An analysis of the GMR-1 and GMR-2 standards
Last Update: 4.6.2012, 15:32
Press coverage -- FAQ -- Contact -- Presentations -- Publications -- Source code
hgi

iseclab

Bochum, 8.2.2012

Satellite telephony is unsafe
RUB scientists break security standards
Encryption algorithms have security gaps

Satellite telephony was thought to be secure against eavesdropping. Researchers at the Horst Görtz Institute for IT-Security (HGI) at the Ruhr University Bochum (RUB) have cracked the encryption algorithms of the European Telecommunications Standards Institute (ETSI), which is used globally for satellite telephones, and revealed significant weaknesses. In less than an hour, and with simple equipment, they found the crypto key which is needed to intercept telephone conversations. Using open-source software and building on their previous research results, they were able to exploit the security weaknesses.

Telephoning via satellite

In some regions of the world standard cell phone communication is still not available. In war zones, developing countries and on the high seas, satellite phones are used instead. Here, the telephone is connected via radio directly to a satellite. This passes the incoming call to a station on the ground. From there, the call is fed into the public telephone network. So far this method, with the ETSI’s encryption algorithms A5-GMR-1 and A5-GMR-2, was considered secure.

Simple equipment – fast decryption

For their project, the interdisciplinary group of researchers from the areas of Embedded Security and System Security used commercially available equipment, and randomly selected two widely used satellite phones. A simple firmware update was then loaded from the provider’s website for each phone and the encryption mechanism reconstructed. Based on the analysis, the encryption of the GMR-1 standard demonstrated similarities to the one used in GSM, the most common mobile phone system. “Since the GSM cipher had already been cracked, we were able to adopt the method and use it for our attack”, explained Benedikt Driessen, of the Chair for Embedded Security (Prof. Paar) at the RUB. To verify the results in practice, the research group recorded their own satellite telephone conversations and developed a new attack based on the analysis. „We were surprised by the total lack of protection measures, which would have complicated our work drastically”, said Carsten Willems of the Chair for System Security (Prof. Holz) at the RUB.

Invasion of privacy

Encryption algorithms are implemented to protect the privacy of the user. “Our results show that the use of satellite phones harbours dangers and the current encryption algorithms are not sufficient”, emphasized Ralf Hund of the Chair for System Security at the RUB. There is, as yet, no alternative to the current standards. Since users cannot rely on their security against interception, similar to the security of standard cell phones, they will have to wait for the development of new technologies and standards, or make use of other means of communication for confidential calls.

Press coverage
Our work has received quite some attention by national and international press. Please click here for a non-representative selection of recent articles.
Frequently Asked Questions (top)
Q: Can you summarize your work?
A: Our work consists of two consecutive steps: (1) We have reconstructed the two proprietary encryption algorithms of the two major, civilian satellite phone standards GMR-1 and GMR-2. These algorithms are different for both standards and were kept secret. We have obtained them by analyzing the software running on actual satphones (Thuraya SO-2510, Inmarsat IsatPhone PRO). We have performed mathematical analysis and discovered serious weaknesses, which is documented here. (2) We have implemented a real-word attack on Thuraya (which relies on the GMR-1 standard) and were able to show that we can break the encryption within 30 minutes, as can be seen here.

Q: What is your motivation?
A: We believe that the closed-source nature of security aspects of communication technology is bad. On the one hand, this hinders public understanding of actual privacy guarantees. On the other hand, from the point of a system designer, exposing security mechanisms (such as a stream cipher) to a limited audience also limits the amount of scrutiny. By disclosing the weaknesses we have found, we hope to raise public awareness and discourage the "security-by-obscurity" principle.

Q: Which providers/systems are affected and how?
A: We have shown that we can decrypt communications secured according to the GMR-1 standard. As a proof-of-concept, we have intercepted our own downlink (i.e., data sent from the satellite) speech data in the Thuraya network. Please note, since the speech-codec for GMR-1 is currently unknown, we were not able to actually reproduce the conversation that took place. The providers TerreStar and SkyTerra are seemingly in the process of also implementing a system according to GMR-1. Inmarsat implements GMR-2+ (which seems to be a proprietary extension of the GMR-2 standard family), for which we have found a very efficient (but more theoretical) attack -- which has not been implemented yet.

Q: So, can you practically listen to a conversation?
A: No, we currently have a proof-of-concept system which requires some manual effort. We can decrypt the downlink for GMR-1 systems, given some encrypted speech data. Since the speech-codec is currently being reverse-engineered by OsmocomGMR, actually reproducing the conversation is not possible -- yet. However, the discovered weakness for GMR-1 also applies to non-voice data (SMS, fax-data, etc.) for which no codec is required.

