A security flaw in 4G cellular networks may allow hackers to intercept and listen to third parties' calls using standard equipment that any consumer can purchase for around $ 7,000, approximately $ 40,000. The problem is in the VoLTE protocol, which uses the mobile data network to transmit voice calls. Those calls can be captured if the hackers are in range of the same cell tower as the victim.
This usually implies a distance that ranges from a few meters to a few kilometers, depending on the infrastructure of each region. The proof-of-concept exploit, presented by researchers from the universities of Ruhr, in Bochum, Germany, and New York, in the United States, details a problem in how encryption is implemented for voice transmitted over the network. The problem makes it possible to break the security of calls made by third parties.
Everything happens at the moment the signal passes through a base station, before it makes its way through the rest of the network. What the researchers found is that the system can "repeat" the encryption protocol on two different calls to the same number, as long as the second is made within 10 seconds of the first. To exploit the flaw, hackers capture the data stream of the call they want to spy on and, as soon as it ends, make a new call to the target number, this time using that data stream as a way to decrypt the original information.
Throughout this process, the attackers would use radio equipment capable of capturing such signals. Once they learn the configuration of the data node that will be used in the exploitation and also the victim's geographic location, and so know which tower they should connect to, the attack is completed with the second call, which records the encryption protocol and makes it possible to release the data to be heard.
The attack, which the experts named ReVoLTE, was compared to a common error in which passwords are stored on a server in a plain, unprotected text file. The idea is that, however many security mechanisms are available on the network itself, once they are broken there is nothing else to prevent the action of hackers, who then have full access to users' data and information.
There are other limitations, however. The amount of the call that can be decrypted corresponds to the duration of the call used to break the security protocol: if the unlocking call lasts 30 seconds, only half a minute of the "original" conversation can be heard. It is an additional challenge, which will require sophistication in targeted attacks. In addition, of course, both victim and hacker must be within reach of the same tower or base station, while newer technologies already have protections against the repetition of security protocols in transmissions that happen in succession.
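The reuse and the length limit described above can be shown with a toy stream cipher. This is an added example, not code from the researchers or from any LTE stack: SHAKE-256 stands in for the network's cipher, and the key, the `per_call_input` values and the "audio" bytes are constructed placeholders. It also shows the mitigation, where a fresh per-call input makes the same recovery step return noise.

```python
import hashlib

def keystream(key: bytes, per_call_input: bytes, n: int) -> bytes:
    # Stand-in keystream generator (assumption): SHAKE-256, not the LTE cipher.
    return hashlib.shake_256(key + per_call_input).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    # zip() stops at the shorter input, which is exactly the length limit:
    # nothing beyond the shorter call can be recovered.
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, per_call_input: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, per_call_input, len(plaintext)))

def recover(ct_first: bytes, ct_second: bytes, known_second: bytes) -> bytes:
    # If both calls were encrypted with the same keystream K:
    #   C1 ^ C2 ^ P2 = (P1 ^ K) ^ (P2 ^ K) ^ P2 = P1
    return xor(xor(ct_first, ct_second), known_second)

def demo():
    key = b"constructed-session-key"
    first = b"constructed first-call audio, longer than the second call"
    second = b"constructed second-call audio"

    # Weak behaviour: the second call repeats the first call's keystream.
    c1 = encrypt(key, b"call-params-A", first)
    c2_reused = encrypt(key, b"call-params-A", second)
    leaked = recover(c1, c2_reused, second)

    # Corrected behaviour: the second call gets a fresh keystream.
    c2_fresh = encrypt(key, b"call-params-B", second)
    not_leaked = recover(c1, c2_fresh, second)
    return first, second, leaked, not_leaked

if __name__ == "__main__":
    first, second, leaked, not_leaked = demo()
    print("recovered with reuse   :", leaked)
    print("recovered without reuse:", not_leaked.hex())
```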
According to the researchers responsible for the work, presented during the USENIX Security Symposium, which took place this week in digital format, 15 towers spread across Germany were used in tests of the flaw, and 12 allowed exploitation. Experts say the percentage, of course, can vary from country to country, but given the variety of protocols, facilities and operators, it is very likely that many people are vulnerable.
With that in mind, experts have released an application for Android phones that is able to test the connection's security status. The software requires a rooted phone that has access to the VoLTE network and has a Qualcomm processor.