Forgot your password?
typodupeerror
Encryption IT

Satellite Phone Encryption Cracked 54

Posted by Soulskill
from the our-fictional-military-characters-are-in-trouble dept.
New submitter The Mister Purple writes "A team of German researchers appears to have cracked the GMR-1 and GMR-2 encryption algorithms used by many (though not all) satellite phones. Anyone fancy putting a cluster together for a listening party? 'Mr. Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000. His demonstration system takes up to half an hour to decipher a call, but a more powerful computer would allow eavesdropping in real time, he said.'"
This discussion has been archived. No new comments can be posted.

Satellite Phone Encryption Cracked

Comments Filter:
  • by houstonbofh (602064) on Friday February 03, 2012 @07:45PM (#38922273)
    Now that the secret is out, just buy a used one off eBay from the NSA.
  • sony's psn botnet (Score:1, Insightful)

    by crutchy (1949900)
    so they strung a few playstations together... PSN is really just a huge botnet that Sony uses to crack encryption of all sorts. How do you think they're going to sue (save) people that use SSH or VPN from illegally downloading pirated copies of "Not Another Teen Movie"?
    • by Dynedain (141758)

      PSN is really just a huge botnet that Sony uses to crack encryption of all sorts.

      Sony manufactured every device connected to PSN. They don't need a botnet as they have the proven manufacturing capability to build the hardware necessary.

  • by munozdj (1787326) on Friday February 03, 2012 @07:53PM (#38922345)
    These guys have once again proven that security through obscurity is not a sensible strategy. If the codes were published in due time, the flaw could have been found with enough time to allow for preventive measures to be deployed. (I know there are a lot of inferences in the sentence, but it seems plausible to me, taking into account what has happened with other algorithms (DES, anyone?))
    • by saleenS281 (859657) on Friday February 03, 2012 @08:08PM (#38922521) Homepage
      You're assuming they want it truly secure. Reality is governments around the world want backdoors.
      • by fauxhemian (1281852) on Friday February 03, 2012 @08:31PM (#38922755)
      • by Anonymous Coward

        You're assuming they want it truly secure. Reality is governments around the world want backdoors.

        It also depends when the protocols were designed.

        Today compute is cheap, and so more complex encryption algorithms are generally a no-brainer. However, if you go back just a few years, running complex algorithms would have sucked power (i.e., battery) at an unacceptable rate. The engineering trade off was between security and power (and perhaps throw in bulk as well, depending on the chip sizes in the pre-SoC days).

        If one had a clean sheet design now, you'd probably go with AES and DH/RSA/elliptical curve,

      • by hairyfeet (841228) <bassbeast1968@gma i l . com> on Saturday February 04, 2012 @02:40AM (#38924837) Journal

        While i'm sure that is true to a point, everyone seems to forget just how fricking fast we jumped on computing power. When i first started toying with computers in the early 80s we measured memory in bytes and the multimillion dollar supercomputers had less computing power than that $8 calculator at Fred's. In just 30 years we went from computers measured in single digit MHz cost nearly as much as a car to being able to build a DIY PC for $1000 that could run every single major OS of the last 20 years at the same time. Hell just look at the beginning of this century, where we had just broken the GHz barrier and having 512Mb of RAM meant you had some cash to blow. Who would have thought then that just 12 years later we'd be looking at machines with dozens of CPUs and huge pools of RAM and hundreds of specialized graphical cores we could run our own code on?

        The sat phone system IIRC was designed in the mid 80s and put up in the early 90s correct? i can see them simply not seeing the huge leaps that we would make nor would the tech of the time have been able to process crypto hard enough not to be at risk from these modern monsters. If we keep leaping ahead with regards to computing power as we have been these past 15 years I don't even want to think about how big and complex an encryption system you'll need to protect yourself from what the average geek will have sitting on his desk in 2030.

        • by sudonim2 (2073156)
          Iridium sats operate @200MHz [wikipedia.org]. My, nearly obsolete, cell phone is 2.5x as powerful as an Iridium satelite. That's why microsatelites are the future. They're cheap enough to send dozens up at once, which allows you to update the network more easily.
          • by hairyfeet (841228)

            Geez I've honestly thrown away computers 5 times that powerful because they were so wimpy i couldn't think of anything to do with them. i don't think the future is the microsat simply because smaller equals easier broken and with all the space junk we got whizzing around up there something the size of a pebble at that speed could fuck your microsat all to hell and add yet more debris.

            No I think the answer will be that space tug idea we saw the other day and then doing like we would here on earth and simpl

    • by t4ng* (1092951)
      Since GMR is GSM adapted for satellite communications, I'm guessing that the fall of GMR was inevitable since GSM has been cracked.
    • by slew (2918) on Friday February 03, 2012 @09:21PM (#38923159)

      (...taking into account what has happened with other algorithms (DES, anyone?))

      Not sure you really have a good example there. Apparently, the NSA helped IBM select the S-box for DES and didn't give any explaination for this. Contemporary cryptographers (e.g, Diffie and Hellman) were up-in-arms that the NSA was trying to put a backdoor into DES and questioned the secrecy of the development of the process. Little did they know that the NSA was just collaborating with IBM to avoid a potential weakness in the random S-boxes to be more robust against differential analysis attacks.

      Certainly as a general rule security through obscurity is not a great general strategy, however, DES probably isn't a good example to illustrate this since at the time, the NSA knew much more about breaking encryption than contemporary public cryptographers.

