ReVoLTE: decrypting LTE calls to eavesdrop on conversations
A team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter: they support encrypted voice calls, but many calls are encrypted with the same encryption key.
The research, published by a team composed of David Rupprecht, Thorsten Holz, Katharina Kohls and Christina Pöpper (the same researchers behind the IMP4GT research), shows how an attacker can record a conversation between two 4G users served by a vulnerable mobile tower, then decrypt it at a later point.
To carry out this technique, named ReVoLTE, all an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call through the same vulnerable base station, so that its own call is encrypted with the same (predictable) encryption key.
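The key reuse described above, as an added toy model (not the researchers' code or their test app): a simulated base station that either keeps the previous call's key or issues a fresh one, with SHAKE-128 in counter mode standing in for the real LTE stream cipher (an assumption made to keep the example dependency-free).

```python
"""Toy model of the keystream reuse behind ReVoLTE.

Added example, not code from the ReVoLTE authors or their test app. LTE
encrypts voice packets with a stream cipher whose keystream is derived
from the bearer key plus a per-packet counter; the real ciphers are
replaced here by SHAKE-128 in counter mode, an assumption made only to
keep the example dependency-free.
"""
import hashlib
import os

# Constructed sample "audio" for two calls, padded to the same length.
VICTIM_AUDIO = b"victim call: meeting moved to 10am".ljust(40, b" ")
ATTACKER_AUDIO = b"attacker call: known test tone".ljust(40, b" ")


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Stand-in for the LTE stream cipher: keystream = f(key, counter)."""
    return hashlib.shake_128(key + count.to_bytes(4, "big")).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyBaseStation:
    """reuse_key=True mimics the misconfigured stations the research
    describes: the previous call's key is kept and the counter restarts."""

    def __init__(self, reuse_key: bool) -> None:
        self.reuse_key = reuse_key
        self.key = os.urandom(16)

    def encrypt_call(self, audio: bytes) -> bytes:
        if not self.reuse_key:
            self.key = os.urandom(16)  # fixed behaviour: fresh key per call
        return xor(audio, keystream(self.key, 0, len(audio)))


def recover_victim_audio(reuse_key: bool) -> bytes:
    """Record the victim's ciphertext, then place a call with known audio.
    Known plaintext XOR its ciphertext yields that call's keystream; applied
    to the recording it decrypts the victim only if the keystream repeated."""
    station = ToyBaseStation(reuse_key)
    victim_ct = station.encrypt_call(VICTIM_AUDIO)
    attacker_ct = station.encrypt_call(ATTACKER_AUDIO)
    recovered_ks = xor(ATTACKER_AUDIO, attacker_ct)
    return xor(victim_ct, recovered_ks)
```

Comparing the two runs shows why a fresh key per radio bearer is the fix: with re-keying the recovered keystream belongs to the attacker's call only and reveals nothing about the recording.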
Researchers say that while German mobile operators appear to have fixed the issue, other telcos across the world are most likely vulnerable, so they released an Android app that mobile operators can use to test their 4G networks and base stations and see if they are vulnerable to ReVoLTE attacks. The app has been published on GitHub [1].
More technical details about the attack are available on a dedicated website [2].
Researchers also published a video of the ReVoLTE presentation.
Finally, a technical paper detailing the ReVoLTE attack, titled "Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE", is available for download as PDF [3].