Researchers: 2G Connection Encryption Deliberately Weakened To Comply With Cryptowar Export Restrictions
from the endangering-phone-users-in-the-name-of-public-safety dept
Researchers have discovered a backdoor in 2G encryption, one that was deliberately created. As this report by Lorenzo Franchesi-Bicchierai for Motherboard points out, the researchers didn't necessarily know it was deliberate when they discovered it.
Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, "from a source." They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.
The researchers said in their research paper the backdoor appeared to be deliberate. They reverse-engineered the algorithm, trying to randomly replicate the weakness in the random number generator they'd discovered. They were unable to do so. After observing this, they came to a pretty dead-on conclusion:
This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.
This was confirmed shortly after the paper [PDF] was published.
A spokesperson for the organization that designed the GEA-1 algorithm, the European Telecommunications Standards Institute (ETSI), admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption.
This algorithm hasn't been in common use for years. The 2G standard has been abandoned in favor of 3G and 4G, eliminating this deliberately induced weakness. Export regulations no longer require deliberate weakening of encryption, so current standards are far more secure.
But even though 2G networks haven't been in common use since the early 2000's, this weakness (which still exists) still has relevance. One of the features of Stingray devices and other cell site simulators is the ability to force all connecting phones to utilize a 2G connection.
Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
This means anyone using a cell site simulator can break the weakened encryption and intercept communications or force connecting devices to cough up precise location data. While law enforcement agencies (including the FBI) claim not to use any features that allow interception, the US is not the only customer for these devices. And there's been no confirmation that any US agency isn't using these to intercept communications they feel aren't protected by the Fourth Amendment, like conversations occurring in other countries (remember: the military had Stingrays first) or close to our nation's borders.
This revelation adds more info to the body of work dealing with the first cryptowar that began all the way back in the 1990s. Back then, the US government considered the export of strong encryption to be a criminal act. The NSA was one of the beneficiaries of this determination. This determination -- and the NSA's input -- resulted in the standardization of weakened encryption by the RSA. Even after the US government abandoned its criminalization of strong encryption, state-sponsored hackers (including our own NSA) were often able to force to force sites and content delivery services to utilize "export grade" encryption rather than stronger options in order to intercept communications and content.
Fortunately, most of that is behind us now. Our communications are now protected by encryption that hasn't been deliberately weakened. But it's still out there. And it can still be exploited by attackers with the right tools.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: 2g, backdoor, encryption, gea-1, weakened
Reader Comments
Subscribe: RSS
View by: Time | Thread
So yeah, I guess we are protected, as long as our phones are not capable (or, perhaps, willing) to accept a 2G connection. Which phones are those, again?
[ link to this | view in chronology ]
Re:
The BlackBerry 10 phones had a setting to disable it. I don't know whether it worked as advertised, or whether it was unique in having this setting.
[ link to this | view in chronology ]
Re:
Not many, if any, just yet. I can only speak for the devices in use by me and my family right now but, my mothers Galaxy S21, my brothers Galaxy S10+, my Galaxy Note 20 5G, and my Galaxy Tab S7+ 5G all still support the 2G network as a fallback and there's no setting to keep it from doing so (the available network options are 2G/3G/LTE/5G, 2G/3G/LTE, and 2G/3G there's no option to remove the earlier generation networks only the higher ones).
[ link to this | view in chronology ]
"Encyption"
Tim, you might want to fix that.
[ link to this | view in chronology ]
Re: "Encyption"
"Encyption" is just a weakened form of "encryption".
[ link to this | view in chronology ]
Re: Re: "Encyption"
Tim has upgraded us to the good stuff now. Yay, we're secure-er!
[ link to this | view in chronology ]
"standardization of weakened encryption by the RSA"
What? RSA is a private firm, founded by some of the inventors of public-key cryptography. RSA doesn't standardize anything. Nor does the NSA, if "RSA" is a typo for "NSA". Not sure what you were trying to say here.
[ link to this | view in chronology ]
Re: "standardization of weakened encryption by the RSA"
RSA developed an encryption method that then was accepted as a standard. However, it was revealed years later that the NSA convinced RSA to deliberately weaken their method for NSA's benefit.
