Satellite Phone Encryption Cracked 54
New submitter The Mister Purple writes "A team of German researchers appears to have cracked the GMR-1 and GMR-2 encryption algorithms used by many (though not all) satellite phones. Anyone fancy putting a cluster together for a listening party? 'Mr. Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000. His demonstration system takes up to half an hour to decipher a call, but a more powerful computer would allow eavesdropping in real time, he said.'"
Now that the secret is out... (Score:3)
sony's psn botnet (Score:1, Insightful)
Re:sony's psn botnet (Score:4, Funny)
Yeah, 'cause downloading bad movies is more fun with 9,6kbps over iRIDIUM....
It would probably be cheaper to make the movie than download it over iRIDIUM...
Re: (Score:2)
Re: (Score:2)
Sony manufactured every device connected to PSN. They don't need a botnet as they have the proven manufacturing capability to build the hardware necessary.
Re: (Score:3)
Security through obscurity (Score:5, Insightful)
Re:Security through obscurity (Score:5, Insightful)
Re:Security through obscurity (Score:4, Interesting)
Re: (Score:1)
You're assuming they want it truly secure. Reality is governments around the world want backdoors.
It also depends when the protocols were designed.
Today compute is cheap, and so more complex encryption algorithms are generally a no-brainer. However, if you go back just a few years, running complex algorithms would have sucked power (i.e., battery) at an unacceptable rate. The engineering trade off was between security and power (and perhaps throw in bulk as well, depending on the chip sizes in the pre-SoC days).
If one had a clean sheet design now, you'd probably go with AES and DH/RSA/elliptical curve,
Comment removed (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Not exactly (Score:3, Informative)
As sat spectrum is severely limited, GMR transmits nearly no frames with (unused) fixed plain text.
So deciphering it using known plaintext is more difficult than for GSM.
So Yeah, it took them one month since that :
http://events.ccc.de/congress/2011/Fahrplan/events/4688.en.html [events.ccc.de]
video :
http://28c3.mirror.speedpartner.de/CCC/28C3/mp4-h264-LQ/28c3-4688-en-introducing_osmo_gmr_h264-iprod.mp4 [speedpartner.de]
http://28c3.mirror.speedpartner.de/CCC/28C3/mp4-h264-LQ/28c3-4688-en-introducing_osmo_gmr_h264-iprod.mp4.torrent [speedpartner.de]
Re:Security through obscurity (Score:5, Interesting)
(...taking into account what has happened with other algorithms (DES, anyone?))
Not sure you really have a good example there. Apparently, the NSA helped IBM select the S-box for DES and didn't give any explaination for this. Contemporary cryptographers (e.g, Diffie and Hellman) were up-in-arms that the NSA was trying to put a backdoor into DES and questioned the secrecy of the development of the process. Little did they know that the NSA was just collaborating with IBM to avoid a potential weakness in the random S-boxes to be more robust against differential analysis attacks.
Certainly as a general rule security through obscurity is not a great general strategy, however, DES probably isn't a good example to illustrate this since at the time, the NSA knew much more about breaking encryption than contemporary public cryptographers.
To me, it's like you're a CPA/EA and letting your know-it-all teenager check over your tax return. Maybe they'd find some mistake or deduction that you didn't find, or maybe they will figure out how much money you make and want a raise in their allowance. It's a tradeoff for sure. But it isn't like taking your return to H&R Block and asking them to check it over. Maybe it's more like the H&R Block situation now, but with DES back in the 70's, it was sorta more like the teenager situation.
Re: (Score:3)
http://cryptome.org/nsa-v-all.htm [cryptome.org] "For this reason IBM developed Lucifer* with a key 128 bits long. But before it submitted the cipher to the NBS, it mysteriously broke off more than half the key."
"As a result of closed-door negotiations with officials of the NSA, IBM agreed to reduce the size of its key from 128 bits to 56 bits. The company also agreed to classify certain details about their selection of the eight S-boxes for the cipher." *Luc
Wiretapping (Score:2)
I'm sure this violates some wiretapping laws - but how are "they" going to find out? No matter: the equipment and means to crack these calls will be outlawed, because only outlaws will have them.
Re: (Score:1)
So next they will outlaw satellite dishes and computer clusters? How is Joe Sixpack going to watch Fox 'news' now?
