I can hear you via VoLTE protocol

August 25, 2020
VoLTE protocol 4g 5g security vulnerability voice calls exploit

Recently concluded experiment by a group of cybersecurity experts exposed the vulnerability of Voice over Long-Term Evolution or VoLTE protocol. This is the same group that unravels security issues with 4G and 5G networks reported in February this year.

Based on their submitted demo evidence, an attacker can easily listen and decrypt previous phone calls made by the victim. This was done through the vulnerability that the group found out in VoLTE technology installed on many base stations by different telecom providers. Since VoLTE promised fast, transparent, and secured communication, the group was able to detect the hole about the keystream security in which the protocols enforced. Though to perform the hack is exceptionally costly, the demo ensures a 100% result as long as all the given requirements are met.

The requirements are limited that (1) the victim and the attacker should be registered on the same vulnerable base station, (2) that the attacker had installed and connected the monitoring app onto the said base station, (3) and that the attacker should establish a call to the victim within 10 seconds after the victim’s call has ended with the same amount of time that the victim stayed on the recent call.

Meeting the requirements is very essential to the whole operation. Being on the same base station with the monitoring application on standby, attackers will know if the victim is on talk mode. They can check the length of time the victim stayed on the phone, which is a vital component of the next phase of the attack. As the VoLTE technology uses keystream ID to secure established communication, the attacker can exploit this before it is automatically changed by the system. Hence, the attacker must establish a connected call to the victim within 10 seconds after the victim hanged upon its original call. This is to ensure that the same keystream is being assigned onto the call that attacker established with the victim. The next phase is to ensure that the time the attacker is on the phone with the victim is the same for a 100% decryption result. Since VoLTE technology transfers data through packets, it is ideal that the same number of packets are filled in for the decryption, else only parts of the victim’s conversation can be retrieved.

The discovered vulnerability has been tested to local base stations and confirmed its accuracy. Later, the recommendation and paperwork have been forwarded to the telecom provider, in which affected providers were able to release a patch update to address the reported loophole. Fortunately, the patch has been completed before the publication of this discovery, otherwise, this can cause a ruckus on its subscribers. In addition to their research, the concerned group able to devise an app that can be installed on an Android system to test base stations around the world that may be susceptible to such attacks. With it, telecom providers can immediately patch up this hole and avoid such intrusion.

About the author

Leave a Reply