Researchers: Don't trust satellite phones, encryption broken

Two researchers, Be­ne­dikt Dries­sen and Ralf Hund, managed to break the proprietary ciphers used for satellite phones, GMR-1 and GMR-2. In a public talkabout their discovery, the researchers said, "Don't trust satellite phones".

While satellite phones have been mostly replaced by GSM/CDMA phones in consumer markets, such telecommunications devices are still used today by governments, military, relief and non-governmental organizations, businesses and even individuals in remote locations where cell phone towers are not an option. According to the researchers, there are current several hundred thousand satellite phone subscribers.

The researchers were able to reverse engineer the cryptographic algorithms utilized by the phones after analyzing freely-available firmware intended for updating their DSP (digital signal processor) chips. Because the ciphers are completely mathematical and don't employ the use of private keys, anyone who can receive a satellite phone transmission and knows the cipher's algorithm can easily eavesdrop on an intentionally private conversation.

"Even though a niche mar­ket com­pa­red to the G2 and G3 mo­bi­le sys­tems, there are se­ver­al 100,000 sat­pho­ne sub­scri­bers world­wi­de. Given the sen­si­ti­ve na­tu­re of some of their ap­p­li­ca­ti­on do­mains (e.g., na­tu­ral di­sas­ter areas or mi­li­ta­ry cam­paigns), se­cu­ri­ty plays a par­ti­cu­lar­ly im­portant role for sat­pho­nes. In this paper, we ana­ly­ze the en­cryp­ti­on sys­tems used in the two exis­ting (and com­pe­ting) sat­pho­ne stan­dards, GMR-1 and GMR-2. The first main cont­ri­bu­ti­on is that we were able to com­ple­te­ly re­ver­se en­gi­neer the en­cryp­ti­on al­go­rith­ms em­ploy­ed. Both ciph­ers had not been pu­bli­cly known pre­vious­ly. We de­scri­be the de­tails of the re­co­very of the two al­go­rith­ms from fre­e­ly avail­able DSP-firm­ware up­dates for sat­pho­nes, which in­clu­ded the de­ve­lop­ment of a cust­om di­sas­sem­bler and tools to ana­ly­ze the code, and ex­ten­ding prior work on bi­na­ry ana­ly­sis to ef­fi­ci­ent­ly iden­ti­fy cryp­to­gra­phic code."

ETSI and Immarsat are the two companies responsible for the GMR-1 and GMR-2 stream cipher standards, respectively. The inherent flaw found within these systems appears to be their disregard for Kerchoff's Principle. This 129-year-old axiom basically states that in order to be truly secure, a cryptosystem should be effectively indecipherable even when the algorithms and processes to generate the obfuscation are exposed. To achieve this, cryptographers have typically employed the use of private keys. Private keys, which are only known by the sender and/or recipient(s), provide a way to "unlock" the encryption so that only intended parties can decipher the information. This thinking also allows open-source cryptosystems to be just as secure as their commercial counterparts even though the inner-workings of such systems are fully exposed to the public.

"The se­cond main cont­ri­bu­ti­on lies in the cryp­t­ana­ly­sis of the two pro­prie­ta­ry stream ciph­ers. We were able to adopt known A5/2 ci­pher­text-on­ly at­tacks to the GMR- 1 al­go­rithm with an aver­a­ge case com­ple­xi­ty of 232 steps. With re­spect to the GMR-2 ci­pher, we de­ve­lo­ped a new at­tack which is power­ful in a known-plain­text set­ting. In this si­tua­ti­on, the en­cryp­ti­on key for one ses­si­on, i.e., one phone call, can be re­co­ver­ed with ap­pro­xi­mate­ly 50?65 bytes of key stream and a mo­de­ra­te com­pu­ta­tio­nal com­ple­xi­ty. A major fin­ding of our work is that the stream ciph­ers of the two exis­ting sa­tel­li­te phone sys­tems are con­s­i­der­a­b­ly wea­ker than what is sta­te-of- the-art in sym­me­tric cryp­to­gra­phy."

 Comments

0