A group of scientists from several European universities has published a report that many information security experts and media outlets have already called sensational. According to the study, two old encryption algorithms, created in the 1990s and 2000s but still used in mobile networks, are vulnerable and allow users' Internet traffic to be monitored. The report is primarily about the GEA-1 algorithm, which was created and put into use many years ago, when the GPRS standards for 2G networks were adopted.
Even worse, the researchers write that the likelihood of such a vulnerability occurring by accident is extremely small. That is, the scientists suggest that the algorithm was deliberately weakened in order to give law enforcement agencies a “loophole” and to comply with laws restricting the export of reliable encryption tools. After the publication of the document, the developers of the algorithm confirmed this theory.
“According to our experimental analysis, guessing six winning numbers in the German lottery twice in a row is about as likely as accidentally getting these key properties,” writes one of the report’s authors, Christof Beierle of the Ruhr University in Bochum, Germany.
The researchers explain that they obtained two old encryption algorithms at once, GEA-1 and GEA-2, both of which are proprietary, that is, normally inaccessible to the general public and outsiders. After examining them, the experts concluded that the algorithms are vulnerable to attacks that can decrypt all user traffic.
To reverse-engineer GEA-1, the scientists in effect had to create a similar encryption algorithm themselves, using a random number generator of a kind often used in cryptography. Even so, they were unable to produce an encryption scheme as weak as the original.
“After a million tries, we don’t even come close to such a weak sample [as the original]. This means that the weakness in GEA-1 was unlikely to be an accident, meaning the 40-bit security level was driven by export regulations,” the document says. “Because of these political demands, millions of users seem to have been poorly protected while surfing [the web] for many years.”
The problem with GEA-1, developed back in 1998, is that it provides only 40-bit protection. According to the researchers, this allows an attacker who can intercept traffic to recreate the key and decrypt all data.
A representative of the European Telecommunications Standards Institute (ETSI), which developed the GEA-1 algorithm, admitted in an interview with Vice Motherboard that the algorithm does have weaknesses, and that this was done intentionally:
“We followed the rules: We followed the export control rules that limited the capabilities of GEA-1.”
At the same time, GEA-2, the “descendant” of GEA-1, no longer had such glaring problems. An ETSI spokesman explained that by the time GEA-2 was created, export control rules had already been relaxed. However, the researchers were able to decrypt traffic protected by GEA-2 using a more sophisticated attack, and concluded that GEA-2 also “does not provide sufficient security for today’s standards.”
The only consolation is that GEA-1 and GEA-2 are not very widespread at present, since new standards for 3G and 4G networks were adopted long ago. In 2013, ETSI completely banned operators from using the GEA-1 algorithm, but the researchers write that, despite this, GEA-1 and GEA-2 are used to this day, because GPRS is still used as a backup communication option in many countries and networks.
“In most countries, [the risk] is not very high and is significantly lower than in the early 2000s, as GEA-3 and GEA-4 are in use today. But the phones still support GEA-1. There are scenarios where a mobile phone can be tricked into using GEA-1 even today,” says co-author Håvard Raddum.
To back up this claim, the experts tested several modern Android and iOS smartphones to see whether they still support the old, vulnerable algorithms. Alas, the experiment showed that GEA-1 and GEA-2 are still supported. It is also worth adding that many IoT devices still use 2G modems and can be vulnerable as well.