Cell phone calls over WLAN instead of the mobile network: this is possible with VoWiFi (Voice over WiFi). The calls reach the mobile operator's switching center via WLAN hotspots and the public Internet. Encryption is therefore particularly important, not only as protection against eavesdroppers, but also against malware and premium-rate fraud. This makes the findings of the Austrian research group all the more serious: encryption in VoWiFi, in the networks and in the end devices is in a bad state.
Chinese network supplier ZTE took the cake: As Adrian Dabrowski (CISPA Helmholtz Center for Information Security), Gabriel Gegenhuber (University of Vienna) and their colleagues found, ZTE mobile networks always used the same cryptographic keys when setting up VoWiFi encryption. The researchers’ scan found 13 ZTE mobile networks that always used predetermined Diffie-Hellman (DH) keys when logging customers into VoWiFi. These also included DH keys of shorter length (786, 1024 and 1536 bits), which are considered insecure and therefore outdated. These 13 networks have a total of around 140 million customers.
For each key length, ZTE programmed only ten different DH keys into the evolved packet data gateway (ePDG) used for VoWiFi. This meant that ZTE and any affected ZTE network operator could break the VoWiFi key exchange of every other ZTE network, as could any authority or other attacker able to obtain the keys in one country. The number of unreported cases is likely to be much higher than the 13 identified networks with 140 million subscribers.
The Chinese network supplier speaks of a bug (CVE-2024-2206422, risk level high): keys used for development and testing were accidentally left in the shipped system. An update is now available; the Austrian mobile operator Drei (Hutchison), whose ZTE network was financed by the state-owned China Development Bank, was the fastest to install it, in mid-March. Slovakian 4ka and Yettel in Hungary followed in late March, and two Brazilian networks in early April. Digi in Malaysia took until May 23, and Nepal Telecom had not managed the update by the observation deadline of May 31.
Triple encryption – theoretically
VoWiFi connections can in principle be triple encrypted. First, the end device and the mobile network gateway use a modified version of the IKE protocol (Internet Key Exchange) to verify that the subscriber actually holds a valid SIM card and phone number and to negotiate which asymmetric Diffie-Hellman key pair and which parameters will be used. Both the end device and the network announce which key lengths they support; in theory the two sides then pick the longest length they have in common. In practice things look different (see below).
This outer tunnel remains in place as long as the end device stays online via the same IP address and WLAN and the configured time limit has not yet expired. That is the window an attacker has to crack the DH exchange. Secondly, within this encryption, an IPsec tunnel with a symmetric key is established to encrypt the user data. Thirdly, a further layer of encryption can be applied at the level of the Voice over IP servers (SIP and RTP).
So perhaps losing the outer encryption is not so bad? It is, the researchers say: there is no longer any integrity check for the second level of encryption. An attacker who has broken the DH exchange can next intercept the exchange of the symmetric key (Monster in the Middle, MitM) and read everything. The third level, SIP encryption, is not implemented by most network operators; in practice they thus deliver unencrypted VoWiFi conversations. The attacker can set the corresponding parameters.
A successful criminal can not only listen in on and falsify conversations, but also exfiltrate the data and use it, for example, to install malware on the end device or to place calls on someone else's number, including to premium-rate numbers. So it's about much more than "just" privacy.
Bad key lengths
That's why it's crucial to set up the DH key exchange well. And that's where Dabrowski, Gegenhuber and colleagues point the finger at the whole industry, not just ZTE: configurations are incomplete and mobile operators' gateways are misconfigured. What's shocking is how often they allow downgrades to less secure DH keys; this is exactly where an attacker will force a downgrade by injecting an error message (either towards the network gateway or towards the end device). The shorter a key of a given type is and the longer it remains valid, the easier it is for an attacker to crack the DH encryption.
The Austrians tested around 250 mobile networks worldwide as well as four different cell phone chip families, with surprising results. Two mobile networks support only DH1 (768 bits) for Voice over WiFi, which well-resourced researchers can crack in a limited time. 77 networks offer only DH2 (1024 bits), which organized criminals and, of course, intelligence services can crack, even though the standards organization 3GPP has never suggested using the shorter DH2 key.
Another dozen network operators support both insecure key exchange methods DH1 and DH2. If you also count the old DH5 with a key length of 1536 bits, 93 percent of network gateways fail: they support Diffie-Hellman key lengths that have been considered inadequate since 2015.
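To make the two points above concrete, the negotiation of the longest common key length in the IKE exchange and the audit of gateways that still accept weak groups, here is an added Python example. It is not code from the researchers, from ZTE or from any operator. The mapping from IKE group number to modulus size (DH1 = 768, DH2 = 1024, DH5 = 1536 bits, plus the 2048-bit-and-up groups) is the standard MODP list; the 2048-bit minimum is an assumed policy, and every gateway and handset profile in it is constructed sample data, not a scan result.

```python
# Added example: models the IKE Diffie-Hellman group selection described in the
# article and audits constructed gateway profiles for weak groups.  Not code from
# the researchers, ZTE or any operator.  The group-to-size table is the standard
# IKE MODP group list; the 2048-bit minimum is an assumed policy; all gateway and
# handset profiles below are constructed sample data.

# IKE MODP groups named in the article (DH1, DH2, DH5) plus the 2048-bit-and-up
# groups: group number -> modulus size in bits.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Assumed policy: anything below 2048 bits (group 14) is treated as weak.
MIN_BITS = 2048


def negotiate(client_groups, gateway_groups):
    """Return the strongest DH group both sides support, or None if the
    proposal sets do not overlap (the selection the standard intends)."""
    common = set(client_groups) & set(gateway_groups)
    if not common:
        return None
    return max(common, key=DH_GROUP_BITS.__getitem__)


def downgrade_floor(client_groups, gateway_groups):
    """Weakest group the exchange can end up with if every stronger common
    proposal is rejected: this is what a gateway that still accepts weak
    groups exposes, even when the normal negotiation would pick a strong one."""
    common = set(client_groups) & set(gateway_groups)
    if not common:
        return None
    return min(common, key=DH_GROUP_BITS.__getitem__)


def audit_gateway(name, gateway_groups, min_bits=MIN_BITS):
    """Classify one gateway profile: FAIL if it accepts any group below
    min_bits, because such a group can become the negotiated one."""
    weak = sorted(g for g in gateway_groups if DH_GROUP_BITS[g] < min_bits)
    return {
        "gateway": name,
        "strongest_bits": max(DH_GROUP_BITS[g] for g in gateway_groups),
        "weakest_bits": min(DH_GROUP_BITS[g] for g in gateway_groups),
        "weak_groups": weak,
        "verdict": "FAIL" if weak else "OK",
    }


# Constructed gateway profiles mirroring the categories the article describes.
SAMPLE_GATEWAYS = {
    "net-a": [2],            # offers only DH2 (1024 bits)
    "net-b": [1, 2],         # offers only DH1 and DH2
    "net-c": [5, 14],        # offers 2048 bits but still accepts DH5 (1536)
    "net-d": [14, 15, 16],   # 2048 bits and up only
}


def audit_all(gateways=None):
    """Audit every gateway profile and return one report per gateway."""
    gateways = SAMPLE_GATEWAYS if gateways is None else gateways
    return [audit_gateway(n, g) for n, g in gateways.items()]


def failure_share(reports):
    """Fraction of audited gateways that accept at least one weak group."""
    failed = sum(1 for r in reports if r["verdict"] == "FAIL")
    return failed / len(reports) if reports else 0.0


if __name__ == "__main__":
    # Constructed handset profile: offers strong groups but, as many devices
    # do for compatibility, still lists the older ones as well.
    handset = [2, 5, 14, 15, 16]
    for r in audit_all():
        groups = SAMPLE_GATEWAYS[r["gateway"]]
        print(f"{r['gateway']}: {r['verdict']} weak={r['weak_groups']} "
              f"negotiated=group {negotiate(handset, groups)} "
              f"floor=group {downgrade_floor(handset, groups)}")
    print(f"failure share: {failure_share(audit_all()):.0%}")
```

The point the audit makes is the one the researchers make: it is not enough that a gateway can negotiate a 2048-bit group with a modern handset. If it still accepts DH5 (net-c), the exchange can end at 1536 bits once the stronger proposals are rejected, so the gateway is graded by the weakest group it accepts, not the strongest it offers.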