Report Finds Phone Network Encryption Was Deliberately Weakened

A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to a new research paper. Motherboard: The paper has sent shockwaves through the encryption community because of what it implies: The researchers believe that the mathematical probability of the weakness being introduced on accident is extremely low. Thus, they speculate that a weakness was intentionally put into the algorithm. After the paper was published, the group that designed the algorithm confirmed this was the case. Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, "from a source." They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

When trying to reverse-engineer the algorithm, the researchers wrote that (to simplify), they tried to design a similar encryption algorithm using a random number generator often used in cryptography and never came close to creating an encryption scheme as weak as the one actually used: "In a million tries we never even got close to such a weak instance," they wrote. "This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations." Researchers dubbed the attack "divide-and-conquer," and said it was "rather straightforward." In short, the attack allows someone who can intercept cellphone data traffic to recover the key used to encrypt the data and then decrypt all traffic. The weakness in GEA-1, the oldest algorithm developed in 1998, is that it provides only 40-bit security. That's what allows an attacker to get the key and decrypt all traffic, according to the researchers.

Very suspicious

[Mononymous]

The fact that this weakness is caused by the exact interaction of the specific algorithms chosen (random choice would have been much stronger) and that the resulting strength is exactly 40 bits very strongly suggests the kind of government interference we're used to.

Re:Very suspicious

[Cpt_Kirks]

It's not suspicious, it's OBVIOUS.

The NSA has done similar things dozens of times, that we know of.

Re:Very suspicious

[sit1963nz]

And this is why the rest of the world can NOT rely on the USA anymore than it can rely on China.

Re:Very suspicious

[ravenshrike]

Just to be clear, you do realize this was a Euro endeavor right? Almost like the lesson is you can't trust the government or something.

Re:Very suspicious

[HiThere]

Close. The lesson is that you can't trust those who have power over you. Government is one such entity, but hardly the only one.

What you usually *can* trust them to do is to act in ways that make their job easier. They are much less worried about you then about their own selves. Remember, the organization is (currently) an illusion created by numerous people in constrained circumstances acting for what they see as their own benefit.

Re:

[gTsiros]

How about we trust no person, physical or legal, and instead we trust mechanisms after close examination of their operation?

Someone hands me a piece of electronics and tells me "this encrypts stuff" might as well be a piece of coathanger wire (as far as the security it provides i mean), I can in no way verify what it actually does and the promises made by the ones providing it are as worth as the piece of wire.

Re:Very suspicious

[HiThere]

Trusting no one is self-destructive. But you need to be selective in who and how much you trust. To no one, including yourself, should you give ultimate trust. But there are lots of degrees between ultimate trust and total lack of trust.

Re:

[AnonymousNoel]

My mum is pretty gullible, but as she says "I'd rather be fooled some of the time, than be suspicious all of the time.".

Can't really fault that as a philosophy, even though I don't personally subscribe to it..

Re:

[fish_sauce]

"ultimate trust" - Me having full access to some of my friends bank accounts. I help them manage their money and expenses. Can empty their accounts easily. Not that I ever would.

When it comes to software, open source is the way to go. Everything in the open with many smart people looking over it independently. Zero trust is needed. That's one of the reasons I like open source.

Re:

[AleRunner]

The standardisation process had a number of US companies and bodies involved. If I remember correctly the encryption was changed during that process.

Re:

[sabt-pestnu]

... and the number of people with a real voice in the standardization process who thoroughly understand cryptography - and the implications of the algorithm that was presented - can probably be counted on the fingers of no hands.

Re:Very suspicious

[AmiMoJo]

Can't rely on anything developed by governments or corporations, when it comes to crypto and security.

Corps have been found to be fronts for government agencies before, and as vulnerable to legal attacks.

Re:

[larryjoe]

And this is why the rest of the world can NOT rely on the USA anymore than it can rely on China.

That the people (in the US and outside) should be suspicious of US-led encryption is suggested by this story. That the US and China deserve equal scrutiny and distrust may be true but is neither obvious nor supported by this story. This assertion of equivalence is lazy.

