We have had backdoors in our smartphones for 20 years
Sometimes one gets the impression that the principal security threat to citizens comes from the state secret services. They are interested in hacking not from one website but all the internet traffic.
That is, they want to wiretap not a single individual but everyone at once. Security services have repeatedly tried to inject backdoors into public cryptography algorithms. Wiretapping of any random citizen in any country on any device is a Big Brother’s dream.
How can you bypass online surveillance and hacking? Protect your privacy with the Utopia P2P ecosystem – fully anonymous and decentralized.
A few years ago, it was revealed that the CIA had infiltrated the Swiss company Crypto AG, the world’s largest manufacturer of crypto equipment, a long time ago. Now the FSB is forcing Russian citizens to apply domestic cryptography, which is suspected of having a backdoor in the algorithm.
Another intriguing story is connected with GPRS encryption present in most phones, including Apple iPhone, Samsung Galaxy S9, Huawei P9 Lite, OnePlus 6T, and many others.
These mechanisms were predominant in the 1990s and 2000s. GEA-1 and GEA-2 were exploited for encrypting traffic on 2G. Nearly all modern smartphones still support these protocols to ensure backward compatibility.
On the eve of the Eurocrypt 2021 cryptographic conference, an international group of cryptographers from Germany, France, and Norway (a total of eight co-authors) prepared a report, “Cryptanalysis of the GEA-1 and GEA-2 algorithms in GPRS encryption.” It describes in detail an obvious vulnerability in the algorithms.
It should be emphasized again that the algorithms were proprietary or closed source. Until now, independent experts have not had the opportunity to study them.
Do you know the difference between open source and closed-course software? Explore the advantages and disadvantages of both.
Conservative academic researchers in their scientific work don’t say directly that this particular vulnerability was made on purpose – invented and implemented as a backdoor.
But it’s pretty obvious. Below you can see the quote by Matthew Green, Associate Professor of Cryptography at Johns Hopkins University:
Echoes of War
In the 90s, ciphers GEA-1 and GEA-2 executed internet traffic encryption. Cellular communications were considered an exotic application for encryption.
Also, strict rules for the export of cryptographic instruments existed for the United States. Forced weakening of cryptography exports became conventional practice during the Cold War; it continues even now for some countries.
The first version of SSL used RC4 cipher and 128-bit keys. However, in the 1990s, the U.S. government prohibited exporting systems using 128-bit keys. The longest key allowed was 40 bits. Consequently, Netscape developed several variants, and only the U.S. consumer version used a 128-bit key. This state of affairs continued until 1996, when Bill Clinton moved commercial encryption from the Arms List to the Trade Control List. And so, the crypto war ended.
The essence of the vulnerability
In this case, the researchers hypothesize that the encryption vulnerability is related to intentionally weakening to overcome export restrictions. That is, this is a kind of “echo of war” – from those times when cryptography was treated as a weapon.
In their article, the authors explain that, according to the design of the GEA-1 algorithm, there should be 64-bit. But the system design is so ingenious that only 40-bit encryption is possible in practice.
And most importantly, this system design is based on several parameters that were not an accident.
Someone might think that 2^64 and 2^40 don’t vary a lot. But in reality, it reduces the number of options for choosing a secret parameter by 16,777,216 times.
2 ^ 40 = 1099511627776
2 ^ 64 = 18446744073709551616
Scientists point out that they attempted to achieve a similar algorithm via reverse engineering. None of their attempts reproduced such weak encryption. This leads them to the fact that a backdoor to break the encryption was the actual reason for the low encryption level.
Because of the ineffective security during a possible attack, the intercepted traffic can be easily decrypted.
Who put in the backdoor?
Why was the backdoor necessary for decrypting GPRS mobile traffic? In those days, sites very rarely used SSL / TLS certificates. So, phones produced in the late 90s or early 2000s only exploited GEA-1 and GEA-2 integrated into GPRS to bypass wiretapping.
“Due to politics, a great number of people over the globe have been victims of weakened security for years,” the researchers write. In other words, governments of different countries, in their political interests, have jeopardized citizens’ safety.
The GEA-1 algorithm was developed in 1998 by the European Telecommunications Standards Institute (ETSI). As Bruce Schneier correctly noted, ETSI used to (and maybe still does) work under the auspices of SOGIS (Senior Officials Group, Information Systems Security) – the Group of senior officials for information systems security. These are mainly the intelligence services of the EU countries. Here is a list from the official site:
So what does it mean? Formally, ETSI fulfilled the export control requirements for cryptographic assets. But in reality, the European intelligence services seem to have taken advantage of American export laws to implement a convenient backdoor to decrypt mobile traffic.
The authors of the scientific work found out that in the new version of GEA-2 there is no such vulnerability. However, they were able to decrypt GEA-2 traffic with a more technically sophisticated attack and concluded that GEA-2 also “does not provide a high enough level of security by modern standards.”
Apparently, the GPRS backdoor is one of the last echoes of the Cold War and export restrictions of strong cryptography. Let’s hope that in the future such absurdities will become impossible, and politicians will stop using citizens as “hostages” in their games. However, the likelihood of such a scenario is not too high.
What is positive here is that GEA-1 and GEA-2 have been largely abandoned since cell phone vendors adopted the modern 3G and 4G standards. But there’s a huge “but” – although ETSI banned carriers from using GEA-1 in 2013, de facto GEA-1 and GEA-2 support remain in most modern phones, as GPRS is still used as a fallback by most countries and cellular networks.
Today, in the city center, you transmit data over 4G / LTE using the GEA-3 and GEA-4 encryption protocols. But mobile phones still support GEA-1. And there are scenarios when a smartphone can be forcibly switched to GEA-1 mode.
For example, a hacker can switch your smartphone to 2G / GPRS (GEA-1) mode through a telecom operator or a fake base station. The encryption algorithm will be broken.
This is not a hypothetical threat. Those fake base stations used by the intelligence services actually degrade the encryption of smartphones to the 2G / GPRS level. Since these compromised protocols are supported in most modern smartphones, the backdoor still works.
In chapter 5.3, the authors emphasize that all smartphones that support the outdated protocol are vulnerable. The authentication scheme is designed in such a way that traffic encrypted with a more modern cipher such as GEA-3 (highlighted below) can be decrypted through the GEA-1 exploit:
The backdoor in GSM is probably not the last “present” from the state. This particular vulnerability is an echo of the Cold War. But in reality, almost any society is forced to seek a compromise between freedom and security.
According to the logic of the special services, the more they spy on the people, the better security. Various means of cryptography, encryption and anonymity “prevent” them from working. Probably, as they see it, for complete safety, citizens should go online using their passport as identification, at the appointed time and according to the approved list of URLs.
Naturally, any vulnerabilities and backdoors left by the state are used by criminals, like corrupt officials among government workers and other criminal groups. Here the situation is no different from the situation with “personal data” – if a citizen entrusted confidential data to the state, it’s the same as publishing it in the public domain. We are gradually approaching the fact that in order to keep personal data secret, we will have to create several profiles, regularly changing digital identities.
Some researchers believe that the future of the internet lies in peer-to-peer mesh networks based on blockchain. Here each individual controls personal information within their “container,” delegating pieces of data and power to selected nodes to the necessary extent. Perhaps this will reduce the maximum level of authority that agents of nation states now possess.
If you are looking for a safe place where you can store and transfer data across the web, start using Utopia. It will protect you from data breaches and governmental surveillance.