A new attack, called ReVoLTE, makes it possible to decrypt calls made over 4G. The only thing an attacker needs to carry out the attack is to be connected to the same antenna as the user they want to spy on. The vulnerability is present in the VoLTE protocol, used to make 4G calls with higher sound quality, lower latency, and almost zero call setup time.
ReVoLTE: this is how a call over 4G can be spied on
The vulnerability is that mobile operators typically use the same encryption key to protect different calls made through the same base station. Calls through VoLTE are encrypted by default, and the operators are the ones who choose the encryption keys for each call, which should be unique. The problem is that not all operators follow this to the letter: some reuse the encryption key for different calls, or even use predictable algorithms to generate the keys.
Thanks to this, an attacker can record someone else's conversation and then decipher it at home. To do this, the attacker also needs to make a call to the victim of a duration similar to the call they want to spy on. Later, the attacker can compare both conversations, determine the encryption key, and decrypt both calls. The following video shows how it works.
The team of researchers analyzed many antennas at random in Germany, and found that 80% used the same encryption key or a predictable one on each antenna. The flaw was reported in December 2019, and the GSMA released updates to the 4G protocol implementation to prevent these flaws from occurring. Months later, the researchers ran their tests again, and found that the vulnerability had been patched. They have not said whether the flaw also affects 5G in addition to 4G.
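Why reusing a key across two calls breaks the encryption, and why a fresh key per call stops it, shown as an added example that is not from the researchers or the original article. It uses a toy XOR stream cipher (SHA-256 in counter mode) as a stand-in for the real VoLTE cipher; all function names and the sample call payloads are constructed for illustration.

```python
import hashlib
import secrets

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator (assumption: a stand-in, not the LTE cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_call(key: bytes, audio: bytes) -> bytes:
    """Stream encryption: ciphertext = audio XOR keystream(key)."""
    return xor(audio, keystream(key, len(audio)))

def recover_with_known_call(target_ct: bytes, known_ct: bytes, known_pt: bytes) -> bytes:
    """known_ct XOR known_pt yields the keystream of the second call.
    If the first call used the same keystream, XORing it onto target_ct
    reveals the first call, but only for as many bytes as the known call
    covers, which is why the second call must be of similar duration."""
    n = min(len(target_ct), len(known_ct))
    return xor(target_ct[:n], xor(known_ct[:n], known_pt[:n]))

def simulate(reuse_key: bool):
    """Encrypt two calls on one base station, with or without key reuse."""
    first_key = secrets.token_bytes(16)
    second_key = first_key if reuse_key else secrets.token_bytes(16)
    # Constructed sample payloads standing in for voice data.
    target_audio = b"constructed sample: first call payload, confidential"
    known_audio = b"constructed sample: second call, content known to the caller"
    target_ct = encrypt_call(first_key, target_audio)
    known_ct = encrypt_call(second_key, known_audio)
    recovered = recover_with_known_call(target_ct, known_ct, known_audio)
    return recovered == target_audio[:len(recovered)], recovered

if __name__ == "__main__":
    print("key reused  ->", simulate(True))
    print("fresh key   ->", simulate(False))
```

With a fresh key per call the recovered bytes are unrelated noise, which is the property the per-call unique key is supposed to guarantee.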
There is an app to check if an operator is affected
Although the German operators appear to be protected, operators in the rest of the world may still be vulnerable. Therefore, so that operators can check whether they are affected by the attack, the researchers have released an app for Android to test their 4G networks. The app can be downloaded from this link on GitHub.
This is not the first time that this team of researchers has discovered an attack of this caliber: at the beginning of the year they published the discovery of IMP4GT, which also affected 4G and allowed an attacker to impersonate other users and subscribe to paid services at the expense of those other users. Thus, today's vulnerability adds to a long list of flaws that have affected the 4G protocol, which is far from invulnerable.