German researchers claim they have found weaknesses in two commonly-used satellite encryption protocols that could render them vulnerable to eavesdropping in real time.
In the paper titled Don't Trust Satellite Phones (currently available only as an abstract), Benedikt Driessen and Ralf Hund of Ruhr University describe how they reverse engineered the GMR-1 and GMR-2 encryption algorithms or stream ciphers used to secure voice traffic on a range of commercial satellite networks.
The pair attacked different digital signal processor (DSP) firmware updates for two handsets, Thuraya’s GMR-1-based SO-2510, and Inmarsat’s GMR-2 IsatPhonePro, extracting the encryption keys used to secure communications in half an hour using a $2,000 setup.
According to an interview with the Daily Telegraph, the researchers believe a more powerful system could achieve the same results in real time, necessary in most cases for eavesdropping to be useful.
The market for satellite phones is extremely niche – explorations businesses, the military, rescue services – with up to half a million subscriptions worldwide.
Some caveats. The discoveries of Driessen and Hund are unlikely to worry the military or government, which invariably add extra layers of their own encryption, implemented in software on handsets, above and beyond GMR-1/2. An example of this would be Cellcrypt's Cellcrypt Mobile for Satellite software, and there will be FIPS-140-2 compliant equivalents available from other companies.
This theoretical attack is mainly for commercial users who don’t employ extra security and ETSI, the standards body that looks after GMR-1 and 2/.
“Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design,” said the researchers.
Interestingly, this reference to A5/2 echoes a hack of the A5/1 algorithm used to secure GSM phone calls two years ago by fellow-German researcher, Karsten Nohl. As with the latest attack, the important element of this was the ability to identify and capture the call stream, decrypting it in real time rather than doing so retrospectively or by deploying huge computing power.
Nohl followed this up last year with another and even more audacious attack based on a compromised Motorola handset.