The iPhone XR also used the GEA-1 encryption standard
Photo: Marcio Jose Sanchez / picture alliance / dpa / AP
For decades, cellular data was apparently easier prey for criminal hackers or secret services than was widely assumed: Security experts from Germany, France and Norway believe that programmers deliberately built a security hole into the encryption of the 2G cellular network in the 1990s.
According to the research report (PDF), data transmitted via GPRS and EDGE is encrypted far more weakly than promised. When the GEA-1 encryption standard was published in 1998, it was stated that 2G cellular data is encrypted with a 64-bit key. The scientists found, however, that it is effectively only 40-bit encryption, which can be broken with comparatively little effort. With a successful brute-force attack it would have been possible both to read an individual's e-mails and to record which websites they visited.
Gregor Leander of the research team rules out a programming mistake. Together with seven colleagues, the IT expert examined the source code of the GEA-1 cipher, which had been kept secret for a long time and had now been leaked to them. In an interview with SPIEGEL, the professor from the CASA cybersecurity team at Ruhr-Universität Bochum says: "It doesn't happen by chance." It took the research team about a week to discover the vulnerability in the source code. "It's a totally inconspicuous place in the code," says Gregor Leander.
According to Leander, the crux of the matter is the 40-bit encryption.
Until the year 2000, 40 bits was the maximum key length permitted in Europe and the USA for software that was also intended for export.
The calculated probability that precisely this bit size in GEA-1 is an oversight is about as likely as winning the lottery twice in a row, says the researcher.
40-bit keys are much easier to crack
Even if a difference of 24 bits sounds like little at first, the consequences are enormous, because the strength of the encryption doubles with every additional key bit.
"I can crack a 40-bit key with my laptop," says Leander.
"For 64-bit I need almost 17 million times more performance and thus an entire data center."
Because of the artificially reduced encryption, it was theoretically possible for attackers to break the cipher if they knew only 65 bits of the plaintext, e.g. a sequence of seven letters or punctuation marks.
It would have been enough to know that the victim would type "http://" at a certain position in the browser's address bar in order to decrypt the rest of the data.
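The two ideas above, that a stream cipher with a shortened effective key is cheap to brute-force and that a predictable prefix such as "http://" hands the attacker the keystream bits needed to test key candidates, can be shown on a toy scale. The following is added example code, not code from the paper or from any GEA implementation: it defines a made-up 16-bit toy cipher whose key setup silently discards the upper 8 bits (the same pattern as 64 nominal versus 40 effective bits), and all key values, the plaintext and the ciphertext are constructed for the demonstration.

```python
"""Toy illustration of 'effective key length' in a stream cipher.

Constructed example, NOT GEA-1: a made-up 16-bit toy cipher whose key setup
discards half the key, so only 8 bits influence the keystream. The article's
real-world figures (64 nominal bits, 40 effective bits) follow the same pattern.
"""

NOMINAL_BITS = 16    # what the toy cipher advertises
EFFECTIVE_BITS = 8   # what actually reaches the keystream generator


def keystream(key: int, nbytes: int) -> bytes:
    """Toy keystream generator: an 8-bit Fibonacci LFSR with feedback taps at
    bits 0, 2, 3 and 4 (polynomial x^8 + x^6 + x^5 + x^4 + 1). The 'weak key
    setup' is the mask below: the upper 8 key bits never touch the state."""
    state = key & ((1 << EFFECTIVE_BITS) - 1)   # only the low bits survive
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = state & 1                      # output bit is the LSB
            fb = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 4)) & 1
            state = (state >> 1) | (fb << (EFFECTIVE_BITS - 1))
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: int, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt   # stream cipher: the same XOR undoes the encryption


def recover_key(ciphertext: bytes, known_prefix: bytes, search_bits: int):
    """Known-plaintext attack on the toy cipher: XOR the known prefix against
    the ciphertext to obtain keystream bits, then enumerate 2**search_bits
    candidates until one reproduces them. Returns (key, candidates_tried)."""
    target = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    for trials, cand in enumerate(range(1 << search_bits), start=1):
        if keystream(cand, len(known_prefix)) == target:
            return cand, trials
    return None, 1 << search_bits


def keys_equivalent(k1: int, k2: int, nbytes: int = 32) -> bool:
    """True if two keys yield the same keystream, i.e. the bits in which
    they differ are dead bits that add nothing to the security."""
    return keystream(k1, nbytes) == keystream(k2, nbytes)


def work_ratio(nominal_bits: int, effective_bits: int) -> int:
    """How many times more work a full-length search needs than the effective one."""
    return 1 << (nominal_bits - effective_bits)


# Constructed sample: a secret key and a request whose first seven bytes are
# predictable, as in the article's "http://" example.
SECRET_KEY = 0xBEEF
PLAINTEXT = b"http://example.invalid/private-page"
CIPHERTEXT = encrypt(SECRET_KEY, PLAINTEXT)


def demo() -> dict:
    key, trials = recover_key(CIPHERTEXT, b"http://", EFFECTIVE_BITS)
    return {
        "effective_key": key,                       # low 8 bits of SECRET_KEY
        "trials": trials,                           # at most 2**8, not 2**16
        "recovered_plaintext": decrypt(key, CIPHERTEXT),
        "dead_bits_confirmed": keys_equivalent(SECRET_KEY, SECRET_KEY ^ 0xFF00),
        "nominal_space": 1 << NOMINAL_BITS,
        "effective_space": 1 << EFFECTIVE_BITS,
        "ratio_64_vs_40": work_ratio(64, 40),      # the "almost 17 million" figure
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things are worth noting in the output. First, the recovered key is only the effective 8 bits, yet it decrypts the whole message, because any key that agrees in those bits produces the same keystream; that is exactly what makes the advertised key length meaningless. Second, `work_ratio(64, 40)` returns 2^24 = 16,777,216, which is the "almost 17 million times more performance" Leander refers to; the defence is not a longer nominal key but a key schedule in which every key bit actually affects the state.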
A spokeswoman for the European Telecommunications Standards Institute (ETSI) told SPIEGEL that GEA encryption plays no role in modern mobile communications standards.
On Thursday the international mobile communications standards body 3GPP decided that manufacturers are advised not to use either GEA-1 or GEA-2.
GEA-1 is also banned from older mobile radio standards, and GEA-2, whose effective strength the researchers calculate at 45 bits, is strongly discouraged.
At the end of the nineties, transmission via GPRS and EDGE at up to 220 kilobits per second was the fastest way to surf the Internet while on the move.
The standard is now out of date.
3G followed a few years later; nowadays most smartphones access their data via LTE or even 5G at rates of several hundred megabits per second.
Apple and Samsung respond to vulnerabilities
However, some current smartphones still rely on the risky encryption technology.
According to the researchers, comparatively modern phones such as the Samsung Galaxy S9 and the iPhone XR (both launched in 2018) and the Huawei P9 Lite from 2016 fall back to the GSM network, with its nationwide coverage, in areas with poor reception, and with it to GEA-1 encryption.
According to the scientists, at least metadata can still be accessed in these cases.
According to the »Süddeutsche Zeitung«, the manufacturers have already responded to the research group's advice.
Samsung intends to gradually remove support for GEA-1 from all Galaxy devices by means of a software update.
Apple ended support for GEA-1 for iPhone models 7 to 11 with the update to iOS 14.5 in April.
With iOS 15, this should also be implemented for the iPhone SE and the iPhone 6s.
Nowadays, however, the vulnerability poses little danger.
This is not only because phones now rarely fall back to the GSM network.
Websites and apps are also better protected today by SSL encryption, which secures data on its way from the user to the server independently of the cellular link.
It is also no longer common for the source code of international standards to remain secret. "Today the algorithms are usually open-source," says Leander.