Re:Very suspicious

[piojo]

And this is why the rest of the world can NOT rely on the USA anymore than it can rely on China.

Surely you are joking! I cannot have private digital conversations with my friends inside China. Every tool gets co-opted by the government or blocked. When I use China-approved chat programs, the developer and the government can read everything I write, with no warrant required.

Re:

[bingoUV]

And this is why the rest of the world can NOT rely on the USA anymore than it can rely on China.

Surely you are joking! I cannot have private digital conversations with my friends inside China. Every tool gets co-opted by the government or blocked. When I use China-approved chat programs, the developer and the government can read everything I write, with no warrant required.

And ? I am waiting for you to make your point.

Re: Very suspicious

[dislexic]

You should tweet about that in Chinaâ¦. Oh they donâ(TM)t have Twitter in China? Huh, interesting. Facebook? Nope. Tank man or Poo Bear? Nope. Rampant racism in China? Yup. Currency manipulation? Yes. Espionage and ridiculous amounts of IP theft? Yeah plenty of that. Complete government control over news media? Y. They eat dog? Ehem⦠Yes. Fishing all of the oceans for literally all of the fish? Yeah. Unchecked spying on all of its people and capability to spy around the world with

Re:

[MooseTick]

A. You should tweet about that in Chinaâ¦. Oh they donâ(TM)t have Twitter in China? Huh, interesting. Facebook? Nope.
B. In the US, we tried to ban Tik-Tok for "national security" reasons

A. Tank man or Poo Bear? Nope.
B. Congressional review of Congess being overrun Jan 6 by "tourists"? Nope

A. Rampant racism in China? Yup.
B. No racism or history in the US. When the world thinks of race based slavery, China always tops that list.

A. Currency manipulation? Yes.
B. The US would never do that. Except

Re:Very suspicious

[TomWinTejas]

Since we trend much older than other aggregators like Reddit, I'm sure many Slashdotters remember when the NSA tried to push vendors to use the Clipper chip which had numerous vulnerabilities and a key escrow component which the NSA swore they wouldn't use unless it was an imminent threat to national security. Thankfully the EFF was vocal in opposition and the market rejected the "solution"... but it just illustrates the long history of such shenanigan's.

Re:

[HappyHackerness]

The solution to the clipper chip the suggested mandatory use of it was to encrypt your data first, then use the Clipper chip to encrypt it again, so you were encrypting already encrypted data. The law wasn't (yet) taking that into account.

Re:Very suspicious

[Joce640k]

40 bits was mandatory for all "export strength" encryption back in the 90s.

https://en.wikipedia.org/wiki/... [wikipedia.org]

ie. There's no news here, just journalists and Slashdot editors with short memories.

Re:Very suspicious

[Mononymous]

I think you misunderstand. The 40-bit strength here isn't some explicitly specified part of the algorithm, but an emergent property not publicly known until this new report. No one said at time of publication, "We're limiting the strength of this cipher to 40 bits to comply with government requirements."

Re:

[stephanruby]

No one said at time of publication, "We're limiting the strength of this cipher to 40 bits to comply with government requirements."

But honestly, no one is going to advertise those facts.

A deliberately crippled implementation is not something that marketers are going to brag about.

Re:

[cusco]

At that time the only organizations which could afford the systems necessary to crack a 40-bit encryption scheme and which would have had the interest in doing so were governments.

Re:Very suspicious

[williamyf]

40 bits was mandatory for all "export strength" encryption back in the 90s.

https://en.wikipedia.org/wiki/... [wikipedia.org]

ie. There's no news here, just journalists and Slashdot editors with short memories.

40Bit Strenght was mandatory for export FROM THE USoA in the 90's

TFTFY

The thing is, GSM was developed in Europe, and therefore not subjected to that restriction. The sneaky weakening of the encryption of GPRS and GSM Voice was done at the behest of European security agencies, not because any export restrictions.

If that were the case, it would have been explicit, like Windows in that era, which had different versions of the encryption depending on the country where you bought the SW.

