The GEA/1 encryption algorithm used by GPRS phones in the 1990s was seemingly designed to be weaker than it appears to allow eavesdropping, according to European researchers.
The algorithm was introduced in 1998 by the European Telecommunications Standards Institute (ETSI). It was supposed to provide 64-bit encryption for data traffic, such as emails and information fetched from the web. A paper just out by academics at Germany’s Ruhr-Universität Bochum, with help from Norwegian and French experts, has found [PDF] that GEA/1 only really offered 40-bit encryption, by design, and the way encryption keys were subdivided made the system relatively easy to break if you knew how at the time.
“According to our experimental analysis, having six correct numbers in the German lottery twice in a row is about as likely as having these properties of the key occur by chance,” team co-lead Dr Christof Beierl said.
There may well be an obvious reason for this. In the late 1990s strong encryption still had an uncertain legal status, and many countries had prohibitions on the export of such technology. The GEA/1 standard makes no mention of this, according to the paper, though France for one at the time had rules regarding anything over 40-bit encryption.
Once regulations on encryption were relaxed a year later, ETSI released GEA/2, and GEA/1 was officially retired in 2013. The team said the second-generation GEA algorithm was more solid, and the more advanced GEA/3 system is now predominant in the industry. There is a GEA/4 that’s even stronger, though this isn’t prioritized, we’re told. For what it’s worth, GEA/2 has been considered broken for a while now by the gprsdecode tool, just like GEA/1, and GEA/3 is partially broken. In other words, we all know GEA/1 is bad: don’t panic over this research.
“My guess is that GEA/2 was designed when export restrictions have already been a bit relaxed,” Beierl told The Register.
Crucially, GEA/1 is still hanging around as a backup algorithm in some modern Google Android and Apple iOS handsets, the researchers found, whereas the specifications have banned it. The university team is pushing for GEA/1 and GEA/2 to be removed from today’s phones so it’s no longer a problem.
More importantly, though, the fact remains that GEA/1 users were never told that their supposedly secure data traffic really wasn’t.
“GEA/1 came first, and then GEA/2 came later as a relaxation of export control rules, but the cipher designers didn’t say what that meant,” Professor Matthew Green of the Johns Hopkins Information Security Institute, told El Reg.
“That is: they didn’t say ‘we are sabotaging this cipher but not the next one,’ they just shipped them and didn’t give design specifications for the first one. Overall there seems to be a pattern of deliberately weak encryption coming out of European standards bodies in the 1990s to 2000 timeframe. I think this was unfortunate and probably did damage to people in the long run.”
And while GEA/1 on handsets is a limited issue, Green pointed out that it’s an interesting attack vector that can be exploited fairly simply. A rogue phone mast can downgrade a nearby handset’s data traffic encryption to GEA/1 if the phone still supports it, which can be cracked, or perhaps even to GEA/0 which has no encryption at all.
“[The standard] creates ‘downgrade attacks’ where phones support both algorithms, but a clever attacker can force your phone to use the weak algorithm and then break the encryption,” he explained. “There are devices called stingrays that do this for law enforcement, but I doubt law enforcement are the only people who have access to this technology.”
Do as I do
Not that it’s a European problem alone – GEA/1 was used worldwide. We’re also reminded of the time it was claimed RSA accepted $10m to use by default a flawed random number generator championed by the NSA. That created an awkward tension in the infosec world, leaving a bad taste in the mouth, as did this latest revelation, Green said.
“I can’t tell you if one million experiments is sufficient to absolutely rule out a deliberate effort to weaken the cipher in this case,” he told us.
“I can tell you that it smells terrible. It’s like finding a trail of blood leading from the scene of a murder back to a suspect’s house. Plenty of innocent explanations, sure, I guess, but it makes you want some explanations.” ®