ReVoLTE attack

Millions of people use the widely deployed mobile communication standard LTE. Besides high-speed internet access, it also provides the packet-based voice service VoLTE (Voice over LTE), which promises high-definition voice quality.

VoLTE uses protocols adapted from the Internet domain: the Session Initiation Protocol (SIP) to signal the call flow, the Real-Time Transport Protocol (RTP) to transport the actual voice data, and the RTP Control Protocol (RTCP) to control the RTP connection.


The team of researchers who, earlier this year, published severe security issues in 4G LTE and 5G networks presented the ReVoLTE attack, which could let remote attackers break the encryption and spy on targeted phone calls.


The attack does not exploit a flaw in the protocol but rather a badly implemented LTE mobile network: most mobile operators often reuse the same keystream for two subsequent calls within one radio connection to encrypt the voice data between the phone and the same base station (mobile phone tower).


ReVoLTE allows an attacker to decrypt the encrypted payload of the RTP packets. In a VoLTE setting, these RTP packets are treated as user data with special transmission requirements. Two important characteristics, the multimedia codecs and robust header compression, influence the way data is transmitted in a VoLTE call.


To carry out this attack, the attacker must be connected to the same base station as the victim and place a downlink sniffer to monitor and record a 'targeted call' made by the victim to someone else, which is to be decrypted later. Once the call is finished, the attacker must call the victim within 10 seconds of the call ending, which forces the network to set up the call between the victim and the attacker on the same radio connection used by the previous call. In the second step, the attacker needs to engage the victim in a longer conversation and later recover the keystream used by the subsequent call.

All RTP data of the second call is encrypted in the same way as the voice data of the target call. As soon as enough keystream data has been recovered, the call is ended. The second call should be at least as long as the first call in order to decrypt every frame; the longer the conversation goes on, the more data can be decrypted.
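The core of the weakness described above is keystream reuse in a stream cipher: XORing a known plaintext with its ciphertext reveals the keystream, and the same keystream decrypts any other frame encrypted with it. The following added example (not code from the researchers or the page) simulates two calls frame by frame with a constructed hash-based counter-mode keystream standing in for LTE's AES-CTR (EEA2), and shows that recovery works when the bearer key is reused and fails when a fresh key is derived for the second call.

```python
import hashlib
import os

# Constructed stand-in for the LTE EEA2 keystream (AES-CTR keyed by the bearer key
# with an IV built from COUNT, BEARER and DIRECTION). Same inputs, toy generator.
def keystream(key: bytes, bearer: int, direction: int, count: int, length: int) -> bytes:
    out = bytearray()
    for block in range((length + 31) // 32):
        msg = key + bytes([bearer, direction]) + count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(msg).digest()
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    # Truncates to the shorter input: a short known frame only recovers a short keystream.
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_call(key: bytes, frames: list[bytes], bearer: int = 1, direction: int = 0) -> list[bytes]:
    # Frame i of a call is encrypted with the keystream for PDCP COUNT i; a second call on
    # the same radio connection with the same key restarts at the same COUNT values.
    return [xor(f, keystream(key, bearer, direction, i, len(f))) for i, f in enumerate(frames)]

def recover_target(target_ct: list[bytes], second_ct: list[bytes], second_pt: list[bytes]) -> list[bytes]:
    # Known plaintext of the second call XOR its ciphertext gives the keystream per COUNT;
    # applied to the target ciphertext it yields the target plaintext for the covered bytes.
    return [xor(t, xor(c, p)) for t, c, p in zip(target_ct, second_ct, second_pt)]

def simulate(fresh_key_per_call: bool) -> tuple[list[bytes], list[bytes]]:
    """Return (target plaintext, what an observer recovers). Sample frames are constructed."""
    key1 = os.urandom(16)
    key2 = os.urandom(16) if fresh_key_per_call else key1   # mitigation: new key per call
    target = [b"target call frame one", b"target call frame two"]
    second = [b"known second call frame one", b"known second call frame two"]  # at least as long
    target_ct = encrypt_call(key1, target)
    second_ct = encrypt_call(key2, second)
    return target, recover_target(target_ct, second_ct, second)

if __name__ == "__main__":
    pt, rec = simulate(fresh_key_per_call=False)
    print("reused keystream, target recovered:", rec == pt)   # True
    pt, rec = simulate(fresh_key_per_call=True)
    print("fresh key per call, target recovered:", rec == pt)  # False
```

The `fresh_key_per_call=True` branch is the operator-side fix: a distinct bearer key (and thus keystream) for every call on a radio connection leaves the known-plaintext XOR useless against the earlier call.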


To demonstrate the attack, the team of academics from University Bochum implemented an end-to-end version of the attack in a commercial network with commercial phones. They used downlink analyzer software to sniff the traffic and three Android phones to obtain the plaintext at the attacker's phone. They compared the two conversations, determined the keystream and decrypted a portion of the previous call.


