IT experts reveal:

Providers sloppy with WLAN telephony security

At home, cell phones sometimes use the local WLAN instead of the mobile network. However, some providers have slipped up with the implementation.

(Bild: ©Drobot Dean - stock.adobe.com)

IT security nightmare: At least 13 mobile network operators - including one from Austria - have not used random keys for WLAN telephony (Voice over WiFi/VoWiFi) for years, thus jeopardizing the communication security of more than 140 million customers.

This was reported on Wednesday by Austrian security researchers from SBA Research following a collaboration with the University of Vienna and the CISPA Research Center in Saarbrücken.

Identical keys used
Provider-side tests revealed that some mobile network operators were using the same private keys for key exchange. According to Gabriel Gegenhuber, security researcher at SBA Research and doctoral student in the Security and Privacy research group at the University of Vienna, anyone in possession of these (not so private) private keys could intercept the communication between smartphone and mobile network operator without cracking - i.e. breaking the cryptographic key using very powerful hardware. All mobile network operators involved, the manufacturer and possibly local security authorities have access to the keys.

Furthermore, potential attackers could drastically shorten the key length of new 5G devices with MediaTek chipsets and thus facilitate attacks. Both vulnerabilities have the effect that attackers can listen in on conversations with little effort, as explained in a press release.

WLAN telephony also common in Austria
Voice over WiFi is already supported in Austria by all three major mobile network operators and some virtual operators. In addition to the traditional connection channel via a mobile phone mast (Radio Access Network, RAN), 4G and 5G also offer the option of making calls and sending text messages via WiFi. This is the preferred operating mode for all modern smartphones by default and extends the call radius in areas with poor mobile phone reception, e.g. in reinforced concrete buildings.

As the call data via WLAN is not protected by the 4G or 5G encryption of the RAN, the mobile operator uses IPsec tunnels (Internet Protocol Security) with the IKE protocol (Internet Key Exchange). The security gaps found are not errors in the protocol, but implementation errors on the part of the respective manufacturers, according to the press release.