      To me, it's like you're a CPA/EA and letting your know-it-all teenager check over your tax return. Maybe they'd find some mistake or deduction that you didn't find, or maybe they will figure out how much money you make and want a raise in their allowance. It's a tradeoff for sure. But it isn't like taking your return to H&R Block and asking them to check it over. Maybe it's more like the H&R Block situation now, but with DES back in the 70's, it was sorta more like the teenager situation.

      • by AHuxley (892839)
        Re : "IBM to avoid a potential weakness in the random S-boxes"
        http://cryptome.org/nsa-v-all.htm [cryptome.org] "For this reason IBM developed Lucifer* with a key 128 bits long. But before it submitted the cipher to the NBS, it mysteriously broke off more than half the key."
        "As a result of closed-door negotiations with officials of the NSA, IBM agreed to reduce the size of its key from 128 bits to 56 bits. The company also agreed to classify certain details about their selection of the eight S-boxes for the cipher." *Luc
  • I'm sure this violates some wiretapping laws - but how are "they" going to find out? No matter: the equipment and means to crack these calls will be outlawed, because only outlaws will have them.

  • Just record all the transmitted data and you can decrypt in half an hour. The cluster will just let you listen sooner but it's unnecessary.

    (i am assuming it doesn't do frequency hopping since it's working in a narrow satellite band).

  • by mark-t (151149) <markt@lynx . b c.ca> on Friday February 03, 2012 @08:26PM (#38922709) Journal

    Is it really so hard to use an encrypted key exchange, such as DHKE, to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?

    Such key exchanges practically scream "USE ME" for situations like encrypting anything being transmitted over the air, such as cell phone usage.

    Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM, at least not until somebody develops an other efficient algorithm to solve the discrete log problem, or unless they had a quantum computer on the job that is more powerful than any ever yet built,

    • by mcrbids (148650)

      Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM

      I don't get it. Somehow, you seem to have missed that one of the main points of a key exchange is to protect you from a MITM attack? See: Certificates, how do they work? [tldp.org] You even said: "to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?"...

      Well, if they could do a MITM, wouldn't they be listening in?

      (cough)

      • by mark-t (151149)
        You can't readily be an MitM for OTA broadcasts though, unless relays are involved, and you can guarantee to be able to fake one of the relays.
      • by mark-t (151149)
        Oh, also, the purpose of a key exchange is *NOT* to protect you from an MitM. The purpose of a key exchange is to protect you from eavesdropping, since with a key exchange no unencrypted data *EVER* appears on the wire or in the broadcast. With an MitM, that wouldn't matter, since an MitM could intercept the communication and pretend to abide by the key exchange protocol for both sides, using the opportunity to actually acquire the encryption sequence that is to be used for the remainder of the transmiss
        • by emj (15659)

          Basically
          * key exchange -> you need to be a man in the middle for every call.
          * public key/private key -> you just need to listen to the traffic, and decrypt it with keys acquire before or after listening.

          • I don't know what point you think you're making here.

            In the digital age, being a MitM for [i]every[/i] conversation of interest is very easy - if you can do it once, you can do it pretty much ad nauseum. The whole point of encryption is the fundamental recognition that modern communications let's just about anybody listen in, at any time, without too much trouble.

    • by slew (2918) on Friday February 03, 2012 @09:41PM (#38923301)

      The problem wasn't really the key exchange (which is also problematic as it uses the A3 authentication technique similar to SIM), but the actual cipher itself was weak.

      As an example, you could use DHKE to exchange keys, but if you cipher is E(data) = ROT13(data^key), you have a problem.

      Of course they didn't use that poor a cipher, but the cipher they did use was running in software on a dsp, so it had to be simple, so for GMR-1, they chose to XOR the data with a jittered LFSR (similar to GSM encryption). The techniques used to break GSM encryption apparently work great for GMR as well. I don't yet know many details about GMR-2, but it appears to have different weaknesses than GMR-1 (something related to being based on 8-bit math and incomplete key-data mixing).

      However, yet they could have done better, but they probably just wanted something that could run on a low-power DSP that already existed on the phone.

      • by mark-t (151149)
        More probable is that they would use an RSA-based key exchange, which cannot ever be solved in polynomial time (because you never see either party's key in the transmission)
      • by tlhIngan (30335)

        Of course they didn't use that poor a cipher, but the cipher they did use was running in software on a dsp, so it had to be simple, so for GMR-1, they chose to XOR the data with a jittered LFSR (similar to GSM encryption). The techniques used to break GSM encryption apparently work great for GMR as well. I don't yet know many details about GMR-2, but it appears to have different weaknesses than GMR-1 (something related to being based on 8-bit math and incomplete key-data mixing).

        Well, here are the problems.

  • Doesn't Matter (Score:5, Informative)

    by zulux (112259) on Friday February 03, 2012 @11:21PM (#38923897) Homepage Journal

    The original Motorola Iridium satellite phone has a NSA high-encryption pack available for it that fits in the back - this model with the DOD pack or a a more modern Iridium phone with another type of sleeve that I've never seen myself, is how secure communication is done over the Iridium network.

  • The encryption is a trade-off between performance and security. And you don't want too much lag caused by the encryption so that means it has to be relatively simple.

    And what this does is to allow the average person to eavesdrop on satellite calls in his/her area. It's something that at least some governments already have done for years. Or what do you think that Echelon [wikipedia.org] has been doing all these years?

  • What about setting up a project to do offer live listening to sat phone feeds at ohm2013.org?

There is hardly a thing in the world that some man can not make a little worse and sell a little cheaper.

Working...