MoD unfazed by satellite phone encryption crack
The Ministry of Defence has said a satellite phone encryption crack by researchers will not affect UK military use of satellite phones.
The crack of the A5-GMR-1 and A5-GMR-2 encryption algorithms will not affect military operations, the Ministry of Defence (MoD) told ZDNet UK on Wednesday.
"All military users of mobile satellite communication systems are aware of the potential threats to such systems and are briefed explicitly that they are only authorised to pass unclassified information (both voice and data) over these systems," an MoD spokeswoman said in an email statement. "Protected information is never sent over an unclassified system, unless it is being employed in conjunction with an accredited secure device."
ZDNet UK understands that the MoD requires additional encryption to transmit classified information.
MI5 and the Secret Intelligence Service (SIS) declined to comment on use of satellite phones by the intelligence services. "We don't comment on operational security cases," a spokeswoman for the intelligence services told ZDNet UK on Tuesday.
Satellite phones are used by organisations operating outside the coverage range of mobile phones — shipping, oil and gas exploration, and military use for example. A satellite phone establishes a radio link to a satellite, which transmits the incoming call to a ground station. The call is then passed to a telephone network.
The A5-GMR-1 and A5-GMR-2 encryption algorithms are embedded in two commonly-used satellite phone standards — GMR-1 and GMR-2.
German researchers claimed to have cracked the A5-GMR-1 and A5-GMR-2 encryption algorithms in two papers and an FAQ published on Tuesday. Researchers from Ruhr-University Bochum used open-source software and techniques associated with cracking GSM encryption to find "serious weaknesses" in the algorithms, they claimed.
The researchers obtained the algorithms by analysing software running on Thuraya SO-2510 and Inmarsat IsatPhone Pro phones. The Thuraya phone used the GMR-1 standard, according to the researchers.
"We have shown that we can decrypt communications secured according to the GMR-1 standard," said the researchers. "As a proof-of-concept, we have intercepted our own downlink (i.e. data sent from the satellite) speech data in the Thuraya network."
To intercept the communication, the researchers used a helical antenna connected to a universal software radio peripheral (USRP). To capture and demodulate speech data, the researchers used a PC running GNURadio and OsmocomGMR open-source software.
The researchers were not able to reproduce the conversation that had taken place on the Thuraya phone, as they did not know the speech codec for GMR-1. The codec is currently being reverse engineered by the OsmocomGMR open-source project, said the researchers.
Thuraya, a Dubai-based satellite phone and communications company, had not responded to requests for comment at the time of writing.
For the Inmarsat phone, the researchers said they had found a theoretical attack that they had not implemented. The researchers said that a known-plaintext attack — where an attacker knows or guesses at parts of the encrypted message — would work against A5-GMR-2 and the proprietary Inmarsat algorithm GMR-2+.
Inmarsat said on Wednesday that the theoretical attack detailed by the researchers was "a little bit of a stretch".
Using the method detailed by the researchers would only feasibly enable one half of a conversation to be intercepted, Inmarsat vice president of external affairs Chris McGaughlin told ZDNet UK. The researchers used antennas that intercept L-Band communications, which would only work to intercept the half of the call coming from the satellite (downlink), and would not reliably intercept the Inmarsat transmission going to the satellite (uplink), which uses C-Band.
Interception of the uplink satellite transmission would require a six-metre radio dish and supercomputing capabilities to scan the range of bands used by the satellite, said McGaughlin.
Customers that were concerned about protecting conversations using Inmarsat phones could add an additional layer of encryption, said McGaughlin. Inmarsat does not currently provide that encryption layer itself, but is considering offering military-grade encryption, McGaughlin added.
Benedikt Driessen, one of the researchers on the project, told ZDNet UK on Wednesday said that the attack against GMR-2 was likely to work.
"The attack we have performed targets Thuraya (GMR-1) only and does not apply to Inmarsat (GMR-2)," said Driessen in response to email questions. "That said, it is likely that something similar can be performed for Inmarsat, but we have not done so." Driessen said the researchers recorded the downlink for Thuraya, and didn't need to perform the attack during the call. "We record the entire call from start to end, do some analysis and after 30 minutes we have the encryption key for the call," said Driessen. "In fact, for our demo I just used a 20 seconds call."
Driessen said it was possible to record the entire call by intercepting L-Band communications.
"In my understanding of the specs, the entire satellite [to] satphone communication is using the L-band [for both] up- and downlink," said Driessen. "I don't see where the C-band fits into this, because this is mainly used for communication between satellite [to] gateway, which we don't need."
Driessen added that he and Inmarsat appeared to be talking at cross-purposes in their comments.
"I was talking about decryption, which is, given a working attack on the GMR-2 downlink which extracts the encryption key, trivial," said Driessen. "They are talking about reception: the downlink is broadcast to a huge area. They address the issue that — in order to receive uplink data from the L-band — the attacker would have to be quite close to the victim (the output power of the satphone is quite low). It seems this can apparently be overcome by listening to the C-band on which the satellite broadcasts uplink data from the phone, to the ground station which forwards this to landlines."