Four IT security researchers have uncovered a vulnerability in modern cellular networks that had been open for years. David Rupprecht, Katharina Kohls and Thorsten Holz from Ruhr-Uni Bochum and Christina Pöpper from NYU Abu Dhabi showed how encrypted phone calls in the cellular network could actually be recorded and decrypted.
Calls in the LTE network are affected by the vulnerability - worldwide. For several years, these have been at least partially processed using the Voice-over-LTE (VoLTE) standard introduced in 2014, which encrypts calls as a protective measure.
The researchers have succeeded in breaking this encryption under certain conditions. The victims of an attack would not have noticed anything. This emerges from a paper that the scientists will present on Wednesday at the "Usenix Security" conference under the title "ReVoLTE". The paper was available to SPIEGEL in advance.
The vulnerability has now been resolved, as the industry association GSMA announced. The Bochum scientists informed the association, in which all the major mobile phone companies have come together, about a procedure intended for this at the end of last year.
Approaching and recording
The researchers from the Ruhr-Uni Bochum not only researched the security gap in the laboratory, but also tested it in practice at various locations in Germany. The hack works in three steps.
In order to listen to a phone call, the researchers first had to be in the same radio cell as their victim. In cities, such LTE radio cells usually have a range of only a few hundred meters, in rural areas the range can be several kilometers.
In the second step, thanks to special technology, so-called "passive downlink sniffers", they were able to record a phone call - but initially only received encrypted, indecipherable data salad. All they needed was the phone number of their victims. For hackers with the appropriate skills, this can also be determined via the radio cell, which would, however, be illegal.
Encryption disclosed
After their victim finished the phone call, the security researchers called the person themselves in the third step. The longer you can keep the person on the line, the better. During this second phone call, the researchers were able to read out the keys from the base station's data traffic that they needed to decrypt the previously recorded conversation.
"The problem was that the same key was reused for further calls," says David Rupprecht, one of the researchers involved. If the second conversation lasted five minutes, five minutes could also be deciphered from the previous conversation.
Exploiting the security gap is therefore not easily possible for every hacker. The special technology required, i.e. the passive sniffer, costs a few thousand euros. David Rupprecht reports that the experts worked on their investigation for several months.
Attackers could eavesdrop without being noticed
The weak point was due to incorrect configurations of the base stations in the LTE network. These base stations are only manufactured by a few large companies in the world such as Huawei, Ericsson and Nokia. Cell phone providers such as Telekom, Vodafone or Telefónica then use this technology to set up their networks.
Since the weak point was at the level of the basic infrastructure, numerous LTE networks worldwide are likely to be affected. "The security gap was not just a German problem, it was a global one," said David Rupprecht to SPIEGEL. "For example, we also received data from South Korea that showed that radio cells there were also susceptible."
Problem known, problem solved
It is not known exactly how many people use VoLTE for calls, as this data is not precisely collected. According to Telefónica, around a third of O2 customers in Germany currently use this technology.
The three large mobile phone companies operating in Germany, Vodafone, Deutsche Telekom and Telefónica, have confirmed the weak point to SPIEGEL. The companies each thanked the researchers and reported that the gap has now been closed. The GSMA association had issued recommendations to its members on how the vulnerability could be eliminated. When the base station was updated, the researchers involved found that their attack no longer worked.
For David Rupprecht, the security gap shows that it is very important to see the overall process of development, installation and use when it comes to security in the cellular network: "From the hardware, to the specification that defines the protocols used, to the implementation the companies."
Thanks to the scientists, the standards for telephony in 5G have now been specified in such a way that errors in the configuration in the base stations for the 5G network cannot happen again.
A student at the Ruhr University in Bochum, Bedran Karakoc, has also worked with the researchers to develop an Android app that enables technically savvy people to check the security of 5G base stations themselves. In this way, it should also be possible to report possible problems in the future if problems arise again at the base stations.
The researchers have published further details and a download link for their app on a website.
Icon: The mirror