Re:Very suspicious

[pipedwho]

Keep in mind that during the final phases before the standard was ratified, the USA was heavily involved in making a few 'changes' to the specs. Some of which were specifically in the area of the cryptographic algorithms. Weakening to 40bits is something very specific - suspiciously to allow manufactured devices in the US to be exported anywhere in the world.

I remember at the time there being a lot of heat on the algorithm design being potentially weak due to possible interactions of LFSRs. It wouldn't surprise me if it was broken after release, but because it couldn't be changed, the 'security alert' would have been silenced. It stands to reason that it was cracked quite a few times by unrelated entities that benefited more from keeping their crack secret.

Re:

[Baki]

Which implies that either the US somehow was able to mislead european experts, or european experts collaborated with hidden weaking of our own mobile network. Both are worrying.

Re:

[Narcocide]

There was never any doubt about this in my mind. The only thing you had to know was that the 128-bit encryption was illegal to export.

Re:

[CubicleZombie]

The article is written like it's some kind of secret conspiracy, then:

"This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations."

Uh, so it's just export regulations.

Re:Very suspicious

[sconeu]

Thanks, guys, I was just coming here to point this out. The late 90s were very much part of the crypto wars. Phil Zimmerman had been investigated by Congress in 1995, but export controls were still a thing. Remember there were two versions of IE, and (technically) two versions of Netscape.

Re:

[alexgieg]

(...) there were two versions of IE, and (technically) two versions of Netscape.

Two versions of the Java Runtime Engine too. I remember you could download the standard one, which came with, I think, 56-bits of encryption, and that was it, our you could in addition download a small file to replace one of those provided by the default installation, which unlocked unlimited-bits encryption. The download page for this extra file had a warning that using it might be illegal in my jurisdiction or something like that. Hence, whenever I updated my JRE I always had to download it too and manual

Re:

[CrappySnackPlane]

Also remember that in the mid-90s and even up to the late 90s, most places were still getting by on DES [wikipedia.org], which had been backdoored by the NSA - the prospect of Europe moving to truly secure data encryption was scary to the powers that be.

Re:

[Joce640k]

DES was never backdoored by the NSA. Quite the opposite: They fixed a weakness in it that made it vulnerable to differential cryptanalysis (although nobody outside the NSA even knew about DC at the time so nobody knew what the change was for).

Even today, DES's only known weakness is the key size.

Re:

[Anonymous Coward]

Even today, DES's only known weakness is the key size.

There definitely are attacks on DES [wikipedia.org] past the limited key size. But it is an interesting historical detail that the design of DES is proof (not that it's a secret anymore) that the NSA knew about differential cryptanalysis decades before it was public knowledge and intentionally made DES as strong as possible against that particular attack.

Re:

[CrappySnackPlane]

They fixed a weakness in it that made it vulnerable to differential cryptanalysis (although nobody outside the NSA even knew about DC at the time so nobody knew what the change was for).

No, IBM independently discovered differential cryptanalysis in 1974, per Don Coppersmith, which they referred to as the Tickle Attack or T-Attack. They kept it secret at the behest of the NSA, who had already discovered it at some point prior.

Even today, DES's only known weakness is the key size.

Which was reduced at the "guidance" of the NSA.

Re:

[sconeu]

No, it wasn't backdoored, but it WAS weakened. The original keysize was 64 bits. NSA had it lowered to 56, which they could bruteforce, but pretty much nobody else.

And yes, the changes to the S-boxes strengthened it against differential cryptanalysis.

Re:

[Narcocide]

Well the issue is they lied to consumers about it, which probably caused or at least allowed very real harm; psychological, physical, and financial. But anyone who was aware there was a separate Netscape download for non-US citizens knew what was up.

Re:

[ToasterMonkey]

Well the issue is they lied to consumers about it, which probably caused or at least allowed very real harm; psychological, physical, and financial. But anyone who was aware there was a separate Netscape download for non-US citizens knew what was up.

When was the strength of the cryptography between phone and cell tower announced to consumers? Or even if it was in use? Psychological harm.. ok... this was during the timeframe most websites MAYBE used SSL only on their login or checkout page "because cpu". Unsecured Wi-Fi networks were the norm, and secured Wi-Fi was known to be a complete joke and banned from any corporate or government networks.

