Researchers: 2G Connection Encryption Deliberately Weakened To Comply With Cryptowar Export Restrictions

from the endangering-phone-users-in-the-name-of-public-safety dept

Researchers have discovered a backdoor in 2G encryption, one that was deliberately created. As this report by Lorenzo Franchesi-Bicchierai for Motherboard points out, the researchers didn't necessarily know it was deliberate when they discovered it.

Researchers from several universities in Europe found that the encryption algorithm GEA-1, which was used in cellphones when the industry adopted GPRS standards in 2G networks, was intentionally designed to include a weakness that at least one cryptography expert sees as a backdoor. The researchers said they obtained two encryption algorithms, GEA-1 and GEA-2, which are proprietary and thus not public, "from a source." They then analyzed them and realized they were vulnerable to attacks that allowed for decryption of all traffic.

The researchers said in their research paper the backdoor appeared to be deliberate. They reverse-engineered the algorithm, trying to randomly replicate the weakness in the random number generator they'd discovered. They were unable to do so. After observing this, they came to a pretty dead-on conclusion:

This implies that the weakness in GEA-1 is unlikely to occur by chance, indicating that the security level of 40 bits is due to export regulations.

This was confirmed shortly after the paper [PDF] was published.

A spokesperson for the organization that designed the GEA-1 algorithm, the European Telecommunications Standards Institute (ETSI), admitted that the algorithm contained a weakness, but said it was introduced because the export regulations at the time did not allow for stronger encryption.

This algorithm hasn't been in common use for years. The 2G standard has been abandoned in favor of 3G and 4G, eliminating this deliberately induced weakness. Export regulations no longer require deliberate weakening of encryption, so current standards are far more secure.

But even though 2G networks haven't been in common use since the early 2000's, this weakness (which still exists) still has relevance. One of the features of Stingray devices and other cell site simulators is the ability to force all connecting phones to utilize a 2G connection.

Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.

This means anyone using a cell site simulator can break the weakened encryption and intercept communications or force connecting devices to cough up precise location data. While law enforcement agencies (including the FBI) claim not to use any features that allow interception, the US is not the only customer for these devices. And there's been no confirmation that any US agency isn't using these to intercept communications they feel aren't protected by the Fourth Amendment, like conversations occurring in other countries (remember: the military had Stingrays first) or close to our nation's borders.

This revelation adds more info to the body of work dealing with the first cryptowar that began all the way back in the 1990s. Back then, the US government considered the export of strong encryption to be a criminal act. The NSA was one of the beneficiaries of this determination. This determination -- and the NSA's input -- resulted in the standardization of weakened encryption by the RSA. Even after the US government abandoned its criminalization of strong encryption, state-sponsored hackers (including our own NSA) were often able to force to force sites and content delivery services to utilize "export grade" encryption rather than stronger options in order to intercept communications and content.

Fortunately, most of that is behind us now. Our communications are now protected by encryption that hasn't been deliberately weakened. But it's still out there. And it can still be exploited by attackers with the right tools.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: 2g, backdoor, encryption, gea-1, weakened


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 21 Jun 2021 @ 6:26am

    Our communications are now protected by encryption that hasn't been deliberately weakened.

    One of the features of Stingray devices and other cell site simulators is the ability to force all connecting phones to utilize a 2G connection.

    So yeah, I guess we are protected, as long as our phones are not capable (or, perhaps, willing) to accept a 2G connection. Which phones are those, again?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jun 2021 @ 8:44am

      Re:

      So yeah, I guess we are protected, as long as our phones are not capable (or, perhaps, willing) to accept a 2G connection. Which phones are those, again?

      The BlackBerry 10 phones had a setting to disable it. I don't know whether it worked as advertised, or whether it was unique in having this setting.

      reply to this | link to this | view in chronology ]

    • icon
      R.H. (profile), 21 Jun 2021 @ 9:21am

      Re:

      Not many, if any, just yet. I can only speak for the devices in use by me and my family right now but, my mothers Galaxy S21, my brothers Galaxy S10+, my Galaxy Note 20 5G, and my Galaxy Tab S7+ 5G all still support the 2G network as a fallback and there's no setting to keep it from doing so (the available network options are 2G/3G/LTE/5G, 2G/3G/LTE, and 2G/3G there's no option to remove the earlier generation networks only the higher ones).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jun 2021 @ 6:52am

    "Encyption"

    Tim, you might want to fix that.

