Slashdot Mirror

← Back to Stories (view on slashdot.org)

Satellite Phone Encryption Cracked

Posted by Soulskill on from the our-fictional-military-characters-are-in-trouble dept.

New submitter The Mister Purple writes "A team of German researchers appears to have cracked the GMR-1 and GMR-2 encryption algorithms used by many (though not all) satellite phones. Anyone fancy putting a cluster together for a listening party? 'Mr. Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000. His demonstration system takes up to half an hour to decipher a call, but a more powerful computer would allow eavesdropping in real time, he said.'"

54 comments

  1. Now that the secret is out... by houstonbofh · · Score: 2

    Now that the secret is out, just buy a used one off eBay from the NSA.

    1. Re:Now that the secret is out... by Anonymous Coward · · Score: 0

      I'd bet the NSA already knew about it, and uses different/additional ciphers for their sat comms.

  2. sony's psn botnet by crutchy · · Score: 1, Insightful

    so they strung a few playstations together... PSN is really just a huge botnet that Sony uses to crack encryption of all sorts. How do you think they're going to sue (save) people that use SSH or VPN from illegally downloading pirated copies of "Not Another Teen Movie"?

    1. Re:sony's psn botnet by Anonymous Coward · · Score: 0

      Yeah, 'cause downloading bad movies is more fun with 9,6kbps over iRIDIUM....

    2. Re:sony's psn botnet by BiggerIsBetter · · Score: 3, Funny

      Yeah, 'cause downloading bad movies is more fun with 9,6kbps over iRIDIUM....

      It would probably be cheaper to make the movie than download it over iRIDIUM...

      --
      Forget thrust, drag, lift and weight. Airplanes fly because of money.
    3. Re:sony's psn botnet by crutchy · · Score: 1

      they probably paid the actors with red cordial for that movie

    4. Re:sony's psn botnet by Dynedain · · Score: 1

      PSN is really just a huge botnet that Sony uses to crack encryption of all sorts.

      Sony manufactured every device connected to PSN. They don't need a botnet as they have the proven manufacturing capability to build the hardware necessary.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    5. Re:sony's psn botnet by Anonymous Coward · · Score: 0

      But then they'd have to both eat the cost of production, and the cost of energy to run the units.

    6. Re:sony's psn botnet by crutchy · · Score: 2

      PSN is like SETI@HOME, except that rather than volunteering for a worthy cause, you pay for a corporation to take advantage of you

  3. Security through obscurity by munozdj · · Score: 5, Insightful

    These guys have once again proven that security through obscurity is not a sensible strategy. If the codes were published in due time, the flaw could have been found with enough time to allow for preventive measures to be deployed. (I know there are a lot of inferences in the sentence, but it seems plausible to me, taking into account what has happened with other algorithms (DES, anyone?))

    --
    Democracy: Crowdsourcing a country near you
    1. Re:Security through obscurity by saleenS281 · · Score: 4, Insightful

      You're assuming they want it truly secure. Reality is governments around the world want backdoors.

    2. Re:Security through obscurity by fauxhemian · · Score: 4, Interesting

      Truth: http://mediafilter.org/caq/cryptogate/

      --
      I've got news for Mr. Santayana: we're doomed to repeat the past no matter what. That's what it is to be alive.
    3. Re:Security through obscurity by Anonymous Coward · · Score: 1

      You're assuming they want it truly secure. Reality is governments around the world want backdoors.

      It also depends when the protocols were designed.

      Today compute is cheap, and so more complex encryption algorithms are generally a no-brainer. However, if you go back just a few years, running complex algorithms would have sucked power (i.e., battery) at an unacceptable rate. The engineering trade off was between security and power (and perhaps throw in bulk as well, depending on the chip sizes in the pre-SoC days).

      If one had a clean sheet design now, you'd probably go with AES and DH/RSA/elliptical curve, with SHA-2 for integrity. If a government wants to tap the phone they're able to quite easily do that via the wiretap infrastructure in place at landlines thanks to CALEA and other similar laws.

