Privacy on the line: Boffins break VoLTE phone security

Boffins based in China and the UK have devised a telecom network attack that can expose call metadata during VoLTE/VoNR conversations.

Voice over LTE (VoLTE) is a packet-based telephony service that's part of the LTE standard and is widely used by major telecom providers. It's similar to Voice over New Radio (VoNR), a 5G flavor of the technology.

VoLTE/VoNR – or just VoLTE for the sake of avoiding alphanumeric jumbles – encrypts voice data sent between phone and network using a stream cipher. Three years ago, it was shown to be vulnerable to a reused key attack. This allowed researchers to develop the ReVoLTE attack, which exposes encrypted LTE calls. Various other explorations have demonstrated that the data exchanged between phones and cell towers continues to be poorly protected at both the physical layer and the data layer.

Researchers Zishuai Cheng and Baojiang Cui, with the Beijing University of Posts and Telecommunications, and Mihai Ordean, Flavio Garcia, and Dominik Rys, with the University of Birmingham, have found a way to access encrypted call metadata – VoLTE activity logs that describe call times, duration, and direction (incoming or outgoing) for mobile network conversations.

In a paper titled "Watching your call: Breaking VoLTE Privacy in LTE/5G Networks," they describe how they were able to use this metadata to map phone numbers – undetectably – to LTE and 5G-SA anonymized network identifiers.

Network operators give subscribers SIM cards with a unique identifier – referred to as an IMSI (International Mobile Subscriber Identity) under 4G and SUPI (Subscription Permanent Identifier) under 5G.

When subscribers connect to the network, they are assigned temporary identifiers – called Temporary Mobile Subscriber Identity (TMSI) under 3G systems and Globally Unique Temporary Identity (GUTI) on 4G and 5G systems. The 5G standard also supports a Subscription Concealed Identifier (SUCI) as a way to thwart IMSI catchers – fake cell towers used to surveil mobile phone users.

All of these systems – TMSI, GUTI and SUCI – are meant to anonymize users on the network, so that anyone intercepting call data will be unable to associate it with a specific real-world SIM card or subscriber. After the initial connection phase, physical layer configuration parameters are exchanged via encrypted messages so any attacker must continually guess those physical layer parameters to keep the connection alive.

But these protections turn out to be inadequate due to the static nature of certain network parameters (such as cqi-FormatIndicatorPeriodic), which helps the attacker make inferences about the network interaction. While network messages cannot be read directly due to encryption, some can be inferred from their length and position in the protocol.

The technique involves capturing a lot of network traffic – 60 hours of data per carrier. But the researchers were able to do so by designing a mobile-relay adversarial node – a miscreant-in-the-middle (MITM) attack similar to an IMSI catcher – that relies on two independent physical layer radio connections (USRP B210 SDR) that exchange messages with the victim's phone and with the network base station.

The researchers observe that VoLTE traffic ought to be protected from scrutiny … but isn't.

"Targeting VoLTE traffic specifically, for any reason, including recording, should not be possible when using EEA2 encryption algorithms which rely on non-deterministic encryption schemes such as AES-CTR," they explain. "This however is not the case. By looking at the non-encrypted MAC sub-header at our mobile relay, the attacker can learn the Logical Channel ID (LCID) of the sub-PDU (Protocol Data Unit). Because VoLTE traffic uses specific LCID 4 and LCID 5 it can be directly targeted by the adversary."

• Massive telecom outage in Japan kicks 40 million mobile users offline
• Microsoft pushes ahead adapting Azure for 5G telecoms after swallowing AT&T's Network Cloud
• Living up to its 'un-carrier' slogan, T-Mobile US stops carrying incoming calls, data in nationwide outage
• Overbudget and behind schedule, UK's Emergency Services Network reaches 500th base station milestone

The two attacks described in the paper – network activity monitoring and identity recovery – worked rather well, the researchers report. They claim they were able to map VoLTE operations 83.7 percent of the time, and 100 percent of the time when similarly sized operations were analyzed for the context in which they're allowed.

Mapping a phone's anonymized identity (SUCI and GUTI) to a real-world identity becomes a matter of the adversary making a VoLTE call to the victim (which does not need to be answered) to send VoLTE traffic between the device and the MITM device. The traffic is then analyzed to obtain the victim's VoLTE logs and is combined with call details available to the attacker to link the phone number to the victim's network identity. There's also an active mapping step required when the Evolved Packet-switched System (EPS) comes into play.

Cooper Quintin, staff technologist at the Electronic Frontier Foundation, told The Register in an email that while this attack looks more esoteric than other techniques that can be employed with IMSI catchers, it's a reminder that 5G isn't the security fix that it has been made out to be.

"This paper adds to the preponderance of research indicating that there are fundamental security and privacy flaws in the protocols underlying mobile communication," said Quintin. "The mobile industry should take this seriously and begin working with academics, security researchers, and cryptographers from the beginning as they work towards designing the next generation of mobile technology. Moreover, mobile standards bodies such as 3GPP need to ensure that public interest groups and security researchers have as much voice in the room as corporate interests do." ®