[Libre-soc-dev] new scientist article

Alain D D Williams addw at phcomp.co.uk
Tue Jun 29 23:24:02 BST 2021


Flaw in old mobile phone encryption code could be used for snooping

Technology 17 June 2021

By Matthew Sparkes

Woman holding a phone

It’s possible that some older phones may be vulnerable to a data encryption flaw

Getty Images/Tetra images RF

An algorithm from the 1990s used to encrypt mobile phone data was deliberately
weakened to allow eavesdropping, claims a team of cryptanalysts. It is
possible the flaw could still allow access to some phones in use today.

“It’s a nice weakness, from a technical point of view. But it’s still not good
to build it. Probably many people were involved,” says Christof Beierle at
Ruhr University Bochum in Germany, part of the team that identified the weakness.

The encryption algorithm in question, known as GEA-1, was first introduced in
1998 when mobile phone networks began allowing data communication for web
browsing, text messages and email – these were 2G and 3G networks, as opposed
to the newer 4G and 5G networks that use different algorithms.

The GEA-1 code was never made public for security reasons, but Beierle and his
colleagues obtained a copy of it from an anonymous source and scoured it for
signs of a backdoor. They found a bug that meant its supposed 64-bit
encryption keys were actually reduced to 40-bit, making it vastly easier to
break into.

Matthew Green at Johns Hopkins University in Baltimore, Maryland, says that
the reduction in key length would make breaking in 16,777,216 times less
computationally intensive than it should have been.

The researchers say that the flaw occurs because two vital parts of the
algorithm have a coincidental relationship that makes them less random than
they should be. The team did a statistical analysis on generating these parts
to see how likely such an error would be, and found that in a million attempts
they didn’t replicate the problem. They claim that this rules out the idea
that it was accidental.
Read more: How Apple’s efforts to bring privacy to the masses will change the web

Alan Woodward at the University of Surrey, UK, says the discovery is shocking.
“The chances of it happening and it being an accident are greater than winning
the lottery. The corollary is that someone did this deliberately. And that’s a
problem because it’s still around today in some ways, you have to be backwards compatible.”

Countries throughout Africa, Central America and South America still use 2G
and 3G networks, while many other nations use it as a backup system. The
European Telecommunications Standards Institute (ETSI), which oversees the
creation of phone network standards, prohibited the inclusion of GEA-1 in
phones from 2013 onwards as part of routine efforts to upgrade security as
computing power increases. But the researchers found that it was still present
in the Apple iPhone 8 and XR from 2017 and 2018, respectively, and the Samsung
Galaxy S9, also released in 2018, as well as some other phones running
Google’s Android operating system.

The team revealed details of the flaw to the ETSI and the phone manufacturers
found to still be using it ahead of publication so that they could rectify the
problem. Apple told New Scientist that iPhone 12 models don’t support GEA-1,
and that support has been removed from iPhone 7 to 11 models. iPhone SE and 6s
models will be updated to remove the algorithm later this year, it said.
Google told New Scientist that it has removed the code from new devices and
that other Android phone manufacturers would be following suit. Samsung didn’t
respond to a request for comment before publication.

This flaw matters today because when devices open a communications channel,
they begin with modern security standards, and then work backwards until they
reach the most recent level of technology that both devices support. It is
feasible that an attack could be staged where a phone is asked to revert back
to an old standard, such as GEA-1, and that the data could then be unencrypted
using this weakness. A “G” symbol appears next to your network connection when
using this old standard.

“That’s the problem with these things,” says Woodward. “They have a long, long
tail. It opens up a can of worms.”

The ETSI is an independent organisation with 900 members that include
universities, companies and government organisations. It has a committee
called the Security Experts Group (SEG), which approves confidential standards
in order to check that they are watertight. New Scientist asked the ETSI who
was on the SEG at the time that GEA-1 was passed, but it didn’t respond
directly to the question. A spokesperson said that the organisation “followed
the export control regulations” in place at the time.
Read more: Why is the UK warning Facebook not to encrypt its messaging services?

The spokesperson said GEA-1 was developed in 1998, when regulations limited
the strength of encryption that could be exported, but didn’t specify which
regulations. “When these were eased a year later, ETSI members introduced
GEA-2,” the spokesperson says. The research team which found the GEA-1 flaw
also discovered weaknesses in GEA-2 but they were less severe and were more
plausibly accidental.

It is public knowledge that Western nations have placed export controls on
various technologies, including encryption software, since the cold war era.
In the 1990s, the US restricted exports of software with encryption keys over
40 bits. In 1999, the year after GEA-1 was developed, this restriction was
lifted to 56 bits. Other nations, such as France, made similar changes around
the same time.

Beierle says the flaw was a clever way of meeting a 40-bit limit on
encryption, while also making the software appear to be a more powerful tool.
It is unknown who created the backdoor or at whose request, or whether it was
ever used.

The discovery should be a cautionary tale about other encryption methods, says
Green. “In the late 2030s, you should expect a team of researchers to be
writing a paper just like this one, except it will be about the encryption
you’re using today,” he says.

Journal reference: Cryptology ePrint Archive, DOI: 10.1007/978-3-030-77886-6_6

Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  https://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

More information about the Libre-soc-dev mailing list