Can You Overhear Me Now?

This newly described exploit allows attackers to eavesdrop on VoLTE calls.

nickbild
over 5 years ago Communication

Most telecommunications providers offer a service called Voice over LTE (VoLTE), which allows wireless customers to place voice calls over an LTE connection instead of an older legacy voice network. The deployment of VoLTE is growing rapidly for a number of reasons, including the increased bandwidth of the technology, clearer call quality, improved coverage, and faster call setup.

Calls placed over VoLTE are encrypted with a key to keep the communication private between the participants. This privacy has been compromised in some cases, however, as recently reported by a research group led by David Rupprecht of Ruhr University Bochum. They have described an exploit, amusingly named ReVoLTE, that takes advantage of a weakness in the implementation of LTE networks by many telecommunications providers — a random sampling of radio cells across Germany revealed a full 80 percent to be susceptible to ReVoLTE.

Demonstration of exploit

Before getting too concerned that someone has been eavesdropping on your calls, it is important to understand that ReVoLTE comes with some caveats. First, an attacker must be in close proximity to the same base station as the victim so that they are able to use a downlink sniffer to record the encrypted transmission. Next, after the victim ends the targeted call, the attacker must directly call the victim — in most cases within 10 seconds — to ensure that this new call is made on the same radio connection as the targeted call. The attacker must then engage the victim in a conversation that they record unencrypted. Because the attacker holds this second conversation in unencrypted form, it can be used to work out the keystream that was applied to it, and that keystream can finally be used to decrypt the targeted conversation. The second call must also be at least as long as the targeted call; if not, only a portion of the encrypted call can be recovered.

The implementation problem that makes ReVoLTE possible is a reuse of encryption keys for subsequent calls by some telecommunications providers. The researchers alerted telecommunications equipment makers and service providers to the issue, and it appears most have heeded the warning. Follow-up network scans have not turned up any sites that are vulnerable to the attack.
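The following sketch is an added illustration, not code from the article or from the researchers. It shows why a keystream must never be reused and why the length of the second call bounds what can be recovered. It assumes a stand-in stream cipher built from SHA-256 in counter mode (not the cipher LTE uses) and constructed sample payloads in place of voice frames.

```python
import hashlib
import os

def keystream(key: bytes, n: int) -> bytes:
    """Stand-in keystream generator (SHA-256 in counter mode), not the LTE cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: plaintext XOR keystream."""
    return xor(plaintext, keystream(key, len(plaintext)))

def recover(target_ct: bytes, known_pt: bytes, known_ct: bytes) -> bytes:
    """Known plaintext XOR its ciphertext yields keystream; apply it to the target."""
    ks = xor(known_pt, known_ct)
    return xor(target_ct, ks)

# Constructed sample data standing in for the two calls' voice payloads.
TARGET_CALL = b"constructed sample: first call payload, 48 bytes"
SECOND_CALL = b"constructed sample: shorter call"

def simulate(reuse_key: bool) -> bytes:
    """Encrypt both calls, with or without key reuse, and attempt recovery."""
    key1 = os.urandom(16)
    key2 = key1 if reuse_key else os.urandom(16)  # the fix: a fresh key per call
    ct1 = encrypt(key1, TARGET_CALL)
    ct2 = encrypt(key2, SECOND_CALL)
    return recover(ct1, SECOND_CALL, ct2)

if __name__ == "__main__":
    # Reused key: the first len(SECOND_CALL) bytes of the target call come back.
    print("keystream reused:", simulate(True))
    # Fresh key: the output is unrelated bytes.
    print("fresh keystream :", simulate(False))
```

With the key reused, recovery stops at the length of the shorter second call, matching the caveat above; with a fresh key per call the same computation yields nothing useful.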
