Security researchers from China and the UK have jointly developed a new attack on LTE and 5G mobile networks that exposes call metadata from VoLTE and VoNR conversations even though the traffic is encrypted. The recovered metadata includes the time of the call, its duration and whether it was incoming or outgoing.
The paper, “Watching your call: Breaking VoLTE Privacy in LTE/5G Networks”, is by Zishuai Cheng and Baojiang Cui of the Beijing University of Posts and Telecommunications and Mihai Ordean, Flavio Garcia and Dominik Rys of the University of Birmingham. It also shows how the recovered metadata can be used to link a phone number to the anonymised identifiers that LTE and 5G networks assign to a subscriber.
Mobile networks use several temporary identifiers to keep subscribers anonymous over the air. These include the following:
- Temporary Mobile Subscriber Identity (TMSI) in 2G/3G (GSM and UMTS) networks.
- Globally Unique Temporary Identity (GUTI) in 4G networks, and the 5G-GUTI in 5G networks.
- Subscription Concealed Identifier (SUCI) in 5G networks, an encrypted form of the permanent subscriber identifier (SUPI) so that a fake base station cannot harvest it during registration.
Each of these stands in for the permanent identity (IMSI or SUPI) in over-the-air messages, so that someone intercepting radio traffic should not be able to tie it back to a specific SIM card or subscriber.
VoLTE traffic is encrypted with a stream cipher at the PDCP layer, and the 2020 ReVoLTE attack already showed that reusing the keystream across two calls on the same radio bearer lets an attacker decrypt a recorded call. Below that layer, the physical (PHY) and MAC layers that carry scheduling and configuration information between the phone and the base station have no encryption or integrity protection at all, so a radio-level attacker can read and manipulate them.
After the initial connection setup, later changes to the physical-layer configuration are carried in encrypted messages. A relay sitting between the phone and the base station cannot read them, so it has to keep guessing these physical-layer parameters correctly to keep forwarding traffic without dropping the connection and giving itself away.
As it turns out, these protections fall short because some of the relevant network parameters are effectively static for a given carrier. Once learned, they can be predicted, which lets the attacker follow the connection and capture traffic. The encrypted messages themselves cannot be read, but their length and their position in the protocol exchange reveal what they are, a classic traffic-analysis weakness.
To map a phone number to a phone’s anonymised identity, the attacker places a VoLTE call to the victim’s number. The call does not need to be answered: the call signalling alone generates traffic between the victim’s phone and the network, which passes through the man-in-the-middle (MITM) relay device. That traffic is analysed for the VoLTE call pattern and correlated with the attacker’s own call records, linking the dialled phone number to the identity the victim’s phone is currently using on the network.
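To make the traffic-analysis and identity-mapping steps concrete, here is an added example in Python, written for this article and not code from the paper or its authors. It treats every captured radio frame as an opaque ciphertext with only a timestamp, a temporary radio identity, a direction, a logical-channel id and a length, recovers call direction, start time and duration from those alone, and then links an attacker-dialled number to the identity that received an INVITE-sized message right after each dial attempt, intersecting the candidates across several probe calls to rule out bystanders. The logical-channel ids, the size bands used to tell an INVITE from other SIP messages and from voice packets, the two-second probe window, the phone number and the whole capture are assumptions constructed for the example, not values measured in the paper.

```python
# Added example (not from the paper): recover VoLTE call metadata from encrypted radio
# frames by length, direction and timing alone; all thresholds and data are assumptions.
from collections import defaultdict
from dataclasses import dataclass

SIG_LCID = 3          # assumed logical-channel id of the IMS signalling bearer (SIP)
MEDIA_LCID = 4        # assumed logical-channel id of the voice bearer (RTP)
INVITE_MIN_LEN = 900  # assumed: an INVITE (SIP headers + SDP) is the only message this large
PROBE_WINDOW = 2.0    # assumed delay between attacker dialling and the INVITE arriving

@dataclass(frozen=True)
class Frame:
    t: float        # seconds since capture start
    rnti: int       # temporary radio identity the relay sees (stands in for the GUTI)
    direction: str  # "DL" (network -> phone) or "UL" (phone -> network)
    lcid: int       # logical-channel id, readable in the unencrypted MAC header
    length: int     # ciphertext length in bytes; the payload itself is opaque

@dataclass
class Call:
    rnti: int
    direction: str   # "incoming" if the INVITE came downlink, else "outgoing"
    start: float     # time of the INVITE
    answered: bool   # True if voice packets followed
    duration: float  # seconds of media, 0.0 for an unanswered call

def classify(frame):
    """Label an opaque frame by bearer and size alone."""
    if frame.lcid == SIG_LCID:
        return "INVITE" if frame.length >= INVITE_MIN_LEN else "SIP"
    return "RTP" if frame.lcid == MEDIA_LCID else "DATA"

def _finish(rnti, direction, start, media):
    duration = media[-1] - media[0] if len(media) > 1 else 0.0
    return Call(rnti, direction, start, bool(media), round(duration, 3))

def extract_calls(frames):
    """One Call per INVITE seen on an identity; media timestamps give the duration."""
    by_rnti = defaultdict(list)
    for f in frames:
        by_rnti[f.rnti].append(f)
    calls = []
    for rnti, fs in by_rnti.items():
        current, media = None, []
        for f in sorted(fs, key=lambda f: f.t):
            kind = classify(f)
            if kind == "INVITE":
                if current:
                    calls.append(_finish(rnti, *current, media))
                current = ("incoming" if f.direction == "DL" else "outgoing", f.t)
                media = []
            elif kind == "RTP" and current:
                media.append(f.t)
        if current:
            calls.append(_finish(rnti, *current, media))
    return sorted(calls, key=lambda c: c.start)

def map_identity(frames, probes, window=PROBE_WINDOW):
    """probes: {phone_number: [times the attacker dialled it]}. A number maps to the
    one identity that received a downlink INVITE shortly after every dial attempt."""
    invites = [f for f in frames if f.direction == "DL" and classify(f) == "INVITE"]
    result = {}
    for number, dial_times in probes.items():
        candidates = None
        for t0 in dial_times:
            hit = {f.rnti for f in invites if t0 < f.t <= t0 + window}
            candidates = hit if candidates is None else candidates & hit
        result[number] = next(iter(candidates)) if candidates and len(candidates) == 1 else None
    return result

def _sip(fr, rnti, msgs):
    fr.extend(Frame(t, rnti, d, SIG_LCID, n) for t, d, n in msgs)
def _media(fr, rnti, t0, t1, period=0.02):
    for i in range(int(round((t1 - t0) / period)) + 1):
        t = round(t0 + i * period, 3)
        fr.extend([Frame(t, rnti, "UL", MEDIA_LCID, 72), Frame(t, rnti, "DL", MEDIA_LCID, 72)])

def build_sample_capture():
    """Constructed capture: sizes and times are illustrative, not measurements."""
    victim, bystander, fr = 0x1A2B, 0x3C4D, []
    # Probe 1: attacker dials the victim at 10.0; INVITE lands at 10.4, rings, is cancelled.
    _sip(fr, victim, [(10.4, "DL", 1180), (10.9, "UL", 460), (14.0, "DL", 390)])
    # Unrelated incoming call to a bystander at 11.0, answered, media from 13.2 to 20.0.
    _sip(fr, bystander, [(11.0, "DL", 1210), (13.0, "UL", 520), (13.1, "DL", 380)])
    _media(fr, bystander, 13.2, 20.0)
    _sip(fr, bystander, [(20.1, "UL", 400)])   # BYE
    # The victim places an outgoing call at 30.0, answered at 31.0, media until 43.0.
    _sip(fr, victim, [(30.0, "UL", 1150), (30.6, "DL", 460), (31.0, "DL", 520), (31.1, "UL", 380)])
    _media(fr, victim, 31.2, 43.0)
    _sip(fr, victim, [(43.1, "UL", 400)])      # BYE
    # Probe 2 at 55.0: this time only the victim receives an INVITE.
    _sip(fr, victim, [(55.4, "DL", 1180), (56.0, "UL", 460), (58.0, "DL", 390)])
    # Bulk downloads on a data bearer (LCID 5) must not be mistaken for INVITEs.
    fr.extend(Frame(5.0 + i, bystander, "DL", 5, 1400) for i in range(5))
    return fr, {"+44 7700 900123": [10.0, 55.0]}

if __name__ == "__main__":
    frames, probes = build_sample_capture()
    print(*extract_calls(frames), map_identity(frames, probes), sep="\n")
```

Two design points carry over from the paper's setting. First, the unanswered probe calls still produce a Call record with no media, which is exactly why the attacker's call need not be picked up. Second, a single probe is ambiguous whenever another subscriber in the same cell happens to receive a call in the same window (the bystander above), so the mapping intersects candidates across probes rather than trusting the first hit.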
The technique requires a large amount of captured traffic, roughly 60 hours per carrier in the researchers’ experiments. The paper’s two attacks, network activity monitoring (recovering call details) and identity recovery (mapping a phone number to a network identity), both work well: the researchers report an 83.7% success rate in recognising VoLTE operations, rising to 100% when operations of similar size were counted as matches within the allowed context.
In theory this should not be possible on VoLTE traffic protected with the EEA2 algorithm (AES in counter mode). In practice, encryption hides the content of each message but not its size, timing or place in the exchange, and that is all the attack needs. It is also a reminder that 5G on its own is not an all-encompassing security solution.