Researchers at Ruhr University Bochum and New York University Abu Dhabi recently revealed that a flaw in the implementation of 4G base stations made it relatively easy to decipher conversations over LTE (Voice over LTE).
In theory, the confidentiality of these communications is ensured by a stream cipher: the data is encrypted by XORing it with a series of keys (the keystream) generated on the fly. For this to be secure, the keystream must be different for each conversation. But an error in some 4G base station implementations caused the same keystream to be used several times. This opens the door to a decryption attack, which the researchers dubbed “ReVoLTE”.
The first step in this attack is to passively record, using an antenna, the encrypted conversation of a person in a 4G cell. As soon as the target hangs up, the attacker must call the target back from the same cell and start a conversation under a false pretext. It turns out that the vulnerable base station will then reuse exactly the same keystream for this second call.
An XOR that’s worth gold
Mathematically, this is very interesting. All the attacker has to do is compute an exclusive disjunction (the logical operation also known as “XOR” or “exclusive OR”) between the first conversation, which is encrypted, and the second, which he knows in the clear because he took part in it. Almost like magic, the result of this calculation is the keystream itself, with which the attacker can then decrypt the secret conversation.
Since the keystream is generated progressively during the conversation, however, the attacker must keep the target on the phone for as long as possible. To decrypt 5 minutes of the first conversation, the second conversation must also last at least 5 minutes. Certain psychological and rhetorical skills are therefore needed to keep the target talking. On the hardware side, the attack does not require a large investment: the researchers spent $7,000 to build their attack platform.
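To make the XOR step and the length limit concrete, here is an added example that is not part of the original article or of the researchers' tooling. It uses a toy keystream generator (SHA-256 in counter mode, standing in for the LTE cipher, whose per-call inputs are abstracted here as a single `call_id`), constructs two short "calls", and shows three things: that reusing the keystream lets the known call unmask the secret one, that only as many bytes are recovered as the known call covers, and that a fresh `call_id` per call defeats the calculation. It also includes a small defender-side guard that refuses to hand out the same (key, call_id) pair twice. All keys, identifiers and messages are constructed.

```python
import hashlib


def keystream(key: bytes, call_id: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode over (key, call_id).

    Stand-in for the LTE cipher (assumption, not the real algorithm). The
    same (key, call_id) always yields the same bytes, which is exactly the
    property a vulnerable base station exposed by reusing it across calls.
    """
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + call_id + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, call_id: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, call_id, len(plaintext)))


def recover_secret(ct_secret: bytes, ct_known: bytes, pt_known: bytes) -> bytes:
    """The XOR from the article.

    If both ciphertexts were produced with the same keystream:
        ct_known XOR pt_known  = keystream
        ct_secret XOR keystream = pt_secret
    Only as many bytes come back as the known call provides.
    """
    ks = xor_bytes(ct_known, pt_known)
    return xor_bytes(ct_secret, ks)


class KeystreamReuseGuard:
    """Defender-side check: never issue the same (key, call_id) pair twice."""

    def __init__(self) -> None:
        self._seen: set = set()

    def allocate(self, key: bytes, call_id: bytes) -> None:
        pair = (key, call_id)
        if pair in self._seen:
            raise ValueError("keystream reuse: (key, call_id) already used")
        self._seen.add(pair)


# Constructed sample data.
KEY = b"\x11" * 16
REUSED_ID = b"\x00" * 8            # vulnerable station: same id for both calls
FRESH_ID = b"\x00" * 7 + b"\x01"   # patched station: new id for the second call
SECRET = b"Meet me at the old bridge at nine tonight."   # first (recorded) call
KNOWN = b"Hello, do you have a minute?"                   # second (attacker's) call


def demo_reused() -> bytes:
    """Both calls under the same keystream: the secret leaks, up to len(KNOWN)."""
    ct_secret = encrypt(KEY, REUSED_ID, SECRET)
    ct_known = encrypt(KEY, REUSED_ID, KNOWN)
    return recover_secret(ct_secret, ct_known, KNOWN)


def demo_fresh() -> bytes:
    """Second call under a fresh keystream: the same XOR yields nothing useful."""
    ct_secret = encrypt(KEY, REUSED_ID, SECRET)
    ct_known = encrypt(KEY, FRESH_ID, KNOWN)
    return recover_secret(ct_secret, ct_known, KNOWN)


if __name__ == "__main__":
    print("reused keystream :", demo_reused())
    print("fresh keystream  :", demo_fresh())
    guard = KeystreamReuseGuard()
    guard.allocate(KEY, REUSED_ID)
    try:
        guard.allocate(KEY, REUSED_ID)
    except ValueError as err:
        print("guard:", err)
```

Note that `demo_reused()` returns only the first 28 bytes of the secret, because the known call is 28 bytes long; that is the article's "5 minutes for 5 minutes" constraint in miniature. The guard is the shape of the fix on the network side: whatever inputs derive the keystream must never repeat under the same key.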
It seems that this flaw was quite widespread. In 2019, the researchers tested 15 randomly chosen base stations in Germany and other countries; 12 of them were vulnerable. “Since there are only a small number of vendors, which creates large deployments, we believe the number of affected users is significant,” the researchers emphasize in their paper. The academics have since alerted the standards body GSMA, which called on base station vendors to patch their products. A new round of the same test has shown that the base stations have since been successfully patched.
One can never be 100% certain, however. This is why the researchers also developed an application called “Mobile Sentinel” which, installed on a rooted Android smartphone, lets the user check whether a base station is vulnerable or not. Rather practical.
Source: revolte-attack.net