- Content source
- https://www.theregister.com/2023/01/11/volte_phone_security/
Boffins based in China and the UK have devised a telecom network attack that can expose call metadata during VoLTE/VoNR conversations.
Voice over LTE (VoLTE) is a packet-based telephony service that's part of the LTE standard and is widely used by major telecom providers. It's similar to Voice over New Radio (VoNR), a 5G flavor of the technology. VoLTE/VoNR – or just VoLTE for the sake of avoiding alphanumeric jumbles – encrypts voice data sent between phone and network using a stream cipher. Three years ago, it was shown to be vulnerable to a reused key attack. This allowed researchers to develop the ReVoLTE attack, which exposes encrypted LTE calls. Various other explorations have demonstrated that the data exchanged between phones and cell towers continues to be poorly protected at both the physical layer and the data layer.
Researchers Zishuai Cheng and Baojiang Cui, with the Beijing University of Posts and Telecommunications, and Mihai Ordean, Flavio Garcia, and Dominik Rys, with the University of Birmingham, have found a way to access encrypted call metadata – VoLTE activity logs that describe call times, duration, and direction (incoming or outgoing) for mobile network conversations. In a paper titled "Watching your call: Breaking VoLTE Privacy in LTE/5G Networks," they describe how they were able to use this metadata to map phone numbers – undetectably – to LTE and 5G-SA anonymized network identifiers.