Researchers at a German university have broken the encryption of the two main standards used to protect calls from satellite phones, giving them the ability to intercept conversations that are meant to be private. The attacks on the GMR-1 and GMR-2 standards are thought to be the first such work against the satellite phone ciphers.
A group of researchers at the Ruhr University Bochum has just published a paper that describes their work. They say that although they were able to intercept the downlink from a satellite to the ground station and break the ciphers used to protect the communication, they could not actually reproduce the conversation. The researchers built their own antenna and did not have an actual satellite phone to use in their research. They began by downloading a firmware update, which gave them a starting point for finding the portion of the code that includes the cipher.
It turned out that the ciphers used in the satellite phone communications are quite similar to the A5/1 and A5/2 GSM ciphers, both of which have been cracked in recent years. The Ruhr University team was able to extend a known attack on GSM as part of its work and also developed a new attack. The end result is that they were able to break the security of both of the ciphers used in satellite phone communications. The researchers said that some simple mechanisms could have made their work more difficult.
“Even though it is impossible for outsiders (like us) to decide whether this is due to historic developments or because secret algorithms were believed to provide a higher level of “security”, the findings of our work are not encouraging from a security point of view. GMR-1 relies on a variant of the GSM cipher A5/2, for which serious weaknesses have been demonstrated for more than a decade. The GMR-2 cipher, which appears to be an entirely new stream cipher, shows even more serious cryptographic weaknesses. In the case of GMR-1, an attacker can mount a successful ciphertext-only attack. With respect to the GMR-2 cipher, in a known-plaintext setting where approximately 50–65 bytes plaintext are known to the attacker, it is possible to recover a session key with a moderate computational complexity, allowing the attack to be easily performed with a current PC. Both algorithms are cryptographically dramatically weaker than would be possible with state-of-the-art ciphers, e.g., AES,” the researchers said in their paper, “Don’t Trust Satellite Phones: A Security Analysis of Two Satphone Standards”.
Following their work, the researchers recommend that users think twice before using satellite phones for private conversations.
“Our results show that the use of satellite phones harbours dangers and the current encryption algorithms are not sufficient”, said Ralf Hund, the Chair for System Security at the Ruhr University Bochum.
Both the A5/1 and A5/2 GSM ciphers were cracked by researchers about two years ago.