Report insinuates that early mobile data networks were deliberately backdoored
Researchers from several universities in France, Germany, and Norway have concluded that the encryption algorithm GEA-1, used in early mobile data networks in the 1990s and 2000s, was deliberately backdoored when it was introduced. GPRS is a mobile data standard based on 2G technology, and many countries and network providers still rely on it as a fallback for mobile data, SMS, and phone calls. GEA-1 encryption is used between the phone and the base station, but it has been found to have been deliberately weakened. GEA-2, the successor to GEA-1, was also found to have subpar protection, though no evidence of a deliberate backdoor was found.
Although GEA-1 or GEA-2 are proprietary encryption algorithms, the researchers obtained them from “a source that prefers to stay anonymous.” According to the report, there is a strong statistical likelihood that the GEA-1 algorithm was significantly weakened and not actually 64-bit secure as advertised. Instead, it provided only 40-bit security; 40-bit encryption provides very weak security, as a network of computers was capable of brute-forcing a key in a short period of time. Matthew Green, a cryptography researcher at Johns Hopkins University, has boosted claims that this is a deliberate “backdoor”.
In their attempts to reverse engineer both GEA-1 and GEA-2, the researchers discovered that their recreation of the GEA-1 algorithm was much more secure than the originally implemented algorithm. The researchers concluded that this was not by chance and that it was a deliberate design decision by those who had designed the GEA-1 algorithm for mobile networks in the first place. The paper states that “concretely, in a million tries we never even got close to such a weak instance”. In this instance, when combined with the ability to eavesdrop on GPRS communication, it is theoretically possible to intercept and decrypt all mobile network traffic that uses the GEA-1 algorithm with ease. Matthew Green also notes that TLS was not used by most websites at the time and that anyone using the internet was relying on these algorithms to protect their communications.
Motherboard reached out to the European Telecommunications Standard Institute (ETSI), the organization that designed the algorithm. They admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption. “We followed regulations: we followed export control regulations that limited the strength of GEA-1.” Håvard Raddum, a researcher on the paper, stated to Motherboard that “to meet political requirements, millions of users were apparently poorly protected while surfing for years.” Lukasz Olejnik, an independent cybersecurity researcher and consultant who holds a Computer Science Ph.D. from INRIA, also told Motherboard that “this technical analysis is sound, and the conclusions as to the intentional weakening of the algorithm rather serious.”
The export regulations in question are likely French Decrees 98-206 and 98-207. Announced in 1998 (the year GEA-1 was designed), the Decrees stated that means and services of cryptology in which “exhaustive search of all possible keys does not require more than 2 40 trials with a simple test” are exempt from authorization or declaration for use and import.
With GEA-2, things were different, and ETSI told Motherboard that the export controls had been eased at the time of GEA-2’s design. The researchers were still able to decrypt GEA-2 traffic, and they said that the cipher “does not offer full 64-bit security”. While the attack was more difficult “to apply in practice”, the researchers recommend that only GEA-3 and above are implemented from now on. Many devices released even in recent years still use GEA-1 and GEA-2 as fallbacks, even though ETSI prevented network operators from using GEA-1 in their mobile networks in 2013.
Because at the end of the day, all of the same incentives exist for governments to sabotage encryption standards. We like to pretend that they’re too enlightened to do this anymore, or that we’re smart enough to catch them. Maybe. I doubt it. 13/
— Matthew Green (@matthew_d_green) June 16, 2021
The original paper can be read here.