    4. Re:Security through obscurity by t4ng* · · Score: 1

      Since GMR is GSM adapted for satellite communications, I'm guessing that the fall of GMR was inevitable since GSM has been cracked.

    5. Re:Security through obscurity by slew · · Score: 4, Interesting

      (...taking into account what has happened with other algorithms (DES, anyone?))

      Not sure you really have a good example there. Apparently, the NSA helped IBM select the S-box for DES and didn't give any explaination for this. Contemporary cryptographers (e.g, Diffie and Hellman) were up-in-arms that the NSA was trying to put a backdoor into DES and questioned the secrecy of the development of the process. Little did they know that the NSA was just collaborating with IBM to avoid a potential weakness in the random S-boxes to be more robust against differential analysis attacks.

      Certainly as a general rule security through obscurity is not a great general strategy, however, DES probably isn't a good example to illustrate this since at the time, the NSA knew much more about breaking encryption than contemporary public cryptographers.

      To me, it's like you're a CPA/EA and letting your know-it-all teenager check over your tax return. Maybe they'd find some mistake or deduction that you didn't find, or maybe they will figure out how much money you make and want a raise in their allowance. It's a tradeoff for sure. But it isn't like taking your return to H&R Block and asking them to check it over. Maybe it's more like the H&R Block situation now, but with DES back in the 70's, it was sorta more like the teenager situation.

    6. Re:Security through obscurity by AHuxley · · Score: 2

      Re : "IBM to avoid a potential weakness in the random S-boxes"
      http://cryptome.org/nsa-v-all.htm "For this reason IBM developed Lucifer* with a key 128 bits long. But before it submitted the cipher to the NBS, it mysteriously broke off more than half the key."
      "As a result of closed-door negotiations with officials of the NSA, IBM agreed to reduce the size of its key from 128 bits to 56 bits. The company also agreed to classify certain details about their selection of the eight S-boxes for the cipher." *Lucifer was first sold as a cash-dispensing system.

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Security through obscurity by Anonymous Coward · · Score: 0

      This.

      I dunno why all you arm-chair cryptographers and web-dev computer "scientists" are harping on this story. GMR is just a GSM variant. Nothing really cryptographically fascinating to see here, just an awesome proof of concept based on the 2008/2009 GSM research.

    8. Re:Security through obscurity by hairyfeet · · Score: 4, Insightful

      While i'm sure that is true to a point, everyone seems to forget just how fricking fast we jumped on computing power. When i first started toying with computers in the early 80s we measured memory in bytes and the multimillion dollar supercomputers had less computing power than that $8 calculator at Fred's. In just 30 years we went from computers measured in single digit MHz cost nearly as much as a car to being able to build a DIY PC for $1000 that could run every single major OS of the last 20 years at the same time. Hell just look at the beginning of this century, where we had just broken the GHz barrier and having 512Mb of RAM meant you had some cash to blow. Who would have thought then that just 12 years later we'd be looking at machines with dozens of CPUs and huge pools of RAM and hundreds of specialized graphical cores we could run our own code on?

      The sat phone system IIRC was designed in the mid 80s and put up in the early 90s correct? i can see them simply not seeing the huge leaps that we would make nor would the tech of the time have been able to process crypto hard enough not to be at risk from these modern monsters. If we keep leaping ahead with regards to computing power as we have been these past 15 years I don't even want to think about how big and complex an encryption system you'll need to protect yourself from what the average geek will have sitting on his desk in 2030.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Security through obscurity by Anonymous Coward · · Score: 0

      95% of slashdot reader's technical knowledge stops at being able to compile EMACS from source. That's why whenever any actually technical article pops up the comments section is full of misinformation, assorted anti-government paranoia, and 15 year old memes (LOL NETCRAFT CONFIRMED IT).

    10. Re:Security through obscurity by Anonymous Coward · · Score: 0

      The thing is, cell phone and satellite phone encryption is not end to end - it's just from the phone to the ground station on the other end of the satellite. Governments can use the same lawful intercept laws at that point in the network as they do on terrestrial networks.

