ReVoLTE – an attack exploiting the reuse of the same keystream by vulnerable base stations
A group of academics from Ruhr University Bochum and New York University Abu Dhabi have presented a new attack called ReVoLTE that lets an attacker within radio range of the victim's base station break the encryption used by VoLTE voice calls and listen in on targeted phone calls.
The crux of the problem is that vulnerable base stations (eNodeBs) reuse the same keystream for two consecutive calls on the same radio connection when encrypting the voice data between the phone and the tower. LTE user-plane encryption is a stream cipher: the keystream is derived from the encryption key together with the packet counter (COUNT), the radio bearer identity and the direction, and the plaintext is XOR-ed with it. If the base station gives the second call the same bearer identity while the key is unchanged and the counter restarts from zero, the same keystream is generated again. ReVoLTE exploits exactly this reuse, allowing an attacker to decrypt the contents of a VoLTE call.
How does it work?
In the first phase of the attack, the attacker must be connected to the same base station as the victim and run a downlink sniffer that records the encrypted radio traffic of a ‘target call’ the victim makes to someone else. This recording is what the attacker will decrypt later.
Shortly after the victim hangs up the target call, typically within about 10 seconds, the attacker calls the victim. On a vulnerable network this ‘keystream call’ is set up on the same radio connection as the target call, with the same user-plane encryption key and the same bearer identity, so the base station produces the same keystream it already used for the target call.
Once connected, as part of the second phase, the attacker needs to keep the victim in a conversation long enough and record both the sniffed ciphertext of that call and its plaintext, which the attacker knows because they are a party to the call. XOR-ing the known plaintext with the recorded ciphertext yields the keystream the base station used for the keystream call, frame by frame.
According to the researchers, XOR-ing the recovered keystream with the corresponding encrypted frames of the target call captured in the first phase reveals their content, letting the attacker hear the conversation the victim had in the previous call. Because both calls are encrypted with the same keystream, every RTP frame of the keystream call is encrypted exactly like the frame with the same counter value in the target call. One caveat: the keystream call must last at least as long as the target call to decrypt every frame; a shorter keystream call recovers only the corresponding beginning of the target conversation.
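The following script is an added example, not code from the ReVoLTE paper or its authors. It models the two-phase attack above end to end: an eNodeB-style counter-mode keystream derived from (key, COUNT, BEARER, DIRECTION), a target call sniffed in phase one, a shorter keystream call with known plaintext in phase two, keystream recovery by XOR, and decryption of the target call. It also shows the length caveat and what happens when the base station assigns a fresh bearer identity or key instead. Real EEA2 is AES-128 in counter mode; to run without third-party libraries the example substitutes a SHA-256-based counter-mode generator with the same input structure, which is the property that matters here. All function names, the key and both call transcripts are constructed for the example.

```python
import hashlib
from typing import List

FRAME_SIZE = 32  # bytes per simulated RTP payload; real AMR frames are small and regular

# Constructed demo key standing in for the LTE user-plane key K_UP_enc.
K_UP_ENC = hashlib.sha256(b"constructed demo key, not a real K_UP_enc").digest()[:16]

# Constructed transcripts. The target call is longer than the keystream call on purpose.
TARGET_TRANSCRIPT = ("Meet me at the north entrance at nine. Bring the signed contract "
                     "and the second phone. Tell nobody, and delete this voicemail.")
KEYSTREAM_TRANSCRIPT = ("Hi, this is the courier. I have a parcel for you, "
                        "can you confirm the address?")

DOWNLINK = 1  # 3GPP DIRECTION bit: 0 = uplink, 1 = downlink (tower -> victim)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def eea_keystream(key: bytes, count: int, bearer: int, direction: int, length: int) -> bytes:
    """Hypothetical stand-in for the LTE EEA keystream generator.

    Like EEA2 (AES-CTR) it is a counter-mode generator whose IV is built
    from COUNT, BEARER and DIRECTION; SHA-256 replaces AES so the example
    runs offline. Same (key, count, bearer, direction) => same keystream.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        iv = (count.to_bytes(4, "big")
              + bytes([(bearer << 3) | (direction << 2)])  # 5-bit BEARER, 1-bit DIRECTION
              + block.to_bytes(4, "big"))
        out += hashlib.sha256(key + iv).digest()
        block += 1
    return bytes(out[:length])


def to_frames(transcript: str, size: int = FRAME_SIZE) -> List[bytes]:
    """Chunk a transcript into fixed-size payloads, NUL-padding the last one."""
    data = transcript.encode()
    return [data[i:i + size].ljust(size, b"\0") for i in range(0, len(data), size)]


def encrypt_call(key: bytes, bearer: int, frames: List[bytes]) -> List[bytes]:
    """Encrypt a call's downlink frames the way a base station would.

    PDCP COUNT restarts at 0 for every new radio bearer. A vulnerable eNodeB
    also reuses the bearer identity and the key for the next call, so every
    (COUNT, BEARER, DIRECTION) triple, and hence every keystream, repeats.
    """
    return [xor(frame, eea_keystream(key, count, bearer, DOWNLINK, len(frame)))
            for count, frame in enumerate(frames)]


def recover_keystream(known_plaintext: List[bytes], ciphertext: List[bytes]) -> List[bytes]:
    """Phase 2: keystream = plaintext XOR ciphertext, per frame (same COUNT)."""
    return [xor(p, c) for p, c in zip(known_plaintext, ciphertext)]


def decrypt_target(target_ciphertext: List[bytes], keystream: List[bytes]) -> List[bytes]:
    """Phase 1 ciphertext XOR recovered keystream, matched by COUNT (position).

    zip() stops at the shorter list: frames beyond the length of the
    keystream call cannot be recovered.
    """
    return [xor(ct, ks) for ct, ks in zip(target_ciphertext, keystream)]


def run_revolte(same_bearer: bool, same_key: bool = True) -> str:
    """Simulate both phases and return what the attacker recovers of the target call."""
    target_frames = to_frames(TARGET_TRANSCRIPT)
    ks_frames = to_frames(KEYSTREAM_TRANSCRIPT)

    # Phase 1: the victim's call goes out on bearer 1; the attacker only sees ciphertext.
    target_ct = encrypt_call(K_UP_ENC, bearer=1, frames=target_frames)

    # Phase 2: attacker calls the victim within ~10 s. Vulnerable tower: same bearer, same key.
    bearer2 = 1 if same_bearer else 2
    key2 = K_UP_ENC if same_key else hashlib.sha256(b"constructed fresh key").digest()[:16]
    ks_ct = encrypt_call(key2, bearer=bearer2, frames=ks_frames)

    keystream = recover_keystream(ks_frames, ks_ct)   # attacker knows its own words
    recovered = decrypt_target(target_ct, keystream)
    return b"".join(recovered).rstrip(b"\0").decode(errors="replace")


if __name__ == "__main__":
    print("vulnerable eNodeB :", repr(run_revolte(same_bearer=True)))
    print("fresh bearer id   :", repr(run_revolte(same_bearer=False))[:60], "...")
    print("rekeyed           :", repr(run_revolte(same_bearer=True, same_key=False))[:60], "...")
```

In the vulnerable configuration the attacker recovers the first three frames (96 bytes) of the target call, which is all the keystream call was long enough to cover; the tail of the target call stays encrypted. With a fresh bearer identity or a fresh key for the second call, the same XOR produces only noise, which is why the countermeasure is to change at least one keystream input between calls rather than to patch the XOR step itself.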
The team used the downlink analyzer AirScope by Software Radio Systems to sniff the encrypted traffic and three Android-based phones to obtain the known plaintext at the attacker’s end. Comparing the two recorded calls gave them the keystream, with which they decrypted a portion of the earlier call. A demo video of the ReVoLTE attack is available; according to the researchers, the equipment needed to mount the attack and decrypt downlink traffic costs less than $7,000.
The researchers, David Rupprecht, Katharina Kohls and Thorsten Holz of Ruhr University Bochum and Christina Pöpper of NYU Abu Dhabi, have also released a dedicated website and a research paper, “Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE,” with full details of the attack.