"Mr. Nohl, who said he works for mobile operators who hire him to detect vulnerabilities in their systems,

Re: Very suspicious

[viperidaenz]

When was encryption mentioned to customers? Back in the late 90s.
Digital networks were marketed as being safer than analog, due to encryption.
GSM was said to be better than DAMPS.
BellSouth and later Vodafone when they bought the GSM network here in New Zealand used this as marketing over the competing Telecom AMPS/D-AMPS cellular network.
It was a thing until Telecom upgraded to CDMA2000

Re: Very suspicious

[Etcetera]

When was encryption mentioned to customers? Back in the late 90s.
Digital networks were marketed as being safer than analog, due to encryption.

I mean.... they were safer than analog, which by then everyone knew was something anyone with a scanner could listen in on. (See also: cordless landline handsets.) But that doesn't mean they had state-of-the-art encryption, just "better." I'm sure the FRS/GPRS encryption algorithm is crackable as well, but it's not designed to be impenetrable, just something sufficient for basic separation.

Re:

[Narcocide]

You don't really watch advertisements if you're asking this. The type of lies I'm talking about are probably clearly designated in your head as "acceptable marketing hyperbole" but people who bought cellphones with the optionally enabled encryption features were routinely mislead purposefully with this type of bullshit.

Re:

[PPH]

128-bit encryption was illegal to export

Back when I was setting up my first (e-mail) encryption tools, one did not 'export' the stronger libraries. We all imported them (downloaded from foreign servers).

Re:

[cusco]

Only from the US, I don't think any other countries had that restriction. Even then it was widely ignored, anyone in the world with access to MSDN at that time could just download IE with 128-bit encryption for example.

Re:

[fwad]

This is hardly news. A5/1 has been well known to be crackable in near real time for the last 20 years

Re:

[Joce640k]

Yep.

Re:

[Canberra1]

After Heartbleed, causing fallback to the weakest algorithms is a way of looking good, while leaving a backdoor in plain sight. You will see Apple with that too. What you do NOT see is these weakened algorithms removed, or a huge popup suggesting you do not allow regression., or a flashing bar saying INSECURE CONNECTION in RED. I know many sysadmins who have recompiled OpenSSH etc and left legacy and compromised crypto out altogether, and a stub that logs as a warning - or keeping those for a bit of revenge

Re:

[fish_sauce]

Are you talking about the Open Sesame SMS? It was only for specific encrypted phones as far as I know. No phones today have that vulnerability. Some paranoid people say they changed to something else that is more complicated that requires you to open the phone up and probe the electronics in a specific pattern. This is the point were I tuned out of the conversation. Got way too technical for me. Went over my head.

$5 says the bribe was paid with a check from MD

[smoot123]

Any takers?

Given the scandal about RSA and the CIA from a few years back, you'd be surprised how not surprised I am.

Yet more proof, if you still needed some, that open source encryption algorithms and end-to-end encryption are the only ways to go.

Re:

[Ziest]

If you want to protect your communications you should not use any digital methods. Google the phrase "Moscow Rules"

Re:

[Growlley]

What's Mitch McConnell got to do with this?

It's "by accident", not "on accident."

[mveloso]

I'm not sure how this usage is creeping into the vernacular, but saying "on accident" is completely incorrect. Examples:

"On accident, break glass."
"By accident, broke glass."
"By accident, break glass."

The first is "when an accident occurs, break the glass."

The second is "I broke the glass by mistake."

The third is "try to break the glass accidentally," which doesn't make any sense, given that it completely negates the "mistake" part.

Re:

[awwshit]

"On accident, pissed."
That means I pissed on an accident.

"By accident, pissed."
That means I had way too much to drink.

Re:

[CrappySnackPlane]

I think it might be a New York thing - they also say (or said, not sure how much this has changed in recent years) "on line", as in "I waited on line at the Comcast store for thirty minutes and they still couldn't fix my modem, so I can't get online right now".

Not quite as egregiously bad as "I could care less" or pronouncing the silent "t" in "often", but it still definitely rankles to encounter.

