© RUB, Marquard
Author profile picture

Phonecalls over the 4G network are still susceptible to eavesdropping even though they are encrypted. Researchers from the Horst Görtz Institute for IT Security (HGI) at the Ruhr University of Bochum, Germany, have succeeded in decrypting the content of each phone call when they were on the same radio cell as the victim. They made use of an error in the base stations. The manufacturers have now closed the security leak.

The results were published by the HGI team led by David Rupprecht at the 29th Usenix Security Symposium, which is being held online until tomorrow.

Reused keys identified as vulnerabilities

The problem occurs when using Voice over LTE. This is the global telephone standard for almost all mobile phone calls. When two people call each other, a key is generated that encrypts the phone call.

“The problem was that the same key was also reused for other phone calls,” David Rupprecht explains. Therefore, if an attacker would call one of the two people shortly after their call and in the meantime record the encrypted traffic from the same radio cell, they would get hold of the same key that was used to secure the previous call.

“The attacker has to engage the victim in a conversation,” David Rupprecht goes on to explain. “The longer the attacker talked to the victim, the more content of the previous conversation he or she was able to decrypt.” To illustrate, if an attacker and the victim spoke for five minutes, the attacker could later decode five minutes of the previous call.

Searching via an app for affected base stations

In order to determine the extent of the security issue, the IT experts randomly tested base stations throughout Germany. The problem occurred in 80% of the radio cells tested. In the meantime, the manufacturers and mobile phone providers have updated the base station software in order to resolve the problem.

David Rupprecht: “We subsequently tested several random radio cells all over Germany and haven’t detected any more problems since then,” he notes. Nevertheless, it has not been ruled out that there are still radio cells somewhere in the world where this issue occurs.

The group from Bochum has developed an app for Android devices in order to track them down. Technically skilled people can use it to help search for radio cells around the world that still have the security bug and report it to the HGI team. The researchers forward the information to the global association of all mobile phone providers – GSMA – which is responsible for ensuring that the base stations are updated. The researchers provide further information about the app on the www.revolte-attack.net website.

“Voice over LTE has been in use for six years,” David Rupprecht states. “We’re unable to verify whether attackers have exploited the security gap in the past.” In any event, he is advocating that the new standard for mobile phones should be adapted so that the same problem will no longer recur with the setting up of 5G base stations.

Publication: revolte-attack.net/media/revolte_camera_ready.pdf

Use this link to read other IO articles about 5G networks.