pretend they can't carry 4G, which forces a device connected to it to downgrade to 3G or 2G.


Thankfully this is an exploit of the base stations, not the phones themselves, so a patch is likely to be made and deployed.

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


45 minutes ago, BlueScope819 said:

Ah I see, but then 3G and 2G are vulnerable to certain exploits then I suppose? 

3G and 2G use KASUMI and A5/1 respectively, which are both insecure cryptographic ciphers. KASUMI is an order of magnitude harder to cryptanalyse, but easily possible on a modern desktop computer via a related-key attack within a matter of an hour or so. A5/1 has been broken (in terms of cryptographic security) since about 2002.


1 hour ago, BlueScope819 said:

So then how do police stingray devices work? You are saying they can be detected if your phone drops to 3G? I think that would be pretty noticeable.

Stingrays only work on 2G (GSM), not 3G (UMTS) and 4G (LTE). They do so by overpowering the actual GSM tower and spoofing the same one. It's actually rather simple in theory. Also can be built from $1000 in parts. So the 2G GSM interception is a downgrade attack itself.


The LTE one described is more of a "copycat" scheme where the target is called and then immediately terminated first. So this is a big red flag if your phone calls get dropped in succession. This can be induced by, again, overpowering the radio so it does drop the target's call and then re-establishes it with the same key.


Sounds like something a secret agent in a van could afford.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


I’d prefer my phone calls sounding crystal clear like a landline call thanks to VoLTE instead of sounding choppy back when 3G networks (especially GSM) would allocate tiny bandwidth for voice because most is used for data.

I wouldn’t be so worried about this since it’s not a vulnerability in phones. 

There is more that meets the eye
I see the soul that is inside