Forget the cluster (Score:2)
Just record all the transmitted data and you can decrypt in half an hour. The cluster will just let you listen sooner but it's unnecessary.
(i am assuming it doesn't do frequency hopping since it's working in a narrow satellite band).
Re: (Score:2, Offtopic)
It is almost, but not entirely unlike proper grammar.
Re: (Score:2, Insightful)
Is there a variety of "many" that doesn't mean "not all"?
Yes. It's called "many". It means "a large number". You could say for example "Many humans live in the Solar system", even though none have ever lived outside of it.
Re: (Score:1)
Not that you know of, anyway.
Re: (Score:1)
Re: (Score:2)
Does this mean you classify every other form of life on Earth as "human" too? WTF.
And why do you talk as if Panspermia has been proven?
Re: (Score:2)
You don't know that. For all we know, some more-developed race, seeing the Native Americans were going to be wiped out by European settlers, grabbed a bunch of them and planted them on another planet to develop on their own and live in peace, and they're still out there.
http://en.memory-alpha.org/wiki/The_Paradise_Syndrome_(episode) [memory-alpha.org]
Obviously not very likely, but nevertheless, always a possibility. So it is possible, however ridiculously remote, that there's humans, developed on Earth, who are living outsi
Re: (Score:1)
Is sensible encryption really that hard? (Score:5, Insightful)
Is it really so hard to use an encrypted key exchange, such as DHKE, to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?
Such key exchanges practically scream "USE ME" for situations like encrypting anything being transmitted over the air, such as cell phone usage.
Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM, at least not until somebody develops an other efficient algorithm to solve the discrete log problem, or unless they had a quantum computer on the job that is more powerful than any ever yet built,
Re: (Score:2)
Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM
I don't get it. Somehow, you seem to have missed that one of the main points of a key exchange is to protect you from a MITM attack? See: Certificates, how do they work? [tldp.org] You even said: "to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?"...
Well, if they could do a MITM, wouldn't they be listening in?
(cough)
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Basically
* key exchange -> you need to be a man in the middle for every call.
* public key/private key -> you just need to listen to the traffic, and decrypt it with keys acquire before or after listening.
Re: (Score:2)
I don't know what point you think you're making here.
In the digital age, being a MitM for [i]every[/i] conversation of interest is very easy - if you can do it once, you can do it pretty much ad nauseum. The whole point of encryption is the fundamental recognition that modern communications let's just about anybody listen in, at any time, without too much trouble.
Re: (Score:2)
Re:Is sensible encryption really that hard? (Score:5, Informative)
The problem wasn't really the key exchange (which is also problematic as it uses the A3 authentication technique similar to SIM), but the actual cipher itself was weak.
As an example, you could use DHKE to exchange keys, but if you cipher is E(data) = ROT13(data^key), you have a problem.
Of course they didn't use that poor a cipher, but the cipher they did use was running in software on a dsp, so it had to be simple, so for GMR-1, they chose to XOR the data with a jittered LFSR (similar to GSM encryption). The techniques used to break GSM encryption apparently work great for GMR as well. I don't yet know many details about GMR-2, but it appears to have different weaknesses than GMR-1 (something related to being based on 8-bit math and incomplete key-data mixing).
However, yet they could have done better, but they probably just wanted something that could run on a low-power DSP that already existed on the phone.
Re: (Score:2)
Re: (Score:3)
Well, here are the problems.
Doesn't Matter (Score:5, Informative)
The original Motorola Iridium satellite phone has a NSA high-encryption pack available for it that fits in the back - this model with the DOD pack or a a more modern Iridium phone with another type of sleeve that I've never seen myself, is how secure communication is done over the Iridium network.
Re: (Score:3)
yea total rip off. Paying for a network that scales by about $5m for every 1000 concurrent callers you wish to add to your network should be free.
Not surprising. (Score:2)
The encryption is a trade-off between performance and security. And you don't want too much lag caused by the encryption so that means it has to be relatively simple.
And what this does is to allow the average person to eavesdrop on satellite calls in his/her area. It's something that at least some governments already have done for years. Or what do you think that Echelon [wikipedia.org] has been doing all these years?
ohm2013.org idea? (Score:2)