Team breaks satphone security

Satellite telephony – long thought to be secure against eavesdropping – is nothing of the sort, say researchers.

A team from the Horst Görtz Institute for IT-Security (HGI) at the Ruhr University Bochum (RUB) say they’ve cracked the European Telecommunications Standards Institute (ETSI) encryption algorithms used globally for satellite telephones, and revealed significant weaknesses.

In less than an hour, and with simple equipment, they say, they found the crypto key needed to intercept telephone conversations. Using open-source software, they were then able to exploit security weaknesses.

In war zones, developing countries, on the high seas and in other areas where cellphone communication isn’t available, satellite phones are used instead.

The telephone is connected via radio directly to a satellite, which passes the incoming call to a station on the ground which, in turn, feeds it into the public telephone network. Until now, this method, which uses the ETSI encryption algorithms A5-GMR-1 and A5-GMR-2, was considered secure.

To crack this security, the team used commercially available equipment, and randomly selected two widely used satellite phones. A simple firmware update was loaded from the provider’s website for each phone.

The team then attempted to reconstruct the encryption mechanism – and found that the encryption of the GMR-1 standard showed similarities to the one used in GSM, the most common mobile phone system.

“Since the GSM cipher had already been cracked, we were able to adopt the method and use it for our attack,” says Benedikt Driessen, of the Chair for Embedded Security at the RUB.

To test this in practice, the research group recorded their own satellite telephone conversations and developed a new attack based on the analysis.

“We were surprised by the total lack of protection measures, which would have complicated our work drastically,” says Carsten Willems of the RUB.