New Attack Can Now Decrypt Satellite Phone Calls in 'Real Time' (zdnet.com)
Chinese researchers have discovered a way to rapidly decrypt satellite phone communications -- within a fraction of a second in some cases. From a report on ZDNet: The paper, published this week, expands on previous research by German academics in 2012 by rapidly speeding up the attack and showing that the encryption used in popular Inmarsat satellite phones can be cracked in "real time." Satellite phones are used by those in desolate environments, including high altitudes and at sea, where traditional cell service isn't available. Modern satellite phones encrypt voice traffic to prevent eavesdropping. It's that modern GMR-2 algorithm that was the focus of the research, given that it's used in most satellite phones today. The researchers tried "to reverse the encryption procedure to deduce the encryption-key from the output keystream directly," rather than using the German researchers' method of recovering an encryption key using a known-plaintext attack. Using their proposed inversion attack thousands of times on a 3.3GHz satellite stream, the researchers were able to reduce the search space for the 64-bit encryption key, effectively making the decryption key easier to find. The end result was that encrypted data could be cracked in a fraction of a second.
I'll bet the satellites see updates more often than some Android phones sold in the last year.
If this is what Chinese academics are publishing now, I wonder how long this has been possible in less-publicized circles.
Everybody knows that certain governments buy up crypto expertise as soon as the ink on the PhD dries. Or sooner, in some cases.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Some variant of Diffie-Hellman key exchange would probably do quite nicely... MitM attacks are typically considered the biggest weakness of DHKE, but with wireless communication, there's no opportunity for a man in the middle attack.
It may involve a firmware update, but it still seems doable.
Of course, if somebody installs some malicious software on the satellite, then snooping via MitM attack becomes possible that way.... Ideally, the people that run the satellite have secured it against such intrusion, and that they themselves will not install such software at any time in the future.
File under 'M' for 'Manic ranting'
I seriously doubt doing updates to the phones is a problem at all, I'll bet they push updates all the time. Satellites are routinely updated and I'm guessing it is not a serious problem.
What really will be the problem is the common encryption problem of key distribution... Unless you can hide the keys from disclosure, your goose is cooked...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Not really.
I'm sure the satellites are constantly being updated for one reason or another. If your $20 tablet gets firmware updates, you can be sure a multi-million-dollar satellite used for worldwide communication does too. Just of a higher quality.
Phones might be trickier, but not because of firmware, because they may just not have the oomph to encrypt things better in real-time.
To be honest, anyone using them and expecting a real sense of security (because, after all, the satellite company and any number of ground stations, repeaters, and the PSTN endpoint could listen in all they like) should have been wrapping their comms with their own encryption before sending it to a satellite.
People will eventually learn - use a transport stream that's potentially vulnerable, assume that's the case anyway, and then put upgradeable encryption on the endpoints under your own control that's nothing to do with the people supplying the transport stream.
I always used to VPN over my own wireless network, back in the early days of WEP, WPA, etc. It paid dividends in giving me security, layering, time to upgrade, the ability to change intermediate equipment without affecting the entire setup, etc. And there was basically zero downside, I used to game CS over that VPN and it added less than 1ms even with old ropey computers acting as the VPN server.
Trust. And then encrypt your own traffic anyway. Whether it's wireless, point-to-point, satellite, WhatsApp or anything else.
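The layering recommended in the comment above, as an added example that is not part of the original post: an endpoint-controlled frame format that treats the carrier as untrusted and carries a suite id so the cipher can be upgraded without touching the transport. It assumes a pre-shared 32-byte key; the frame layout, the names `seal` and `Receiver`, and the stdlib-only suite are illustrative choices.

```python
import hashlib, hmac, os, struct

# Suite 1 is a stdlib-only stand-in (HMAC-SHA256 in counter mode, then MAC).
# A real deployment would register a vetted AEAD (AES-GCM, ChaCha20-Poly1305)
# under a new id and drop old ids from SUPPORTED to block downgrade.
SUPPORTED = {1}
HDR, NONCE_LEN, TAG_LEN = 9, 12, 32   # header = suite (1 byte) + sequence (8 bytes)

def _subkeys(master):
    # Separate keys for encryption and authentication, derived from the shared key.
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, nonce, data):
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(master, seq, plaintext, suite=1):
    enc, mac = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    body = struct.pack(">BQ", suite, seq) + nonce + _xor_stream(enc, nonce, plaintext)
    # The tag covers suite id and sequence number, so neither can be altered in transit.
    return body + hmac.new(mac, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, master):
        self.master, self.last_seq = master, -1

    def open(self, frame):
        if len(frame) < HDR + NONCE_LEN + TAG_LEN:
            raise ValueError("short frame")
        suite, seq = struct.unpack(">BQ", frame[:HDR])
        if suite not in SUPPORTED:
            raise ValueError("unsupported suite")
        enc, mac = _subkeys(self.master)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
            raise ValueError("bad tag")
        if seq <= self.last_seq:          # a relay replaying an old frame is rejected
            raise ValueError("replay")
        self.last_seq = seq
        nonce = body[HDR:HDR + NONCE_LEN]
        return _xor_stream(enc, nonce, body[HDR + NONCE_LEN:])
```

Whatever link-layer cipher the carrier uses, the relay and ground station only ever see these frames; key distribution between the endpoints is a separate problem this sketch does not address.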
I can assure you that satellites are well secured. Usually they have multiple out of band (i.e. on a separate frequency, and even a separate set of radios) RF administrative channels which are well encrypted and secured using multiple means. These channels are both time locked (i.e. only active at planned times) and require signing of each data packet and then require detailed knowledge of the communications protocol to actually do anything to the satellite. They are assets which are too valuable to just throw up there unprotected...
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Why would you need to update the satellite? Typically, a satellite just relays traffic between a ground station and a particular device. It shouldn't need to understand the traffic, so all the encryption should be handled by the ground station on the other end of the satellite hop.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I wasn't suggesting that they weren't... but I felt I should acknowledge the point as at least a theoretical vulnerability.
File under 'M' for 'Manic ranting'
It's not that expensive to own and use a satellite phone. If you can buy new iPhone every year - then you can definitely afford a probably cheaper SAT phone (too).
The big geosync ones are just active retransmitters of radio spectrum. Even the switched ones have no reason to decrypt the audio. A phone update for a more agile key might do the trick.
Some variant of Diffie-Hellman key exchange would probably do quite nicely...
Sorry, no. The attack described is on the GMR-2 stream cipher itself, not the key exchange. Because of a weakness in the key schedule of the cipher, and the underlying structure of the encrypted data frame related to the key schedule, they can actually recover the key directly from the encrypted data frame ignoring the session key exchange entirely.
The fact that they are using some crappy secret stream cipher for sat-phones is a testament to how little research has gone into good stream ciphers (vs creating block ciphers like AES). Although we also shouldn't be too smug about AES either. In a similar vein, a weakness in the AES block cipher key schedule that was not detected until many years later made AES-256 less secure than its 2^256 key-space would indicate (in fact because of this weakness, AES-256 may be even less secure than AES-192). And AES is/was a heavily researched block cipher, not a "secret" satellite phone cipher.
For the most part, satellites in geosynchronous orbit (such as those used by Inmarsat) are generally bent-pipe designs, rather than carrying the equipment for onboard signal processing.
Demodulating, decrypting, processing, and remodulating the signal on board requires the relevant electronics to do so. This means that you're putting sensitive, power hungry electronics in a high radiation environment, where it's difficult to dissipate heat, your power supply is limited, and it's impossible to service if something goes wrong. It also generally means you're beholden to a specific technology for 15+ years.
Instead, the most common design is to follow the KISS principle for the satellite; it dumbly repeats whatever radio signal it receives, and put all the intelligence on the ground. In the literature I can find on the Inmarsat Satellites, they appear to be of the bent-pipe variety.
Now, even though the head end of the satellite phone is on the ground (and the satellite is a passive relay) that doesn't mean that it's necessarily easy to swap out ciphers for the phone portion of the system. It's quite likely that the system is baked into the silicon on the ground stations, and pushing out a firmware update for old systems is going to be quite difficult, especially because Inmarsat is often considered to be a life-critical service. The amount of paperwork involved would be extreme, never mind the testing and so forth if it was even possible.
On the flip side, given the audience for this system, I'd wager that the vast majority of what you would hear would be mariners on the phone to their loved ones in the Philippines, yakking away in Tagalog.
...si hoc legere nimium eruditionis habes...
I seriously doubt doing updates to the phones is a problem at all, I'll bet they push updates all the time. Satellites are routinely updated and I'm guessing it is not a serious problem.
For the Inmarsat service, it's likely to be very difficult, if not impossible. Inmarsat is generally considered a life-critical system for communications with ships at sea. The ground terminals used on the ships are based on designs that are on average probably at least a decade old, which means that the cipher and associated bits are most likely baked into the silicon, making it impossible to update. Forcing a global fleet-wide replacement is about as easy as calling an Internet flag-day and switching everyone to IPv6. It ain't going to happen.
Inmarsat-B finally shut down in December 2016, at least a decade after the last terminal supporting it was sold.
...si hoc legere nimium eruditionis habes...
In this case, the satellites are doing a bit more than just relaying data to a ground station, but they are acting more like cell towers, handing a call from one satellite to another as they move in low earth orbit. Also, the "ground station" may not be in view at all times, so they use the satellites to relay the call to one that has a ground station in view.
Now I'm not saying that the satellite treats the audio stream as anything more than packets of data, but the signaling portion IS important....
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
They're using that because the technology was developed 15 to 20 years ago. In the world of satellite communications technology moves a lot slower than it does for the rest of the industry. It's also very difficult to change the technology once it's deployed.
The stream cipher used was most likely chosen because it provided sufficient security for their needs (basically privacy rather than real security), and was easy to implement in the hardware that was available when the service was being developed.
...si hoc legere nimium eruditionis habes...
Still... I'm not inclined to believe that Inmarsat shipped "baked in" encryption technology based on implementation in silicon. What MIGHT be an issue is having the horsepower necessary to use a less easily broken encryption algorithm or longer key baked into the phone.
We've been shipping firmware driven DSP equipment since the advent of digital cell phone technology, which has been available for 25+ years and standard for at least 20. Unless Inmarsat was building their stuff based on the dark ages of technology, they will be able to update software. They may not have the processing power to encrypt with the latest technology, but I'm sure they can field new firmware and fix the problem if their hardware has enough performance.
I'm sure they can support multiple encryption technologies at the ground stations pretty quickly, then if you don't care that China can listen in you can use the old equipment, or if you want a measure of privacy you can upgrade. So I doubt this is a huge issue for anybody.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
They were most likely working in the "Dark Ages" because that's pretty much how the whole industry works. When I left the industry in 2013, companies were just discovering that IPv4 was still a thing, but even then they were generally handling it by pumping it through HDLC over satellite. I'd wager that 90+% of non-television satcom is completely unencrypted, with the exception of whatever crypto people run over it (https, VPN, whatever). One of the big challenges with dealing with Cryptography, even 3DES (never mind AES, or whatever else), is that if it's in the hardware or even in the firmware, you start dealing with ITAR and all that bullshit.
For the satellite network I still operate, which were finally discontinued last year, the only cryptographic option would be to run 3DES, with static keys, and if and only if you bought the cryptographic version, which required you to sign an end user statement, and then you need to have special firmware that you have to request personally etc... The regulatory environment is a right total pain in the butt, but that's the way it is.
...si hoc legere nimium eruditionis habes...
But... nobody uses GSM any more? 3G, 4G, LTE, etc. all use encryption that is not currently broken.