    reply to this | link to this | view in chronology ]

  • icon
    OldMugwump (profile), 21 Jun 2021 @ 7:42am

    "standardization of weakened encryption by the RSA"

    What? RSA is a private firm, founded by some of the inventors of public-key cryptography. RSA doesn't standardize anything. Nor does the NSA, if "RSA" is a typo for "NSA". Not sure what you were trying to say here.

    reply to this | link to this | view in chronology ]

    • identicon
      kallethen, 21 Jun 2021 @ 9:31am

      Re: "standardization of weakened encryption by the RSA"

      RSA developed an encryption method that then was accepted as a standard. However, it was revealed years later that the NSA convinced RSA to deliberately weaken their method for NSA's benefit.

      reply to this | link to this | view in chronology ]

    • icon
      steell (profile), 21 Jun 2021 @ 9:57am

      Re: "standardization of weakened encryption by the RSA"

      The third result when doing a search for RSA.

      "RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely used for secure data transmission. It is also one of the oldest. The acronym RSA comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977"
      https://en.wikipedia.org/wiki/RSA_(cryptosystem)

      For even more detail about the problem see; https://www.scientificamerican.com/article/nsa-nist-encryption-scandal/

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 21 Jun 2021 @ 10:57am

        Re: Re: "standardization of weakened encryption by the RSA&

        The RSA cryptosystem (never called "the RSA") has nothing to do with this scandal. The RSA company (also not "the RSA") didn't create, weaken, or standardize the bad algorithm, but used it after accepting a bribe from the NSA. The NSA created it and NIST standardized it.

        reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 22 Jun 2021 @ 2:10am

      Re: "standardization of weakened encryption by the RSA"

      "What? RSA is a private firm, founded by some of the inventors of public-key cryptography. RSA doesn't standardize anything."

      I beg to differ. It's really the complete opposite; Most industrial standards were designed and accepted by the private sector to begin with.
      It's normally no more complex than that a private actor builds a flexible and easily adopted standard and then releases it under some form of more permissive patent or as FOSS. Like USB, for instance, every other slot on your computers motherboard, or various AC standards. Apache server software. Or, related to this topic, AES encryption.

      The issue here is that the RSA built the encryption with NSA input, deliberately weakening it, and that the standard wasn't properly vetted by independent actors. This is the very exact reason that today most security engineers don't accept proprietary standards but insist on using encryption algorithms from the FOSS sector.

      reply to this | link to this | view in chronology ]

  • icon
    justok (profile), 21 Jun 2021 @ 7:43am

    Well

    V'z fubpxrq!

    reply to this | link to this | view in chronology ]

  • icon
    Cdaragorn (profile), 21 Jun 2021 @ 7:56am

    In other words

    Back then, the US government considered the export of strong encryption to be a criminal act.

    Put in simpler terms, they considered speech to be a criminal act if said speech crossed international borders. It continues to amaze me how easily people can ignore the fact that math is just speech when they don't like how things are being spoken.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jun 2021 @ 8:36am

      Re: In other words

      Well, back then, crypto was also munitions (see: wikipedia on ITAR), so you were literally shooting your mouth off by using crypto.

      No less silly, no less unconstitutional. And no less costly to defend.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jun 2021 @ 9:06am

      Re: In other words

      they considered speech to be a criminal act if said speech crossed international borders

      Worse than that, it was also ostensibly illegal to talk to foreign people, except Canadians, about strong cryptography within the USA. And researchers were worried about publishing papers, attending conferences, etc.

      The whole reason the PGP source code was published as a book was so judges would understand that it was speech. The hope was that they'd be reluctant to ban export of a book. (It worked: the government didn't even ask them to, and "PGPi", the international version of PGP, came from a scan of the book.)

      In Bernstein v. United States, "the Ninth Circuit Court of Appeals ruled that software source code was speech protected by the First Amendment and that the government's regulations preventing its publication were unconstitutional." Of course, the DMCA anti-circumvention provisions are the same thing all over again, and bunnie's lawsuit moves slowly.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Jun 2021 @ 9:16am

      Re: In other words

      By this definition there should be no export regulations on designs of weapons, like nerve agents, explosives, or anything else that can be explained with math, like the calculations to make a nuke. Bizarre, unless math is any different than chemistry. And why would that be?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Jun 2021 @ 8:11am

    funny how it's always perfectly ok to weaken protection that then allows the public to be monitored but never ok for the protection to be weakened when it might allow access to whetever the software is supposedly protecting for a company or even a government! if they weren't such lying, cheating, self-serving assholes, who could be relied on to do the jobs they were elected to do, there'd be no worries!

