Privacy on the line: Boffins break VoLTE phone security

Boffins based in China and the UK have devised a telecom network attack that can expose call metadata during VoLTE/VoNR conversations. Voice over LTE (VoLTE) is a packet-based telephony service that's part of the LTE standard and is widely used by major telecom providers. It's similar to Voice over New Radio (VoNR), a 5G …

  1. An_Old_Dog Silver badge

    Need to Ensure Public Interest

    "...Moreover, mobile standards bodies such as 3GPP need to ensure that public interest groups and security researchers have as much voice in the room as corporate interests do."

    Haaaa-haaaa! Yes, mobile standards bodies will get right on that./sarcasm

    They've definitely pencilled that in -- for the Twelfth of Never.

    1. Anonymous Coward

      Re: Need to Ensure Public Interest

      Of course they'll do something.... but not until a celeb or MP is effected....

      1. MiguelC Silver badge

        Re: Need to Ensure Public Interest

        "affected".... <sigh>

        1. Yet Another Anonymous coward Silver badge

          Re: Need to Ensure Public Interest

          Aren't most celebs "effected"? Or is that only when on Graham Norton's show ?

  2. Yet Another Anonymous coward Silver badge

    Does it matter ?

    Anyone with the wherewithal to mount this sort of attack either has a badge and can demand all this data from the telcos, or can afford to "buy a drink" for a gentleman with a badge

    1. Graham Cobb Silver badge

      Re: Does it matter ?

      I don't think that is the case. IMSI catchers are quite effective and not hard to get and deploy, today. If this attack can be made easy to use and automated into a "next-gen IMSI catcher" then that is a serious issue for 5G security as many more journalists and "bad guys" will be able to use it than have access to the lawful-intercept route.

      What is not clear from the article is whether this attack only provides metadata such as MSISDN or IMSI or whether it can be turned into an attack on the encrypted content (data or voice).

      Of course, there is plenty of time to solve it. Anyone capable of using this attack will have already worked out how to make the target's phone fall back to (insecure) pre-VoLTE technology (such as 3G) today. It will be some time before phones stop doing that.

  3. john.jones.name

    radio

    this is more a radio attack linked to the fact radio should need to do this and lesson is it should ONLY DO IP/data transport and trying to optimise by using specific LCID 4 and LCID 5 is DUMB

    note using Wi-Fi Calling (plain SIP call) is not subject to this.

    1. Anonymous Coward

      Re: radio

      No, because unencrypted SIP you can tap and decode in realtime, no protocol breaches needed..

      1. Anonymous Coward

        Re: radio

        3GPP WiFi Calling encrypts the SIP and RTP using IMS-AKA, which is not the target of these vulnerabilities.

  4. Anonymous Coward

    The thing I've learned from this article is that man-in-the-middle has been changed to the much more cumbersome "miscreant" at some point. I wonder what will come next? Attacker-between-connected-disparate-endpoints, perhaps.

    1. Alumoi Silver badge

      Naah, we have 'bad actor' for that. Attacker suggests violence, please think of the children.

    2. Twanky

      MITM

      But the miscreants will almost certainly never self-identify.

    3. Anonymous Coward

      I suspect that was to avoid that at some point someone would start blathering that it could also be woman-in-the-middle or {I haven't made up my mind yet}-in-the-middle because it's easier to focus on imagined slights in words than on dealing with the real issue of equality in treatment and pay because that would require actually addressing it.

      Don't mind me, I have an excess of grumbling to get out of the way.

      1. Yet Another Anonymous coward Silver badge

        Isn't the "man" in the middle Carol ?

        Although I guess that's a boy's name in Poland

        1. Mike 16

          In the middle

          My recollection was "Eve" as in eavesdropper.

          OTOH, when using voice rather than data I suppose one could place Yves Saint Laurent in the middle.

          His death over a decade ago might seem to present a problem, but with the sort of delays I have experienced with VoLTE, there might be traces bouncing around the telesphere.

    4. Richard 12 Silver badge

      There's a difference

      When it's the Government intercepting your data, they're a man-in-the-middle.

      When it's someone else, they're a miscreant.

      1. Anonymous Coward

        Re: There's a difference

        it's one of those irregular verbs isn't it?

        I lawfully-intercept,

        he unofficially taps,

        they miscreantly listen-in

    5. Michael Wojcik Silver badge

      Nothingburger. People have been using alternatives to "man in the middle" for many years. I think I first saw "monkey in the middle" in the last century.

      Get over it.

  5. This post has been deleted by its author

  6. sitta_europea Silver badge

    I didn't care who was listening when it was analogue. Now that it isn't, I still don't.

    If it's secret I'll probably just lick a stamp.

    1. Anonymous Coward

      Thereby providing THEM with your DNA? How very careless of you, that's just playing into their hands...

    2. Anonymous Coward

      I find that a lot harder now there's a King on the front.

      (I'll go and hide now)

      1. Ken Hagan Gold badge

        I think you'll find it started getting harder when they became self-adhesive a few years ago.

        1. Anonymous Coward

          "I think you'll find it started getting harder when they became self-adhesive a few years ago."

          Easier to lick, harder to stop.

  7. Richard 12 Silver badge

    Bit confused here

    To start the attack you have to make a phonecall to the target mobile phone, and the attack apparently gets you the phone number of the target mobile phone?

    That doesn't seem particularly useful. What have I missed?
