telephony is unsafe
scientists break security standards
algorithms have security gaps
Satellite telephony was thought to be secure
against eavesdropping. Researchers at the
Horst Görtz Institute for IT-Security (HGI)
at the Ruhr University Bochum (RUB) have
cracked the encryption algorithms of the
European Telecommunications Standards
Institute (ETSI), which is used globally for
satellite telephones, and revealed
significant weaknesses. In less than an
hour, and with simple equipment, they found
the crypto key which is needed to intercept
telephone conversations. Using open-source
software and building on their previous
research results, they were able to exploit
the security weaknesses.
Telephoning via satellite
In some regions of the world standard cell
phone communication is still not available.
In war zones, developing countries and on
the high seas, satellite phones are used
instead. Here, the telephone is connected
via radio directly to a satellite. This
passes the incoming call to a station on the
ground. From there, the call is fed into the
public telephone network. So far this
method, with the ETSI’s encryption
algorithms A5-GMR-1 and A5-GMR-2, was
Simple equipment – fast decryption
For their project, the
interdisciplinary group of researchers from
the areas of Embedded Security and System
Security used commercially available
equipment, and randomly selected two widely
used satellite phones. A simple firmware
update was then loaded from the provider’s
website for each phone and the encryption
mechanism reconstructed. Based on the
analysis, the encryption of the GMR-1
standard demonstrated similarities to the
one used in GSM, the most common mobile
phone system. “Since the GSM cipher had
already been cracked, we were able to adopt
the method and use it for our attack”,
explained Benedikt Driessen, of the Chair
for Embedded Security (Prof. Paar) at the
RUB. To verify the results in practice, the
research group recorded their own satellite
telephone conversations and developed a new
attack based on the analysis. „We were
surprised by the total lack of protection
measures, which would have complicated our
work drastically”, said Carsten Willems of
the Chair for System Security (Prof. Holz)
at the RUB.
Invasion of privacy
Encryption algorithms are implemented to
protect the privacy of the user. “Our
results show that the use of satellite
phones harbours dangers and the current
encryption algorithms are not sufficient”,
emphasized Ralf Hund of the Chair for System
Security at the RUB. There is, as yet, no
alternative to the current standards. Since
users cannot rely on their security against
interception, similar to the security of
standard cell phones, they will have to wait
for the development of new technologies and
standards, or make use of other means of
communication for confidential calls.
|Our work has received quite some attention by national and
international press. Please click here for a non-representative
selection of recent articles.
|Frequently Asked Questions
Can you summarize your
A: Our work consists
of two consecutive steps: (1)
We have reconstructed the two proprietary encryption
algorithms of the two major, civilian satellite phone
standards GMR-1 and GMR-2. These algorithms are different
for both standards and were kept secret. We have obtained
them by analyzing the software running on actual satphones
(Thuraya SO-2510, Inmarsat IsatPhone PRO). We have performed
mathematical analysis and discovered serious weaknesses,
which is documented here. (2) We have implemented a
real-word attack on Thuraya (which relies on the GMR-1
standard) and were able to show that we can break the
encryption within 30 minutes, as can be seen here.
What is your motivation?
A: We believe that
the closed-source nature of security aspects of
communication technology is bad. On the one hand, this
hinders public understanding of actual privacy guarantees.
On the other hand, from the point of a system designer,
exposing security mechanisms (such as a stream cipher) to a
limited audience also limits the amount of scrutiny. By
disclosing the weaknesses we have found, we hope to raise
public awareness and discourage the "security-by-obscurity"
providers/systems are affected and how?
A: We have shown
that we can decrypt communications secured according to the
GMR-1 standard. As a proof-of-concept, we have intercepted
our own downlink (i.e., data sent from the satellite) speech
data in the Thuraya network. Please note, since the
speech-codec for GMR-1 is currently unknown, we were not
able to actually reproduce the conversation that took place.
The providers TerreStar and SkyTerra are seemingly in the
process of also implementing a system according to GMR-1.
Inmarsat implements GMR-2+ (which seems to be a proprietary
extension of the GMR-2 standard family), for which we have
found a very efficient (but more theoretical) attack --
which has not been implemented yet.
can you practically listen to a conversation?
A: No, we currently
have a proof-of-concept system which requires some manual
effort. We can decrypt the downlink for GMR-1 systems, given
some encrypted speech data. Since the speech-codec is
currently being reverse-engineered by OsmocomGMR, actually
reproducing the conversation is not possible -- yet.
However, the discovered weakness for GMR-1 also applies to
non-voice data (SMS, fax-data, etc.) for which no codec is
equipment is required to eavesdrop on GMR-1?
A: To receive the
downlink, a special antenna is required which can be built
or bought. The antenna is connected to a USRP (programmable
radio hardware) which itself is connected to a PC. A very
nice description of the setup can be found here.
