VoLTE Encryption decrypted by ReVoLTE

VoLTE Encryption – New Attack Decrypts It to Spy on Phone Calls!

VoLTE encryption can be decrypted by a new attack called “ReVoLTE” to spy on phone calls. The discovery was made by a group of academic researchers from Ruhr University Bochum, who had previously made headlines for uncovering security issues in 4G and 5G networks.

How does ReVoLTE break VoLTE encryption?

The first thing to understand is the difference between a proactive and a passive approach to a cyber attack.

In a proactive approach, the attacker aggressively exploits every available flaw and loophole. A passive approach is different: the attack takes advantage of a weak implementation and leverages it so that the attacker gains access.

ReVoLTE takes this passive approach: it leverages a weak implementation of the VoLTE protocol that most telecommunication operators use in practice, which allows the attacker to eavesdrop on the encrypted communications of the targeted person. VoLTE is used as a standard communication protocol for mobile phones and smartphones, wearables, Internet of Things devices and so on.

The weakness in the VoLTE keystream

Before looking at the weakness in the VoLTE keystream, it is important to know what a keystream is. The term comes from cryptography.

In the VoLTE protocol the keystream is what encrypts the communication, so here is the cryptographic definition:

In cryptography, a keystream is a stream of pseudo-random bits that is combined with the plaintext (XORed with it, bit by bit) to make it unreadable, producing the ciphertext, or encrypted message.

The working of VoLTE Protocol & how the new attack takes advantage of it

In the VoLTE (Voice over LTE) protocol, most telecommunication operators use the same keystream for two subsequent phone calls within one radio connection to encrypt the data transmitted between the phone and the cell tower. The ReVoLTE attack exploits this keystream reuse to break the encryption of a phone call and eavesdrop on it.

But there is something you have a right to know.

Reuse of keystreams is not new: it was first discovered by Mohammad Taqi Raza and Songwu Lu in 2018, and you can read their research paper here – On key installation attack over 4G & 5G networks.

You might therefore wonder: if keystream reuse was discovered in 2018, on what basis do we consider ReVoLTE a new cyber attack?

Because, although Mohammad Taqi Raza and Songwu Lu showed that keystreams can be reused, this was not proven in practice. The ReVoLTE attack makes their discovery practical.

Practical use of the attack to break VoLTE encryption, explained

To carry out this attack in practice and decrypt the VoLTE encryption, the attacker must be connected to the same cell tower (base station) as the targeted victim. Once that is done, the attacker only has to use a sniffer tool to monitor and record the call made by the targeted user.

This is the first phase of the ReVoLTE attack.

In the second phase, once the victim hangs up the call he or she made, the attacker has to call the victim within a window of 10 seconds. This forces a vulnerable network to set up a completely new phone call between the attacker and the victim on the same radio connection the victim used for the previous call.

Once connected, the attacker only needs to keep the victim in a conversation and record it; because the attacker knows what was said, this gives the plaintext of the second call, which allows the attacker to reverse-engineer the keystream used for the victim's previously recorded call.

The researchers who carried out this work explain that XOR-ing this keystream with the corresponding encrypted frames of the victim's call captured in the first phase decrypts its content.

However, to decrypt the content of the call from the first phase, the attacker has to initiate the second-phase conversation and keep the call going longer than the call the victim made in the first phase.

This is because the attacker needs to generate at least as much keystream data as the victim's call to someone else in phase one consumed. If not enough data is generated, only part of the conversation will be decrypted after reverse-engineering the keystream of the victim's first call.

For every call over a radio connection a brand-new keystream is generated; however, the generated keystream stays on the connection for a while after the call ends before it is destroyed. If the attacker manages to call the victim within that attack window, he or she can record the call in plaintext and generate a similar amount of keystream data.

Once enough data has been generated, the attacker hangs up and can use the recovered keystream to decrypt the previously recorded call. In other words, because both calls were encrypted with the same keystream data, the attacker can decrypt the call.
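The keystream definition above and the two-phase recovery just described come down to one property of any stream cipher: if the same keystream encrypts two messages, knowing one plaintext exposes the other. The following is an added illustration, not the researchers' or any operator's code. It models a toy network with a constructed SHA-256 counter-mode keystream standing in for the real LTE cipher (not the actual algorithm), encrypts two consecutive calls on one radio connection, and shows that the first call is recovered exactly as far as the second call is long, and not at all once the network derives a fresh keystream per call. All names, keys and "voice frames" are constructed for the example.

```python
"""Added illustration of keystream reuse in VoLTE (not the ReVoLTE paper's code)."""
import hashlib


def keystream(key: bytes, bearer_id: int, call_index: int, length: int) -> bytes:
    """Constructed stand-in for the LTE stream cipher: SHA-256 run in counter mode
    over (key, bearer id, per-call index, block number). Not the real cipher."""
    out = bytearray()
    block = 0
    while len(out) < length:
        label = (key + bytes([bearer_id]) + call_index.to_bytes(4, "big")
                 + block.to_bytes(4, "big"))
        out += hashlib.sha256(label).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class ToyNetwork:
    """Encrypts calls carried over one radio connection.

    reuse_keystream=True models the weakness described on the page: every call on
    the connection is encrypted with call index 0, so consecutive calls share a
    keystream. reuse_keystream=False is the mitigation: a fresh index per call."""
    BEARER_ID = 1  # constructed radio bearer identifier

    def __init__(self, key: bytes, reuse_keystream: bool):
        self.key = key
        self.reuse_keystream = reuse_keystream
        self.calls_made = 0

    def encrypt_call(self, voice_frames: bytes) -> bytes:
        call_index = 0 if self.reuse_keystream else self.calls_made
        self.calls_made += 1
        ks = keystream(self.key, self.BEARER_ID, call_index, len(voice_frames))
        return xor_bytes(voice_frames, ks)


def recover_first_call(first_ciphertext: bytes, second_ciphertext: bytes,
                       second_plaintext: bytes) -> bytes:
    """Phase two as the page describes it: the plaintext of the second call is
    known, so ciphertext XOR plaintext yields the keystream, which is XORed into
    the first call's ciphertext. Only as many bytes as the second call is long can
    be recovered, which is why the second call has to be at least as long."""
    ks = xor_bytes(second_ciphertext, second_plaintext)
    return xor_bytes(first_ciphertext, ks)


# Constructed sample "voice frames": plain byte strings stand in for codec output.
VICTIM_CALL = b"Victim: the wire transfer goes out Friday at noon, account ends 4471."
SHORT_SECOND_CALL = b"Attacker: hello, is this the right number?"
LONG_SECOND_CALL = (b"Attacker: hello, is this the right number? "
                    b"Sorry, I think I misdialled. Have a good day.")


def run_scenario(reuse_keystream: bool, second_plaintext: bytes) -> bytes:
    """Encrypt the victim's call, then a second call, and return what the keystream
    recovered from the second call reveals about the first."""
    network = ToyNetwork(key=b"\x42" * 16, reuse_keystream=reuse_keystream)  # constructed key
    victim_ct = network.encrypt_call(VICTIM_CALL)         # call 1: only ciphertext observable
    second_ct = network.encrypt_call(second_plaintext)    # call 2: plaintext known to the caller
    return recover_first_call(victim_ct, second_ct, second_plaintext)


if __name__ == "__main__":
    print(run_scenario(True, SHORT_SECOND_CALL))   # vulnerable network: only a prefix recovered
    print(run_scenario(True, LONG_SECOND_CALL))    # vulnerable network: whole first call recovered
    print(run_scenario(False, LONG_SECOND_CALL))   # fresh keystream per call: unreadable bytes
```

The mitigation is the one-line difference in `encrypt_call`: the keystream derivation must take a value that changes between calls on the same connection, so that no two calls ever share keystream bytes. That is the property a patched network has to guarantee, and a simple check an operator can apply to a fix is exactly the third scenario above: encrypt two calls back to back and confirm that the known plaintext of the second reveals nothing about the first.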

You can watch the video demonstration.


Final take

According to the researchers, the attack is economically feasible: setting it up costs an attacker less than $7000.

The researchers randomly selected telecommunication operators to test and found that 12 out of 15 cell towers in Germany were vulnerable to the attack, though how widespread the weakness is varies between countries. They informed the respective operators about the ReVoLTE attack in December 2019; the operators acknowledged it and have released a patch.

Source – Revolte-attack.net