VoLTE Flaw Lets A Hacker Spy On Encrypted Communications For A Measly $7,000
from the time-to-take-a-broader-view dept
As we’ve noted, much of the hysteria surrounding TikTok isn’t based on anything close to consistent outrage. As in, many of the folks freaking out about a teen dancing app were nowhere to be found when U.S. wireless carriers were found to be selling access to your location data to any random idiot. Most of the folks pearl clutching about TikTok have opposed election security funding or even the most basic of privacy rules. The SS7 flaw that makes most wireless networks vulnerable to eavesdropping ? The lack of any security or privacy safeguards in the internet of things (IOT) space?
Which is all a long way of saying: if you’re going to lose sleep over TikTok, you’ll be shocked to learn there’s an ocean of issues that folks are paying absolutely no attention to. Or, to put it another way, TikTok is probably the very least of a long list of problems related to keeping U.S. data secure.
The latest case in point: a report last week noted how with around $7,000 worth of gear, a marginally competent person could eavesdrop on voice over LTE (VoLTE) communications, even though these transmissions are purportedly encrypted:
“Their technique, dubbed ReVoLTE, uses a software-defined radio to pull the signal a carrier?s base station transmits to a phone of an attacker?s choosing, as long as the attacker is connected to the same cell tower (typically within a few hundred meters to few kilometers) and knows the phone number. Because of an error in the way many carriers implement VoLTE, the attack converts cryptographically scrambled data into unencrypted sound. The result is a threat to the privacy of a growing segment of cell phone users. The cost: about $7,000.”
It doesn’t take that much work to fix the vulnerability, but many wireless carriers are expected to lag in fix implementation:
“With more than 120 providers around the world and over 1,200 different device types supporting VoLTE, it will likely take more time for the eavesdropping weakness to be fully eradicated.
?However, we need to consider a large number of providers worldwide and their large deployments,? the researchers wrote. ?It is thus crucial to raise awareness about the vulnerability.”
And while the attack requires some degree of finesse and good timing, it’s yet another indication that our very basic communications infrastructure isn’t half as secure as we like to pretend it is. The report came on the heels of another report indicating that it didn’t take much work to spy on much of our satellite communications infrastructure despite these attacks being known about for the better part of the last fifteen years. Then there’s the SS7 flaw in most major wireless networks which allows for covert spying of wireless transmission and has been known about for nearly as long.
Which again is a long way of saying that if we genuinely cared about U.S. data privacy and security in the face of hostile global actors, we’d do a hell of a lot better job shoring up basic infrastructure and infrastructure security. Instead we get (waves in the general direction of the TikTok Microsoft kerfuffle) whatever all of this is supposed to accomplish.