      While encryption is important for the over the air portion to protect against snoopers, governments have access to the unencrypted signal when it hits the ground. So it doesn't much matter to them how strong the encryption is.

    11. Re:Security through obscurity by sudonim2 · · Score: 1

      Iridium sats operate @200MHz. My, nearly obsolete, cell phone is 2.5x as powerful as an Iridium satelite. That's why microsatelites are the future. They're cheap enough to send dozens up at once, which allows you to update the network more easily.

    12. Re:Security through obscurity by hairyfeet · · Score: 1

      Geez I've honestly thrown away computers 5 times that powerful because they were so wimpy i couldn't think of anything to do with them. i don't think the future is the microsat simply because smaller equals easier broken and with all the space junk we got whizzing around up there something the size of a pebble at that speed could fuck your microsat all to hell and add yet more debris.

      No I think the answer will be that space tug idea we saw the other day and then doing like we would here on earth and simply changing out the guts. That way you could have the high powered antenna while still having an easily upgraded system. if the space tug gets built i could easily envision the ISS becoming a space garage, with the tug pulling all kinds of commercial and scientific sats in for repairs and upgrades. In the end this would probably be cheaper than the microsats simply because of all the replacements you'd have to do, both to failures and to damage. this way you could build some really powerful sats with simple "plug and play" style insides that could be swapped out with new chips and new capabilities. And on the plus side this would also allow us to get huge amounts of time out of sats that are simply too expensive to easily toss like Hubble. A win/win IMHO.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Wiretapping by evil_aaronm · · Score: 1

    I'm sure this violates some wiretapping laws - but how are "they" going to find out? No matter: the equipment and means to crack these calls will be outlawed, because only outlaws will have them.

    1. Re:Wiretapping by webmistressrachel · · Score: 1

      So next they will outlaw satellite dishes and computer clusters? How is Joe Sixpack going to watch Fox 'news' now?

      --
      This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
  5. Forget the cluster by SpazmodeusG · · Score: 1

    Just record all the transmitted data and you can decrypt in half an hour. The cluster will just let you listen sooner but it's unnecessary.

    (i am assuming it doesn't do frequency hopping since it's working in a narrow satellite band).

  6. Redundant stupidisms in written English by Anonymous Coward · · Score: 0, Insightful

    I'm so sick of reading gibberish like this:

    "many (though not all)".

    Is there a variety of "many" that doesn't mean "not all"?

    1. Re:Redundant stupidisms in written English by Abreu · · Score: 1, Offtopic

      It is almost, but not entirely unlike proper grammar.

      --
      No sig for the moment.
    2. Re:Redundant stupidisms in written English by somersault · · Score: 1, Insightful

      Is there a variety of "many" that doesn't mean "not all"?

      Yes. It's called "many". It means "a large number". You could say for example "Many humans live in the Solar system", even though none have ever lived outside of it.

      --
      which is totally what she said
    3. Re:Redundant stupidisms in written English by Grishnakh · · Score: 0

      Not that you know of, anyway.

    4. Re:Redundant stupidisms in written English by tsotha · · Score: 0

      I always translate that as "there's a number involved here, but we have no idea what it could be".

    5. Re:Redundant stupidisms in written English by Anonymous Coward · · Score: 0

      Actually, we do. Any lifeforms that developed outside of our solar system would not be the same species, by definition. So yeah, all humans live here.

    6. Re:Redundant stupidisms in written English by gottspeed · · Score: 1

      The genome landed on earth from somewhere else originally so its not a bad assumption that there are humans elsewhere too. Perhaps slightly different ones but humans none-the-less.

    7. Re:Redundant stupidisms in written English by Grishnakh · · Score: 1

      You don't know that. For all we know, some more-developed race, seeing the Native Americans were going to be wiped out by European settlers, grabbed a bunch of them and planted them on another planet to develop on their own and live in peace, and they're still out there.
      http://en.memory-alpha.org/wiki/The_Paradise_Syndrome_(episode)

      Obviously not very likely, but nevertheless, always a possibility. So it is possible, however ridiculously remote, that there's humans, developed on Earth, who are living outside the solar system.

