Call Me Maybe: Eavesdropping encrypted LTE calls with ReVoLTE (2020)

Summary

Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper Ruhr-Universität Bochum & New York University Abu Dhabi Introduction Voice over LTE (VoLTE) is a packet-based telephony service seamlessly integrated into the Long Term Evolution (LTE) standard. By now all major telecommunication operators use VoLTE. To secure the phone calls, VoLTE encrypts the voice data between the phone and the network with a stream cipher. The stream cipher shall generate a unique keystream for each call to prevent the problem of keystream reuse. We introduce ReVoLTE, an attack that exploits an LTE implementation flaw to recover the contents of an encrypted VoLTE call. This enables an adversary to eavesdrop on VoLTE phone calls. ReVoLTE makes use of a predictable keystream reuse. Eventually, the keystream reuse allows an adversary to decrypt a recorded call with minimal resources. We provide an overview of the ReVoLTE attack, the implications, and demonstrate the feasibility of the ReVoLTE attack in a commercial network. Further, we publish an App that allows tech savvy people to track networks down that are still vulnerable. Our work will appear at the 29th USENIX Security Symposium (2020) and all details are available in a pre-print version of the paper. ReVoLTE Attack What does ReVoLTE exploit? The ReVoLTE attacks exploit the reuse of the same keystream for two subsequent calls within one radio connection. This weakness is caused by an implementation flaw of the base station (eNodeB). In order to determine how widespread the security gap was, we tested a number of randomly selected radio cells mainly across Germany but also other countries. The security gap affected 12 out of 15 base stations. How does the ReVoLTE attack work? The ReVoLTE attack aims to eavesdrop the call between Alice and Bob. We will name this call the target or first call. To perform the attack, the attacker sniffs the encrypted radio traffic...