Security Week 34: Decrypting VoLTE

An interesting study on decrypting mobile calls made over VoLTE was presented at the 29th USENIX Security Symposium. This relatively recent technology carries voice as a data stream over LTE networks. Researchers from Germany and the United Arab Emirates found a software vulnerability in base stations that allows the call data to be decrypted in a rather non-trivial way.

The ReVoLTE attack became possible due to an error in the implementation of voice-call encryption. If a subscriber makes or receives two calls in a row, the same keystream is used for both. This behaviour was noted in an earlier study, but the new work turns it into a practical attack. It works like this: the attacker records the encrypted data stream of a call, then places a second call to the victim's phone, which makes it possible to recover the keystream. With that keystream the attacker decrypts the contents of the first call.





Sources: news, research site, scientific paper in PDF.



The purpose of the second call initiated by the attacker is to create the conditions for key reuse. Both calls must be made within the same radio session and, judging by the data in the study, while connected to the same base station with an interval of no more than 10 seconds. During the second call the attacker records its content. The attacker then compares this known plaintext with the intercepted encrypted version of the same call and so computes the keystream. Since the keystream is the same for both calls, the contents of the first call can then be decrypted.



The attack turned out to be elegant, although not very practical. There are too many conditions for successful decryption of a conversation, though nothing here is impossible. The moment of the sensitive conversation that needs to be intercepted has to be known in advance, and then the attacker has to call the victim back in time. Most importantly, as in Hollywood stories about telephone terrorists, the victim must be kept on the line for as long as possible: the amount of information that can be recovered depends directly on the duration of the second call. Talk to the victim for five minutes, and you decrypt five minutes of the secret conversation. On top of that, the victim must be connected to a vulnerable base station, and the attacker must be nearby to intercept the radio transmission. After testing 15 nearby base stations, the researchers found that 12 of them were vulnerable. The attack is closed by updating the base station software. A mobile application for checking the nearest base stations has been posted on the researchers' website.
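The keystream-reuse arithmetic behind the two preceding paragraphs, as an added illustration that is not code from the original digest or from the ReVoLTE researchers. It uses a toy counter-mode keystream built from SHA-256 instead of the real LTE cipher (EEA2, AES-CTR), and it ignores the RTP packet alignment and transcoding problems the paper has to deal with; the sample "audio", the bearer number and the function names are all constructed for the example. What it does show is the core of the attack: if the base station derives the second call's keystream from the same key, bearer identity and counter, the attacker's known second call yields the keystream and the first call falls, but only for as many bytes as the attacker's own call lasted; re-keying between calls, as a patched base station does, makes the recovered bytes garbage.

```python
import hashlib
import os

# Constructed sample "audio" for the two calls (not real recordings).
TARGET_CALL = b"meet at the north gate at 0900, bring the documents"
ATTACKER_CALL = b"hello? is this the delivery service? hold the line"


def keystream(key: bytes, bearer: int, direction: int, length: int) -> bytes:
    """Toy counter-mode keystream (a stand-in for LTE EEA2 / AES-CTR, not the real cipher).

    Each block depends on the session key, the radio bearer identity, the
    direction bit and a packet counter (COUNT) that restarts at 0 for every
    new bearer. Identical (key, bearer, direction) therefore yields an
    identical keystream, which is exactly the reuse ReVoLTE exploits.
    """
    out = bytearray()
    count = 0
    while len(out) < length:
        block_input = key + bytes([bearer, direction]) + count.to_bytes(4, "big")
        out += hashlib.sha256(block_input).digest()
        count += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_call(key: bytes, bearer: int, direction: int, audio: bytes) -> bytes:
    """Stream-cipher encryption of one call's audio: C = P xor KS."""
    return xor(audio, keystream(key, bearer, direction, len(audio)))


def revolte_recover(cipher_first: bytes, cipher_second: bytes, known_second: bytes) -> bytes:
    """Attacker side of ReVoLTE.

    The attacker placed the second call, so its plaintext is known:
    KS = C2 xor P2, and then P1 = C1 xor KS. Only the overlapping prefix
    can be recovered, so the amount decrypted is bounded by the shorter
    call; this is the "five minutes talked, five minutes decrypted" limit.
    """
    n = min(len(cipher_first), len(cipher_second), len(known_second))
    ks = xor(cipher_second[:n], known_second[:n])
    return xor(cipher_first[:n], ks)


def recoverable_length() -> int:
    """Bytes of the target call the attacker can recover with this second call."""
    return min(len(TARGET_CALL), len(ATTACKER_CALL))


def demo(rekey_between_calls: bool) -> bytes:
    """Run both calls through the toy base station and return what the attacker recovers.

    rekey_between_calls=False models the vulnerable base station (same key,
    same bearer, counter reset), rekey_between_calls=True models a patched
    one that derives a fresh key for the new call.
    """
    kup_enc = os.urandom(16)     # session key for user-plane encryption
    bearer, downlink = 5, 1      # constructed bearer identity and direction bit

    # Call 1: the sensitive conversation, intercepted over the air as ciphertext only.
    c1 = encrypt_call(kup_enc, bearer, downlink, TARGET_CALL)

    if rekey_between_calls:
        kup_enc = os.urandom(16)  # patched behaviour: fresh key, fresh keystream

    # Call 2: the attacker's own call, whose plaintext the attacker of course knows.
    c2 = encrypt_call(kup_enc, bearer, downlink, ATTACKER_CALL)

    return revolte_recover(c1, c2, ATTACKER_CALL)


if __name__ == "__main__":
    print("vulnerable base station:", demo(rekey_between_calls=False))
    print("patched base station:   ", demo(rekey_between_calls=True))
```

The `min()` in `revolte_recover` is the whole practical limitation in one line: the attacker cannot learn keystream beyond the length of the call they themselves held open, so keeping the victim talking is not a Hollywood flourish but the actual budget of the attack. Against the re-keyed variant the same code still returns bytes of the right length, which is a useful reminder that a successful-looking XOR tells you nothing; the output has to be checked against something meaningful (recognisable codec frames, in the real attack) before it counts as a decryption.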



What else happened



Lots of patches. Microsoft closes 120 vulnerabilities, including two critical ones that are being actively exploited in real attacks. One affects the Internet Explorer browser, the other the system for validating digital signatures of executable files.



Intel closes a serious vulnerability in the Emulex Pilot 3 controller, a management controller used for monitoring in a number of motherboards, single-board modules and server hardware. A problem in the controller firmware allows remote access to the KVM console.



Serious vulnerabilities have been patched in Adobe Acrobat and Reader. A bug has been fixed in browsers based on the Chromium engine that made malicious attacks on users easier.



But the patch for last year's serious vulnerability in the vBulletin forum software, as it turned out, can be bypassed, and a script for unauthenticated remote execution of arbitrary code has been published.



A vulnerability has been closed in the feature for locating a lost Samsung phone. A detailed description of the problem is in this presentation at the DEF CON conference. Staying with vulnerabilities in Samsung smartphones, a large study has been published on problems in the handler for the proprietary QMage image format.