    8. Re:Redundant stupidisms in written English by somersault · · Score: 1

      Does this mean you classify every other form of life on Earth as "human" too? WTF.

      And why do you talk as if Panspermia has been proven?

      --
      which is totally what she said
  7. Is sensible encryption really that hard? by mark-t · · Score: 5, Insightful

    Is it really so hard to use an encrypted key exchange, such as DHKE, to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?

    Such key exchanges practically scream "USE ME" for situations like encrypting anything being transmitted over the air, such as cell phone usage.

    Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM, at least not until somebody develops an other efficient algorithm to solve the discrete log problem, or unless they had a quantum computer on the job that is more powerful than any ever yet built,

    --
    File under 'M' for 'Manic ranting'
    1. Re:Is sensible encryption really that hard? by mcrbids · · Score: 1

      Of course, it also means that the police wouldn't be able to listen in either without setting up a fake cell phone tower to be a MitM

      I don't get it. Somehow, you seem to have missed that one of the main points of a key exchange is to protect you from a MITM attack? See: Certificates, how do they work? You even said: "to establish a completely private connection on something that you are broadcasting, and do not know who might be listening in?"...

      Well, if they could do a MITM, wouldn't they be listening in?

      (cough)

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    2. Re:Is sensible encryption really that hard? by slew · · Score: 4, Informative

      The problem wasn't really the key exchange (which is also problematic as it uses the A3 authentication technique similar to SIM), but the actual cipher itself was weak.

      As an example, you could use DHKE to exchange keys, but if you cipher is E(data) = ROT13(data^key), you have a problem.

      Of course they didn't use that poor a cipher, but the cipher they did use was running in software on a dsp, so it had to be simple, so for GMR-1, they chose to XOR the data with a jittered LFSR (similar to GSM encryption). The techniques used to break GSM encryption apparently work great for GMR as well. I don't yet know many details about GMR-2, but it appears to have different weaknesses than GMR-1 (something related to being based on 8-bit math and incomplete key-data mixing).

      However, yet they could have done better, but they probably just wanted something that could run on a low-power DSP that already existed on the phone.

    3. Re:Is sensible encryption really that hard? by mark-t · · Score: 2

      You can't readily be an MitM for OTA broadcasts though, unless relays are involved, and you can guarantee to be able to fake one of the relays.

      --
      File under 'M' for 'Manic ranting'
    4. Re:Is sensible encryption really that hard? by mark-t · · Score: 1

      More probable is that they would use an RSA-based key exchange, which cannot ever be solved in polynomial time (because you never see either party's key in the transmission)

      --
      File under 'M' for 'Manic ranting'
    5. Re:Is sensible encryption really that hard? by mark-t · · Score: 2

      Oh, also, the purpose of a key exchange is *NOT* to protect you from an MitM. The purpose of a key exchange is to protect you from eavesdropping, since with a key exchange no unencrypted data *EVER* appears on the wire or in the broadcast. With an MitM, that wouldn't matter, since an MitM could intercept the communication and pretend to abide by the key exchange protocol for both sides, using the opportunity to actually acquire the encryption sequence that is to be used for the remainder of the transmission. You can't do that if you're only eavesdropping, because you're not actually sending any counterfeit data into the system.

      --
      File under 'M' for 'Manic ranting'
    6. Re:Is sensible encryption really that hard? by tlhIngan · · Score: 2

      Of course they didn't use that poor a cipher, but the cipher they did use was running in software on a dsp, so it had to be simple, so for GMR-1, they chose to XOR the data with a jittered LFSR (similar to GSM encryption). The techniques used to break GSM encryption apparently work great for GMR as well. I don't yet know many details about GMR-2, but it appears to have different weaknesses than GMR-1 (something related to being based on 8-bit math and incomplete key-data mixing).

      Well, here are the problems.

      First, the equipment and standards were designed in the 1990's with 1990's level embedded processors (think 386 and lower). You had a battery that had to last a pretty decent time because a lot of people carry satphones for emergency use (hikers, pilots, sailors, etc), so your processor has to basically be a fleapower one. This is especially considering the satellite is far away and you have to use a fair bit of power to reach it, which means a lot of battery power and less power for the electronics.