[ link to this | view in chronology ]
Re: "standardization of weakened encryption by the RSA"
The third result when doing a search for RSA.
"RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym RSA comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977"
https://en.wikipedia.org/wiki/RSA_(cryptosystem)
For even more detail about the problem see; https://www.scientificamerican.com/article/nsa-nist-encryption-scandal/
[ link to this | view in chronology ]
Re: Re: "standardization of weakened encryption by the RSA&
The RSA cryptosystem (never called "the RSA") has nothing to do with this scandal. The RSA company (also not "the RSA") didn't create, weaken, or standardize the bad algorithm, but used it after accepting a bribe from the NSA. The NSA created it and NIST standardized it.
[ link to this | view in chronology ]
Re: "standardization of weakened encryption by the RSA"
"What? RSA is a private firm, founded by some of the inventors of public-key cryptography. RSA doesn't standardize anything."
I beg to differ. It's really the complete opposite; Most industrial standards were designed and accepted by the private sector to begin with.
It's normally no more complex than that a private actor builds a flexible and easily adopted standard and then releases it under some form of more permissive patent or as FOSS. Like USB, for instance, every other slot on your computers motherboard, or various AC standards. Apache server software. Or, related to this topic, AES encryption.
The issue here is that the RSA built the encryption with NSA input, deliberately weakening it, and that the standard wasn't properly vetted by independent actors. This is the very exact reason that today most security engineers don't accept proprietary standards but insist on using encryption algorithms from the FOSS sector.
[ link to this | view in chronology ]
Re: Re: "standardization of weakened encryption by the RSA"
The algorithm discussed in the article is GEA-1, which was defined by ETSI in 1988. (ref: https://www.schneier.com/blog/archives/2021/06/intentional-flaw-in-gprs-encryption-algorithm-gea-1.h tml)
As far as I can tell, RSA had nothing to do with it. A private organization can propose a standard, but it can't enact it.
The article refers to "the RSA", which is not the usual way to refer to a private firm - in the singular (think "the Apple", "the Google").
So I'm still not sure what Tim was trying to say there.
[ link to this | view in chronology ]
Well
V'z fubpxrq!
[ link to this | view in chronology ]
In other words
Back then, the US government considered the export of strong encryption to be a criminal act.
Put in simpler terms, they considered speech to be a criminal act if said speech crossed international borders. It continues to amaze me how easily people can ignore the fact that math is just speech when they don't like how things are being spoken.
[ link to this | view in chronology ]
Re: In other words
Well, back then, crypto was also munitions (see: wikipedia on ITAR), so you were literally shooting your mouth off by using crypto.
No less silly, no less unconstitutional. And no less costly to defend.
[ link to this | view in chronology ]
Re: In other words
Worse than that, it was also ostensibly illegal to talk to foreign people, except Canadians, about strong cryptography within the USA. And researchers were worried about publishing papers, attending conferences, etc.
The whole reason the PGP source code was published as a book was so judges would understand that it was speech. The hope was that they'd be reluctant to ban export of a book. (It worked: the government didn't even ask them to, and "PGPi", the international version of PGP, came from a scan of the book.)
In Bernstein v. United States, "the Ninth Circuit Court of Appeals ruled that software source code was speech protected by the First Amendment and that the government's regulations preventing its publication were unconstitutional." Of course, the DMCA anti-circumvention provisions are the same thing all over again, and bunnie's lawsuit moves slowly.
[ link to this | view in chronology ]
Re: In other words
By this definition there should be no export regulations on designs of weapons, like nerve agents, explosives, or anything else that can be explained with math, like the calculations to make a nuke. Bizarre, unless math is any different than chemistry. And why would that be?
[ link to this | view in chronology ]
Re: Re: In other words
You seem to have hit the nail on the head. Unless you have a security clearance and learned those weapons designs as a government employee/contractor, there isn't any law stopping you from exporting weapons designs. There was a magazine that was going to publish nuclear weapon designs and was sued by the federal government. Unfortunately, the case was made moot by someone else leaking similar designs before it could be ruled on.
Prior restraints on speech are very hard to make stick in American law unless you've agreed to such restraints for security clearances and the like.
