Study raises questions
“Like two sixes in the lottery one after the other”: was mobile communications deliberately poorly protected against eavesdropping?
Mobile phones are an indispensable part of our everyday life (symbol image)
© NoSystem images / Getty Images
The encryption of the first mobile Internet connection via GPRS could be leveraged for years without much effort, a recent study shows. The researchers are certain: a coincidence cannot be behind it.
The gap has existed for decades: The technology used for the encryption of the mobile radio standard GPRS can be leveraged without much effort, as researchers from universities in France, Norway and Germany showed in a joint work. This finding is particularly explosive because of the very clear classification of the gap:” It is extremely unlikely that this is a coincidence, ” the researchers are sure.
The clear implication: the supposed gap is a backdoor to be able to read the data running over the connection. “It’s like having a bike lock that you think is safe, but that has a vulnerability built in. If you know them, you can crack it in no time, “one of the researchers involved from the Ruhr University Bochum told the”Süddeutsche Zeitung”. “In our case, no bike is gone, but the attacker can see what you are doing on the mobile Internet.”
“Like two sixes in the lottery”
That the error was discovered is not self-evident, the algorithm used to encrypt the GPRS standard from 1998 is secret, the researchers came from unnamed sources into possession of the program code of the first two versions of the encryption protocol. The error is found in the first variant and lies in the fact that the keys used are considerably shorter than they should be. This allows the protection to be quickly levered out.
This could not be a coincidence, the researchers concluded. To test their thesis, the researchers had a corresponding algorithm automatically generated. The result was clear: In a million tests, no one was as uncertain as the one actually used. “Since you would have to win six correct numbers in the lottery on two Saturdays in a row, it is so likely that this was not deliberately weakened,” said the researcher involved Christof Beierle.
Political decision
In fact, the suspicion has now been confirmed: encryption has not been implemented sufficiently strongly, a spokesman for the European Institute for Telecommunications Standards responsible for development told “Vice”. This was a political decision. “We had to comply with the requirements, the regulations for export control did not allow stronger encryption at that time.”The researchers can understand this only to a limited extent. “In order to meet political demands, millions of users apparently had to live with being poorly protected while surfing,” the magazine quotes one of the Norwegian co-authors of the study.
The effects of the decision make the Internet even more insecure today, but the danger is only very small due to the small number of connections via GPRS. Already with the second variant of the encryption technology, the strength was increased, the following standards UMTS and LTE are no longer affected anyway.
Even today, however, the gap is not completely without potential effects. In case of a bad network, many mobile service providers use GPRS as an emergency solution, even the use of the vulnerable encryption version can be forced under certain conditions. This is still used by many modern devices over 20 years after the introduction: The researchers name iPhone Xr, Samsung Galaxy S9 and Huawei P9 Lite as devices that can also spark over the old standard. The Association of Mobile Manufacturers and Providers, the GSMA, is therefore already working to abolish the standard altogether, according to the Süddeutsche Zeitung.
Source: Study, Süddeutsche Zeitung, Vice
