Comment by mNovak

5 years ago

Seems like an awfully large oversight to reuse the encryption key between subsequent calls.

I wonder if this works when leaving voicemail in the second call? Since the approach requires a long call for a long decryption, dialing straight to voicemail would be non-cooperative and avoid alerting the victim until after.

It's something so stupid I have to imagine it is deliberate.

  • The argument typically is that good encryption causes the call setup time to be too long and costs battery life, but this indeed is an exceptionally dumb flaw.

    Unless you know what you’re doing it’s hard to test for though, and if you know what you’re doing you wouldn’t make this kind of mistake.

    • Somewhat true, but standards could assist developers with adequate test vectors, explanations and reminders why X or Y is important.