[ link to this | view in chronology ]
Re: Re: Re: In other words
There are several laws/regulations that will ensure you free room and board at a Federal Detention Facility. The list is to long to post here but here's a link to it/them (There's more than one).
https://research.ncsu.edu/administration/compliance/research-compliance/export-controls/export -controlled-items/
[ link to this | view in chronology ]
funny how it's always perfectly ok to weaken protection that then allows the public to be monitored but never ok for the protection to be weakened when it might allow access to whetever the software is supposedly protecting for a company or even a government! if they weren't such lying, cheating, self-serving assholes, who could be relied on to do the jobs they were elected to do, there'd be no worries!
[ link to this | view in chronology ]
Partly true, but not for lack of trying
Fortunately, most of that is behind us now. Our communications are now protected by encryption that hasn't been deliberately weakened. But it's still out there. And it can still be exploited by attackers with the right tools.
Not so much unfortunately, as while this particular deliberate backdoor may not be overly relevant you've got people and agencies trying to gut the current encryption systems to add in new totally-not-backdoors-stop-calling-them-that to every other form of communications used by the public they can find.
[ link to this | view in chronology ]
Basic encryption?
lets see.
the standard is published and out there, and you think someone wont be able to break it?
unless you have a secondary encryption, you cant even suggest its protected.
To connect to a tower, your phone has to generate the signal and codes. If you tell the tower to only admit a certain code to verify, shouldnt it be kinda easy to read whats being sent?
[ link to this | view in chronology ]
Re: Basic encryption?
You need to do some homework.
[ link to this | view in chronology ]
Re: Basic encryption?
"If you tell the tower to only admit a certain code to verify, shouldnt it be kinda easy to read whats being sent?"
That's not how encryption works...
[ link to this | view in chronology ]
Re: Re: Basic encryption?
Phone has to connect some how and if not allowed unless it uses certain formats, as mentioned before about Limiting 3g, 4g to only let 2g do it.
Why not limit the formats used in 3g 4g?
[ link to this | view in chronology ]
Re: Basic encryption?
"the standard is published and out there, and you think someone wont be able to break it?"
Correct.
For much the same reason that knowing the moves of the world MMA champion won't give you much hope of beating him in a brawl. Knowing how a tank is built won't help you out at all trying to stop it. And knowing how an encryption algorithm works will only tell you that unless you already know part of the generated key you still can't break it if every supercomputer in the world was working on it until the heat death of the universe.
You need to do your homework. In your example the cell phone can connect to the tower only because the network using the tower and the SIM card on your phone already possess the relevant keys. The transmission can only be decoded if the listener already possesses one half of the key in question.
In brief, if your network is compromised, so is your encrypted communication. If not, then it isn't, no matter how much power and intelligence you throw at it.
[ link to this | view in chronology ]
Re: Re: Basic encryption?
The bigger/harder the encryption, the more lag you will get in communication.
Its a format to condense the Language and sounds down to let them use Less bandwidth. Just say its a ZIP FILE.
Every time you add to it, 8bit, 16bit, 32bit, Wont matter if you want to get the Sound/voice back and forth in a hurry. You will cut any corner to make it sound Natural. NOT a delay in the middle, while your Phone de-scrambles, all the encoding.
And the base of the encoding, is in the spec for 3g,4g. ANd if the phone cant make a Proper connection, it Should change its encoding, until it finds what works. Didnt say it was going to be easy, Just said its possible to do, esp. if you CONTROL the antenna.
ANd if you think they didnt think about this, and MAYBE add this option. Then think about how RADIO signals work. You are using an Analog signal to create Digital transfers.
[ link to this | view in chronology ]
Serious questioner
"...back in the 1990s. Back then, the US government considered the export of strong encryption to be a criminal act."
I do vaguely recall that a low bit encryption was allowed by civilians - whereas the US Govt forbade encryption at and above n- bits. I believed that to be because they had the computing power to break the weaker encryption and not the stronger (within a chosen time limit).
Anybody have a link to the details of what I'm (partially) remembering?
And how do we square this with the sky-will-fall guy feeling we all have that "intentional weakened encryption" (backdoors) will irreversibly ruin online life as we know it?
I feel encryption (or trust in encryption) is needed for banking etc but I am not sure I can articulate why my feelings are the mathematically bulletproof truth.
[ link to this | view in chronology ]