Q: What equipment is required to eavesdrop on GMR-1?
A: To receive the downlink, a special antenna is required which can be built or bought. The antenna is connected to a USRP (programmable radio hardware) which itself is connected to a PC. A very nice description of the setup can be found here. On the PC, open-source software (GNURadio, OsmocomGMR) is responsible for capturing and demodulating speech data. The captured data is processed by an implementation of our GMR-1 attack.

Q: How to protect against eavesdropping?
A: The existing standard is unlikely to change, but there are already products offering an additional layer of encryption -- on top of the one provided by GMR-1 and GMR-2.

Q: The ETSI standards GSM, DECT, GMR, etc. all have been broken. What can be done to improve the overall situation?
A: There has already been a shift in the design and implementation process. For example, for the upcoming ETSI LTE standard (the successor to UMTS), central algorithms have been published and been available for over a year. The publication is accompanied by a series of workshops, which discuss recent findings and potential vulnerabilities. This is likely to guarantee a more involved evaluation, potentially leading to more secure standards and improved privacy.

Q: Did you inform anyone about your findings?
A: Yes, we have contacted and informed authorities well in advance.

Q: Can I get the source codes?
A: Yes, please see below.
Contact (top)
Benedikt Driessen
benedikt.driessen@rub.de

Chair for Embedded Security, Prof. Paar
Chair for Systems Security, Prof. Holz
Horst-Goertz Institute for IT Security
Ruhr-University Bochum, Germany
Presentations (top)
Don't Trust Satellite Phones
Presenter(s)
Benedikt Driessen, Ralf Hund
When & Where
2.2.2012, HGI Kolloquium, Ruhr-University Bochum

Download
Don't Trust Satellite Phones: A Security Analysis of two Satphone Standards
Presenter(s)
Benedikt Driessen
When & Where
21.5.2012, IEEE Security & Privacy, San Francisco, CA, USA

Download
Publications (top)
Don’t Trust Satellite Phones: A Security Analysis of Two Satphone Standards
Author(s)
Benedikt Driessen, Ralf Hund, Carsten Willems, Christof Paar, Thorsten Holz
Status
Accepted at IEEE Symposium on Security & Privacy 2012
Abstract
There is a rich body of work related to the security aspects of cellular mobile phones, in particular with respect to the GSM and UMTS systems. To the best of our knowledge, however, there has been no investigation of the security of satellite phones (abbr. satphones). Even though a niche market compared to the G2 and G3 mobile systems, there are several 100,000 satphone subscribers worldwide. Given the sensitive nature of some of their application domains (e.g., natural disaster areas or military campaigns), security plays a particularly important role for satphones.

In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for satphones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 ciphertext-only attacks to the GMR-1 algorithm with an average case complexity of 2³² steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50–65 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-of-the-art in symmetric cryptography.

Download
Eavesdropping on Satellite Telecommunication Systems
Author(s)
Benedikt Driessen
Status
Published on eprint.iacr.org as Draft, 8.2.2012
Abstract
While communication infrastructures rapidly intertwine with our daily lives, public understanding of underlying technologies and privacy implications is often limited by their closed-source nature. Lacking the funding and resources of corporations and the intelligence community, developing and expanding this understanding is a sometimes tedious, but nonetheless important process. In this sense, we document how we have decrypted our own communication in the Thuraya satellite network. We have used open-source software to build on recent work which reverse-engineered and cryptanalized both stream ciphers currently used in the competing satellite communication standards GMR-1 and GMR-2. To break Thuraya’s encryption (which implements the GMR-1 standard) in a real-world scenario, we have enhanced an existing ciphertext-only attack. We have used common and moderately expensive equipment to capture a live call session and executed the described attack. We show that, after computing less than an hour on regular PC-hardware, we were able to obtain the session key from a handful of speech data frames. This effectively allows decryption of the entire session, thus demonstrating that the Thuraya system (and probably also SkyTerra and TerreStar, who are currently implementing GMR-1) is weak at protecting privacy.

Download
Source code (top)
In this section we make available the reconstructed C-implementations of the encryption algorithms found on the Thuraya SO-2510 (A5-GMR-1) and the Inmarsat IsatPhone PRO (A5-GMR-2).

Please note that the respective hash-sums differ from previously posted hashes due to added headers, minor editorial revisions and compression.

SHA1: 79a8845f9897fc5f52320bf552dd9d95a27ab6ab, Download: a5-gmr-1.tar.gz

SHA1: 8193eb1393c81875308d69d6c16017d0ed09ff10, Download: a5-gmr-2.tar.gz