Re:

[Anubis IV]

Not quite as egregiously bad as [...] pronouncing the silent "t" in "often", but it still definitely rankles to encounter.

Oh man. This comment made me question how I say it, since the pronunciation of "often" isn't something I had ever considered. Surely there's a regional accent angle to it, right? Or at the very least "it depends"? The dictionary seems to suggest that the "t" isn't necessarily silent, but that it can be.

So far as I can tell, my own pronunciation seems to be determined by the surrounding words, specifically if the tip of my tongue is coming from or going to the front of my mouth. For instance, in "I'll often

Re:

[CrappySnackPlane]

The "t" in "often" is, as best I can tell, an example of hypercorrection - speakers trying to emulate the speaking of a higher prestige class. Other classic examples are "between you and I" (an object phrase, hence the object form of first-person singular, "me", should be used), or everybody's favorite word, "irregardless". I think it probably has some regional correlation with the Midwest and Canada, but that can easily circle back to the prestige class paradigm.

"Often" stems from the same part of Middle E

Re:

[CrappySnackPlane]

(oh, and for whatever it's worth, the Rolling Stones are British, of course - so it can't just be an American / British thing)

Re:

[Anubis IV]

(oh, and for whatever it's worth, the Rolling Stones are British, of course - so it can't just be an American / British thing)

We actually considered that angle and assumed it may have been something they picked up in their world travels.

Thanks for the great reply. Your counter-rationalization makes a lot of sense, of course.

As for the silent “t”, pragmatically speaking, I suspect the reason “soften” and the other words unequivocally use a silent “t” whereas the non-silent “t” won’t fade away in “often” comes back to the tongue, once again. The leading sounds in thos

Shockwaves? Uhh...

[DigitAl56K]

The paper has sent shockwaves through the encryption community because of what it implies

Doubt it. The deliberate weakening of encryption in the standards has been discussed many, many times, including right here on Slashdot.

Re:

[UnknowingFool]

I seem to remember it making the news that security researchers had discovered all sorts of issues with the cellphone encryption back then like the keys used were deliberately being padded with zeros.

weak encription? how about none

[FudRucker]

back in the late 1990's when cell phones were just starting to become ubiquitous and legislation was being passed to make cellphones private, i owned a police scanner that covered the full 800 MHZ part of the spectrum and i could listen to cell phones in the clear, it was not encrypted at all, those days are long over because i am fairly sure that analog scanner wont hear anything on the cellphone band today because i think they all went to digital so even if you could pick up the radio signal carrier you

Re:weak encription? how about none

[DigitAl56K]

Back in the day one way they "protected" the original analog channels was simply to pass a law that said no scanners sold in the US are allowed to receive those analog cellphone frequencies. Despite nobody using these in-the-clear analog bands today I believe scanners sold to the US are still hobbled due to this.

Re:weak encription? how about none

[FudRucker]

yes, that is true, but there were a lot of scanners that had sections of the 800MHZ spectrum locked out and all you had to do was either move or remove a diode and all the 800MHZ spectrum was accessed, both uniden and realistic had scanners capable of this simple mod

Re:

[williamyf]

You did not need a scaner, if you had a motorola handset, there was an *code to spy all the calls in your Base Station.

Re:

[PPH]

And today (AFAIK) none of the common SDR dongles have those bands locked out.

they all went to digital so even if you could pick up the radio signal carrier you wont hear any audio

Unless the digital content is actually encrypted, most of the common modulation schemes are 'out there' in the wild.

Re:

[Rockoon]

Yes.

If it isnt encrypted then it just doesnt matter any longer how its transmitted. I can put together an SDR kit that can decode any patented transmission scheme. The exceptions of note only prove the rule.

Re:

[CrappySnackPlane]

I remember a protest art project back then where some guy recorded a bunch of random phone conversations and sampled them into an album, probably shitty IDM given the trends of the time.

Think it made headlines in the NYT/NPR circuit, though Google isn't giving much love.

Sadly weakened encryption was normal in the 90's

[williamyf]

The algorithm that encripted Voice (as opposed to this one that encrypted GPRS) was also weakened, at the request of MI5 (IIRC).