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 21 Jun 2021 @ 9:46am

    Partly true, but not for lack of trying

    Fortunately, most of that is behind us now. Our communications are now protected by encryption that hasn't been deliberately weakened. But it's still out there. And it can still be exploited by attackers with the right tools.

    Not so much unfortunately, as while this particular deliberate backdoor may not be overly relevant you've got people and agencies trying to gut the current encryption systems to add in new totally-not-backdoors-stop-calling-them-that to every other form of communications used by the public they can find.

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 21 Jun 2021 @ 12:42pm

    Basic encryption?

    lets see.
    the standard is published and out there, and you think someone wont be able to break it?
    unless you have a secondary encryption, you cant even suggest its protected.
    To connect to a tower, your phone has to generate the signal and codes. If you tell the tower to only admit a certain code to verify, shouldnt it be kinda easy to read whats being sent?

    reply to this | link to this | view in chronology ]

    • icon
      BernardoVerda (profile), 21 Jun 2021 @ 2:18pm

      Re: Basic encryption?

      You need to do some homework.

      reply to this | link to this | view in chronology ]

    • icon
      PaulT (profile), 21 Jun 2021 @ 11:19pm

      Re: Basic encryption?

      "If you tell the tower to only admit a certain code to verify, shouldnt it be kinda easy to read whats being sent?"

      That's not how encryption works...

      reply to this | link to this | view in chronology ]

      • icon
        ECA (profile), 22 Jun 2021 @ 12:43am

        Re: Re: Basic encryption?

        Phone has to connect some how and if not allowed unless it uses certain formats, as mentioned before about Limiting 3g, 4g to only let 2g do it.
        Why not limit the formats used in 3g 4g?

        reply to this | link to this | view in chronology ]

    • icon
      Scary Devil Monastery (profile), 22 Jun 2021 @ 2:17am

      Re: Basic encryption?

      "the standard is published and out there, and you think someone wont be able to break it?"

      Correct.

      For much the same reason that knowing the moves of the world MMA champion won't give you much hope of beating him in a brawl. Knowing how a tank is built won't help you out at all trying to stop it. And knowing how an encryption algorithm works will only tell you that unless you already know part of the generated key you still can't break it if every supercomputer in the world was working on it until the heat death of the universe.

      You need to do your homework. In your example the cell phone can connect to the tower only because the network using the tower and the SIM card on your phone already possess the relevant keys. The transmission can only be decoded if the listener already possesses one half of the key in question.

      In brief, if your network is compromised, so is your encrypted communication. If not, then it isn't, no matter how much power and intelligence you throw at it.

      reply to this | link to this | view in chronology ]

      • icon
        ECA (profile), 23 Jun 2021 @ 11:00am

        Re: Re: Basic encryption?

        The bigger/harder the encryption, the more lag you will get in communication.
        Its a format to condense the Language and sounds down to let them use Less bandwidth. Just say its a ZIP FILE.
        Every time you add to it, 8bit, 16bit, 32bit, Wont matter if you want to get the Sound/voice back and forth in a hurry. You will cut any corner to make it sound Natural. NOT a delay in the middle, while your Phone de-scrambles, all the encoding.
        And the base of the encoding, is in the spec for 3g,4g. ANd if the phone cant make a Proper connection, it Should change its encoding, until it finds what works. Didnt say it was going to be easy, Just said its possible to do, esp. if you CONTROL the antenna.
        ANd if you think they didnt think about this, and MAYBE add this option. Then think about how RADIO signals work. You are using an Analog signal to create Digital transfers.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2021 @ 2:05pm

    Serious questioner

    "...back in the 1990s. Back then, the US government considered the export of strong encryption to be a criminal act."

    I do vaguely recall that a low bit encryption was allowed by civilians - whereas the US Govt forbade encryption at and above n- bits. I believed that to be because they had the computing power to break the weaker encryption and not the stronger (within a chosen time limit).

    Anybody have a link to the details of what I'm (partially) remembering?

    And how do we square this with the sky-will-fall guy feeling we all have that "intentional weakened encryption" (backdoors) will irreversibly ruin online life as we know it?

    I feel encryption (or trust in encryption) is needed for banking etc but I am not sure I can articulate why my feelings are the mathematically bulletproof truth.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.