żěè¶ĚĘÓƵ

Flaw in old mobile phone encryption code could be used for snooping

An algorithm from the 1990s used to encrypt mobile phone data was deliberately weakened to allow eavesdropping, claims a team of cryptanalysts. It is possible the flaw could still allow access to some phones in use today
Woman holding a phone
It’s possible that some older phones may be vulnerable to a data encryption flaw
Getty Images/Tetra images RF

An algorithm from the 1990s used to encrypt mobile phone data was deliberately weakened to allow eavesdropping, claims a team of cryptanalysts. It is possible the flaw could still allow access to some phones in use today.

“It’s a nice weakness, from a technical point of view. But it’s still not good to build it. Probably many people were involved,” says at Ruhr University Bochum in Germany, part of the team that identified the weakness.

The encryption algorithm in question, known as GEA-1, was first introduced in 1998 when mobile phone networks began allowing data communication for web browsing, text messages and email – these were 2G and 3G networks, as opposed to the newer 4G and 5G networks that use different algorithms.

The GEA-1 code was never made public for security reasons, but Beierle and his colleagues obtained a copy of it from an anonymous source and scoured it for signs of a backdoor. They found a bug that meant its supposed 64-bit encryption keys were actually reduced to 40-bit, making it vastly easier to break into.

at Johns Hopkins University in Baltimore, Maryland, says that the reduction in key length would make breaking in 16,777,216 times less computationally intensive than it should have been.

The researchers say that the flaw occurs because two vital parts of the algorithm have a coincidental relationship that makes them less random than they should be. The team did a statistical analysis on generating these parts to see how likely such an error would be, and found that in a million attempts they didn’t replicate the problem. They claim that this rules out the idea that it was accidental.

at the University of Surrey, UK, says the discovery is shocking. “The chances of it happening and it being an accident are greater than winning the lottery. The corollary is that someone did this deliberately. And that’s a problem because it’s still around today in some ways, you have to be backwards compatible.”

Countries throughout Africa, Central America and South America still use 2G and 3G networks, while many other nations use it as a backup system. The European Telecommunications Standards Institute (ETSI), which oversees the creation of phone network standards, prohibited the inclusion of GEA-1 in phones from 2013 onwards as part of routine efforts to upgrade security as computing power increases. But the researchers found that it was still present in the Apple iPhone 8 and XR from 2017 and 2018, respectively, and the Samsung Galaxy S9, also released in 2018, as well as some other phones running Google’s Android operating system.

The team revealed details of the flaw to the ETSI and the phone manufacturers found to still be using it ahead of publication so that they could rectify the problem. Apple told żěè¶ĚĘÓƵ that iPhone 12 models don’t support GEA-1, and that support has been removed from iPhone 7 to 11 models. iPhone SE and 6s models will be updated to remove the algorithm later this year, it said. Google told żěè¶ĚĘÓƵ that it has removed the code from new devices and that other Android phone manufacturers would be following suit. Samsung didn’t respond to a request for commentĚýbefore publication.

This flaw matters today because when devices open a communications channel, they begin with modern security standards, and then work backwards until they reach the most recent level of technology that both devices support. It is feasible that an attack could be staged where a phone is asked to revert back to an old standard, such as GEA-1, and that the data could then be unencrypted using this weakness. A “G” symbol appears next to your network connection when using this old standard.

“That’s the problem with these things,” says Woodward. “They have a long, long tail. It opens up a can of worms.”

The ETSI is an independent organisation with 900 members that include universities, companies and government organisations. It has a committee called the Security Experts Group (SEG), which approvesĚýconfidential standards in order to check that they are watertight. żěè¶ĚĘÓƵ asked the ETSI who was on the SEG at the time that GEA-1 was passed, but it didn’t respond directly to the question. A spokesperson said that the organisation “followed the export control regulations” in place at the time.

The spokesperson said GEA-1 was developed in 1998, when regulations limited the strength of encryption that could be exported, but didn’t specify which regulations. “When these were eased a year later, ETSI members introduced GEA-2,” the spokesperson says. The research team which found the GEA-1 flaw also discovered weaknesses in GEA-2 but they were less severe and were more plausibly accidental.

It is public knowledge that Western nations have placed export controls on various technologies, including encryption software, since the cold war era. In the 1990s, the US restricted exports of software with encryption keys over 40 bits. In 1999, the year after GEA-1 was developed, this restriction was lifted to 56 bits. Other nations, such as France, made similar changes around the same time.

Beierle says the flaw was a clever way of meeting a 40-bit limit on encryption, while also making the software appear to be a more powerful tool. It is unknown who created the backdoor or at whose request, or whether it was ever used.

The discovery should be a cautionary tale about other encryption methods, says Green. “In the late 2030s, you should expect a team of researchers to be writing a paper just like this one, except it will be about the encryption you’re using today,” he says.

Cryptology ePrint Archive

Topics: security