VoLTE phone security may not be as tough as we all thought

Man Calling while looking at Email
(Image credit: David Hahn / Unsplash)

The security of Voice over LTE (VoLTE) phone calls may not be as tough as previously thought, after researchers devised a way to grab call metadata and even caller identities in some cases. 

A team of researchers, comprising scientists from the Beijing University of Posts and Telecommunications (Zishuai Cheng and Baojiang Cui), and scientists from the University of Birmingham (Mihai Ordean, Flavio Garcia, and Dominik Rys) came up with a way to access VoLTE activity logs such as call times, call durations, and call directions (who is calling whom). 

They published their findings in a whitepaper called "Watching your call: Breaking VoLTE Privacy in LTE/5G Networks," in which they also showed how they used this data to identify people’s phone numbers. 

Grabbing the data

VoLTE call systems have three systems working to anonymize people on the network - TMSI (Temporary Mobile Subscriber Identity), GUTI (Globally Unique Temporary Identity), and SUCI (Subscription Concealed Identifier). 

However, with some network parameters being static, these systems are arguably inadequate. Cyberattackers would still be able to come to some conclusions about the interaction between the participants. 

Furthermore, by building a mobile-relay adversarial node, the researchers were able to capture a lot of network traffic per carrier.

"Targeting VoLTE traffic specifically, for any reason, including recording, should not be possible when using EEA2 encryption algorithms which rely on non-deterministic encryption schemes such as AES-CTR," the report states. 

"This however is not the case. By looking at the non-encrypted MAC sub-header at our mobile relay, the attacker can learn the Logical Channel ID (LCID) of the sub-PDU (Protocol Data Unit). Because VoLTE traffic uses specific LCID 4 and LCID 5 it can be directly targeted by the adversary."

After obtaining a person’s anonymized identity (SUCI and GUTI), the attackers would simply need to make a VoLTE call to the victim to tie it to their real-life identity. 

Both attacks allegedly worked quite well, with the researchers saying they mapped VoLTE operations 83% of the time.

Via: The Register

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.