      Oh yeah, the final bitstream is probably operating at 9600bps, and your encryption routine must work in real time on the embedded processor. This was also before dedicated cryptographic processors and accellerator hardware were readily available in embedded processors. So you must do it in software whilst handling all the other tasks at the same time.

      GSM has the same problem. These algorithms were designed for computational efficiency and simplicity more than absolute protection. Reason being that once the call is over, it's over. The key won't be used again, the location of the phone is moving so people can't really capture long stretches of signal, etc.

      For a satphone, receiving one end is easy due to the large footprint compared to a cellphone.

    7. Re:Is sensible encryption really that hard? by emj · · Score: 1

      Basically
      * key exchange -> you need to be a man in the middle for every call.
      * public key/private key -> you just need to listen to the traffic, and decrypt it with keys acquire before or after listening.

    8. Re:Is sensible encryption really that hard? by Electricity+Likes+Me · · Score: 1

      I don't know what point you think you're making here.

      In the digital age, being a MitM for [i]every[/i] conversation of interest is very easy - if you can do it once, you can do it pretty much ad nauseum. The whole point of encryption is the fundamental recognition that modern communications let's just about anybody listen in, at any time, without too much trouble.

    9. Re:Is sensible encryption really that hard? by mark-t · · Score: 1

      How do be a MitM on a radio transmission?

      --
      File under 'M' for 'Manic ranting'
  8. EVERY PHONES ARE EVIL, ZIONIC. by Anonymous Coward · · Score: 0

    I never had bought a phone, jokely (i did abandon it due to its useless).

    Problem solved, period.

    JCPM: don't let to your child to buy a phonezionic. Why were the govt's laws forcing you to reveal your personal data from your phone? It's the trap.

  9. Doesn't Matter by zulux · · Score: 5, Informative

    The original Motorola Iridium satellite phone has a NSA high-encryption pack available for it that fits in the back - this model with the DOD pack or a a more modern Iridium phone with another type of sleeve that I've never seen myself, is how secure communication is done over the Iridium network.

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  10. Forget that by Anonymous Coward · · Score: 0

    Can we use the technology to make a free cell phone? It seems so silly that we have to pay so much to use these devices.

    1. Re:Forget that by OrangeTide · · Score: 2

      yea total rip off. Paying for a network that scales by about $5m for every 1000 concurrent callers you wish to add to your network should be free.

      --
      “Common sense is not so common.” — Voltaire
  11. Not surprising. by Z00L00K · · Score: 1

    The encryption is a trade-off between performance and security. And you don't want too much lag caused by the encryption so that means it has to be relatively simple.

    And what this does is to allow the average person to eavesdrop on satellite calls in his/her area. It's something that at least some governments already have done for years. Or what do you think that Echelon has been doing all these years?

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  12. Not exactly by stooo · · Score: 3, Informative

    As sat spectrum is severely limited, GMR transmits nearly no frames with (unused) fixed plain text.
    So deciphering it using known plaintext is more difficult than for GSM.

    So Yeah, it took them one month since that :
    http://events.ccc.de/congress/2011/Fahrplan/events/4688.en.html

    video :
    http://28c3.mirror.speedpartner.de/CCC/28C3/mp4-h264-LQ/28c3-4688-en-introducing_osmo_gmr_h264-iprod.mp4
    http://28c3.mirror.speedpartner.de/CCC/28C3/mp4-h264-LQ/28c3-4688-en-introducing_osmo_gmr_h264-iprod.mp4.torrent

    --
    aaaaaaa
  13. ohm2013.org idea? by anonieuweling · · Score: 1

    What about setting up a project to do offer live listening to sat phone feeds at ohm2013.org?

  14. He told it to WHAT? by Anonymous Coward · · Score: 0

    Mr. Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000.

    Wait, he figured out a new way to tap phone calls, and he told a British newspaper?! Oh, well done, sir.

    (All right, the Telegraph is a long way from News of the World, but still...)