What is the call interception threat in LTE, and how does the ciphering indicator help?
Renegotiation attacks may enable man-in-the-middle attacks that establish an unencrypted connection to a device making a phone call, letting the attacker listen in. The ciphering indicator feature (3GPP TS 22.101) would alert the user when calls go over an unencrypted connection.
The threat:
- Renegotiation (downgrade) attacks may also allow MitM attacks to establish an unencrypted connection to a device that is making a phone call
- With no encryption, the attacker may be able to listen to the phone call
The mitigation — the ciphering indicator:
- The ciphering indicator feature, discussed in 3GPP TS 22.101, would alert the user if calls are made over an unencrypted connection
- The idea: the phone shows a visible warning ("this call is not encrypted") so the user knows something is wrong
Why it often doesn't help in practice: the ciphering indicator is a specified feature, but handset manufacturers historically disabled or hid it — so users get no warning even when downgraded. This is a recurring LTE-security theme: the protection exists in the spec but isn't enforced or surfaced by default.
Tip: Call interception in LTE is usually a consequence of a successful downgrade, not a direct break of LTE crypto. Stop the downgrade and you stop the interception.
Go deeper:
Mobile data interception from the interconnection link — Silke Holtmanns (CCC 34c3, 2017) — interception from the other side: a MitM mounted via the Diameter-based interconnection between operators, not the radio — showing the attack surface isn't only the air link.