Meanwhile, ETSI did all the security theatre. When in 2000 we got the ROMs with the encryption keys for the second MSC of 734-02 (the operator I was working for at the time), the ROMs could not be delivered via FedEx or UPS. No! A guy flew from Europe (Germany, to be more specific) to Venezuela with all the cliches, like the metal briefcase cuffed (I kid you not) to his wrist.

Meanwhile, a person I know (like a cousin to me) that worked in inteligence was demonstrating to me his homegrown solution to Spy GSM voice calls.

Ah, good times. ;-)

PS: And yet, security was better than in Analog/AMPS :-D

Worse, they do it by instinct now

[FeelGood314]

I worked on the implicit certificates for the UK smart grid (MQV certs based on the work by Certicom). It was based on certificates used in North America but they decided to use a longer key and change the order of the fields in the implicit cert. They claimed 128 bit security equivalent (the North American certs use a 167 bit ECC curve so are only 83 bits of security) but by swapping the fields they created a hash collision vulnerability that lead to only 64 bits security. Even after I proved this to GHCQ and everyone else in the industry agreed it was a flaw they decided not to change it. At least the NSA withdrew the two flaws I found. (The other two were incorrect implementation of the random number generator in the original Open SSL, API required to request the last random number used in DSA signing used by early smart phones).

Closed source?

[gTsiros]

By definition and with extreme prejudice untrustworthy.

Yes, i understand the combination seems quite odd.

I want names

[kmoser]

Name the people who are responsible, shame them, and never trust them again.

Not really a surprise

[DivineKnight]

With the revelation that the NSA is listening in on, and recording, every phone call in the US, and attempts by various agencies to destroy what little privacy we supposedly have, I am of the opinion that all encryption has been quietly weakened.

Years from now, we will discover a serious flaw in Signal, and wonder how it got there.

Still at it

[Malifescent]

The NSA and other Five Eyes intelligence agencies are still at it, weakening protocols and algorithms used in Wifi and 5G.

That's why you should only use tunneling algorithms that encrypt the application data with modern or validated ciphers, such as AES.

Re:

[cusco]

That's why you should only use tunneling algorithms that encrypt the application data with modern or validated ciphers, such as AES if you're doing illegal shit.

FTFY. Your other conversations really just aren't that interesting to anyone else.

Re:

[fish_sauce]

The nothing to hide argument is flawed.
https://en.wikipedia.org/wiki/... [wikipedia.org]

Some of us want privacy even if we are only talking about the latest sci-fi tv show or talking shit about our ex's.

For crying out loud I share links to cute animal pictures on an encrypted app. There's no point since they eventually end up on facebook anyway but I still do it for fun.

Re:

[cusco]

To each their own, I suppose. Personally if I'm going to waste time worrying about something it would be whether our niece's cancer comes back or if squatters are going to try to occupy our property in Cusco, not whether someone is snooping on my conversation with my brother. YMMV.

I thought this was a well-known fact

[fintux]

As far as I know, France demanded a backdoor to the GSM encryption. They would have had the option to make it much more difficult to break, but France required having a backdoor so that they can decipher the phone communication more easily. Although I also found out that GSM has a specific non-encrypted mode that is used in France, so it could be that I have mixed up that one. Still, one should always consider any electronic communication as interceptable by a third party.

Very Helpful

[Doctrinsograce]

Yes, making it easier to hack is a way to provide for less talented engineers or less educated engineers -- or even amateur engineers -- to feel more included in this nasty world that so unfairly uses merit as a measure of ability. (Note: This is not sarcasm. Sarcasm is a tool of weak people. Rather, this is irony.)

re:

[MarkUltraBlack]

Weaknesses in security algorithms and protocols are the scourge of public privacy. I believe that everyone has the full right to privacy and no one has the right to encroach on this right. Sorry for the tautology. I recently read on the Internet a lot of terrible angry comments about the work of the Amazon security system, which has gigantic security gaps. This gave me an untranslatable shock. I started looking for options and came across https://ajax.systems/ [ajax.systems] . What do you know about this brand? Is it safe