According to European researchers, the GEA/1 encryption algorithm used by GPRS phones in the 1990s was apparently made weaker than it appeared, seemingly to enable eavesdropping.
The algorithm was introduced in 1998 by the European Telecommunications Standards Institute (ETSI). It was supposed to provide 64-bit encryption for data traffic such as e-mails and information from the Internet. A recently published paper [PDF] by scientists at the Ruhr-Universität Bochum, with the help of Norwegian and French experts, has shown that GEA/1 only ever offered 40-bit encryption, and that the way the encryption key was divided made the system relatively easy to crack for anyone who knew how at the time.
“According to our experimental analysis, these properties of the key are about as likely as getting six correct numbers in the German lottery twice in a row,” said team co-leader Dr. Christof Beierle.
There may well be an obvious reason for this. In the late 1990s, strong encryption still had an uncertain legal status, and many countries had export bans on such technology. The GEA/1 standard doesn’t mention this, according to the paper, although France at the time had rules restricting anything above 40-bit encryption.
After the encryption regulations were relaxed a year later, ETSI released GEA/2, and GEA/1 was officially discontinued in 2013. The team said the second-generation GEA algorithm is more solid, and the more advanced GEA/3 now prevails in the industry. There is a GEA/4 that is even stronger, although it is not prioritized, we are told. GEA/2 has been considered broken by the gprsdecode tool for some time, just like GEA/1, and GEA/3 is partially broken. In other words, we all already know GEA/1 is bad: don’t panic about this research.
“I suspect that GEA/2 was developed when the export restrictions were already being relaxed somewhat,” Beierle told The Register.
Crucially, GEA/1 is still hanging around as a fallback algorithm in some newer Google Android and Apple iOS phones – the iPhone XR and Huawei P9 lite among them – the researchers found, even though the specifications ban it. It shouldn’t be supported at all. The university team is pushing for GEA/1 and GEA/2 to be removed from today’s phones so that they are no longer a problem.
More importantly, GEA/1 users were never told that their supposedly secure traffic really wasn’t.
“GEA/1 came first and then GEA/2 came later as a relaxation of export control rules, but the encryption designers didn’t say what that meant,” Professor Matthew Green of the Johns Hopkins Information Security Institute told El Reg.
“That means: they didn’t say we were sabotaging this encryption but not the next one, they just shipped it and didn’t give design specifications for the first one. Overall, a pattern of deliberately weak encryption seems to come from European standards bodies in the 1990s through the 2000s. I think that was unfortunate and probably harmed people in the long run.”
And while GEA/1 is a limited problem on cell phones, Green pointed out that it’s an interesting attack vector that is pretty easy to exploit. A rogue cell tower can downgrade the encryption of traffic from a nearby handset to GEA/1 if the phone still supports it, after which the traffic can be cracked and read, or perhaps even to GEA/0, which has no encryption at all. Support for GEA/0 and GEA/2 is mandatory according to the specification.
“[The standard] creates ‘downgrade attacks’ where phones support both algorithms, but a clever attacker can force your phone to use the weak algorithm and then crack the encryption,” explained Prof. Green. “There are devices called stingrays that do this for law enforcement, but I doubt law enforcement agencies are the only people who have access to this technology.”
Do like me
Not just a European problem – GEA/1 has been used worldwide. We also remember the time when it was claimed that RSA accepted $10 million to default to a flawed random number generator championed by the NSA. That created uncomfortable tension in the infosec world and left a bad taste in the mouth, just like this latest reveal, Green said.
“I cannot tell you whether a million experiments are enough to absolutely rule out a conscious attempt to weaken the cipher in this case,” he told us.
“I can tell you it smells awful. It’s like finding a trail of blood leading back to a suspect’s home from a murder scene.” ®