LTE calls could be tapped worldwide

Image: © Amir Kaljikovic -
Image: © Amir Kaljikovic –

Four researchers from the Ruhr University Bochum found that LTE calls could be tapped worldwide. Now the security of 5G telephony has also been optimized through her research work.

As the “Spiegel” reported, four IT researchers have discovered a security gap in the mobile network. Katharina Kohls, David Rupprecht and Thorsten Holz from the Ruhr University Bochum and Christina Pöpper from the New York University Abu Dhabi showed how encrypted calls could be recorded and decrypted in the modern cellular network – and that for years.

Calls in the LTE network are affected. For some years now, these calls have been partially processed using the Voice-over-LTE (VoLTE) standard, which should actually encrypt calls.

The scientists managed to break the encryption without the victims having noticed anything. The researchers presented these results as a paper on Wednesday at the “Usenix Security” conference entitled “ReVoLTE”.

In the meantime, the weak point has been resolved, as the industry association GSMA announced. At the end of 2019, the Bochum researchers had already reported to the association about a process that was supposed to solve this problem. But the security gap was also examined in “real life” in several places in Germany and not just in the laboratory. This loophole could be exploited in just three steps.

Three step hack

The first step was to be in the same cell as the victim. LTE radio cells in cities would only be a few hundred meters, but in rural areas it could be a few kilometers.

Then, in the second step, the researchers were able to record a call with the help of a special technique, a very expensive so-called “passive downlink sniffer”. All they needed was the victim’s phone number. But then you would first have an encrypted “data salad”.

In the third step, the researchers then called the victim. During this phone call, the scientists were then able to read out the keys they needed to decode the previously recorded call. The longer the phone call, the better.

According to David Rupprecht, the problem is that the same key is used for multiple calls. So if the second call lasted five minutes, you could decipher five minutes from the first call.

Global vulnerabilities

Because the security gap existed in the basic infrastructure, several LTE networks worldwide could be affected. David Rupprecht told “Spiegel”: “For example, we also received data from South Korea that showed that radio cells there were also susceptible.”

How many people use VoLTE for calls is unclear. The mobile phone companies Vodafone, Telefónica and Deutsche Telekom had confirmed the gaps in the “Spiegel”. These are now completely closed. The four researchers then confirmed that attacks on optimized base stations no longer worked. Thanks to the researchers, security standards for 5G telephony have also been changed in such a way that errors in base stations for 5G can no longer occur.

More information about their work can be found on the researchers’ website.

Image source:

  • Hacker: © Amir Kaljikovic –

Leave a Reply

Your email address will not be published. Required fields are marked *