On the PC, open-source software (GNURadio,
is responsible for capturing and demodulating speech data.
The captured data is processed by an implementation of our
How to protect against eavesdropping?
A: The existing
standard is unlikely to change, but there are already
products offering an additional layer of encryption -- on
top of the one provided by GMR-1 and GMR-2.
The ETSI standards GSM, DECT, GMR, etc. all have been
broken. What can be done to improve the overall situation?
A: There has already
been a shift in the design and implementation process. For
example, for the upcoming ETSI LTE standard (the successor
to UMTS), central algorithms have been published and been
available for over a year. The publication is accompanied by
a series of workshops, which discuss recent findings and
potential vulnerabilities. This is likely to guarantee a
more involved evaluation, potentially leading to more secure
standards and improved privacy.
you inform anyone about your findings?
A: Yes, we have
contacted and informed authorities well in advance.
Can I get the source codes?
A: Yes, please see below.
Chair for Embedded Security, Prof.
Chair for Systems Security, Prof.
Horst-Goertz Institute for IT Security
Ruhr-University Bochum, Germany
Trust Satellite Phones
|Benedikt Driessen, Ralf Hund
|When & Where
|2.2.2012, HGI Kolloquium, Ruhr-University Bochum
Trust Satellite Phones: A Security Analysis of two Satphone Standards
|When & Where
|21.5.2012, IEEE Security & Privacy, San Francisco, CA, USA
| Publications (top)
Trust Satellite Phones: A Security Analysis of Two
|Benedikt Driessen, Ralf Hund, Carsten Willems,
Christof Paar, Thorsten Holz
|Accepted at IEEE Symposium on
Security & Privacy 2012
|There is a rich body of work related to the
security aspects of cellular mobile phones, in
particular with respect to the GSM and UMTS systems.
To the best of our knowledge, however, there has
been no investigation of the security of satellite
phones (abbr. satphones). Even though a niche market
compared to the G2 and G3 mobile systems, there are
several 100,000 satphone subscribers worldwide.
Given the sensitive nature of some of their
application domains (e.g., natural disaster areas or
military campaigns), security plays a particularly
important role for satphones.
In this paper, we analyze the encryption systems
used in the two existing (and competing) satphone
standards, GMR-1 and GMR-2. The first main
contribution is that we were able to completely
reverse engineer the encryption algorithms employed.
Both ciphers had not been publicly known previously.
We describe the details of the recovery of the two
algorithms from freely available DSP-firmware
updates for satphones, which included the
development of a custom disassembler and tools to
analyze the code, and extending prior work on binary
analysis to efficiently identify cryptographic code.
We note that these steps had to be repeated for both
systems, because the available binaries were from
two entirely different DSP processors. Perhaps
somewhat surprisingly, we found that the GMR-1
cipher can be considered a proprietary variant of
the GSM A5/2 algorithm, whereas the GMR-2 cipher is
an entirely new design. The second main contribution
lies in the cryptanalysis of the two proprietary
stream ciphers. We were able to adopt known A5/2
ciphertext-only attacks to the GMR-1 algorithm with
an average case complexity of 2³² steps. With
respect to the GMR-2 cipher, we developed a new
attack which is powerful in a known-plaintext
setting. In this situation, the encryption key for
one session, i.e., one phone call, can be recovered
with approximately 50–65 bytes of key stream and a
moderate computational complexity. A major finding
of our work is that the stream ciphers of the two
existing satellite phone systems are considerably
weaker than what is state-of-the-art in symmetric
on Satellite Telecommunication Systems
|Published on eprint.iacr.org
|While communication infrastructures rapidly
intertwine with our daily lives, public
understanding of underlying technologies and privacy
implications is often limited by their closed-source
nature. Lacking the funding and resources of
corporations and the intelligence community,
developing and expanding this understanding is a
sometimes tedious, but nonetheless important
process. In this sense, we document how we have
decrypted our own communication in the Thuraya
satellite network. We have used open-source software
to build on recent work which reverse-engineered and
cryptanalized both stream ciphers currently used in
the competing satellite communication standards
GMR-1 and GMR-2. To break Thuraya’s encryption
(which implements the GMR-1 standard) in a
real-world scenario, we have enhanced an existing
ciphertext-only attack. We have used common and
moderately expensive equipment to capture a live
call session and executed the described attack. We
show that, after computing less than an hour on
regular PC-hardware, we were able to obtain the
session key from a handful of speech data frames.
This effectively allows decryption of the entire
session, thus demonstrating that the Thuraya system
(and probably also SkyTerra and TerreStar, who are
currently implementing GMR-1) is weak at protecting
|Source code (top)
|In this section we make
available the reconstructed C-implementations of the
encryption algorithms found on the Thuraya SO-2510
(A5-GMR-1) and the Inmarsat IsatPhone PRO
Please note that
the respective hash-sums differ from previously posted hashes due
to added headers, minor editorial revisions and