According to new research, early cell phone encryption algorithms were purposely designed to be weak.

New report finds early cell phone encryption algorithm was intentionally weakened by design

The company that created the algorithm has admitted its mistake.

Researchers from various European institutions recently released a report in which they hypothesised that a flaw discovered in the GEA-1 encryption method was not a coincidence. They were correct, as it turned out.

According to Vice, GEA-1 was largely used to encrypt cell phone data throughout the 1990s and 2000s. The method was originally claimed to provide complete 64-bit security; however, during their cryptanalysis the researchers discovered that its security was intentionally reduced to 40 bits.

In its paper, the team said they obtained the proprietary GEA-1 and GEA-2 algorithms from a source that wished to remain anonymous. This allowed them to conduct a full analysis and discover the weakness, which seemed “unlikely to occur by chance.”

An attacker with the ability to intercept cell phone data traffic could have exploited the weakness to decrypt all messages in a session.


Vice reached out to the organization that designed GEA-1, the European Telecommunications Standards Institute (ETSI). In an e-mailed statement, a spokesperson admitted that the algorithm did contain a weakness, but that it was introduced because it had to be.

“We followed regulations: we followed export control regulations that limited the strength of GEA-1,” the spokesperson said.

The export regulations the spokesperson mentioned were common at the time. According to The Register, France had one such rule in place that banned anything over 40-bit encryption.

“To meet political requirements, millions of users were apparently poorly protected while surfing for years,” said Håvard Raddum, a researcher who worked on the paper.

The difficulty here, of course, is that the GEA-1 standard at the time made no mention of any export limitations.

The researchers also discovered that the GEA-2 algorithm was vulnerable to attack, albeit via a more sophisticated method. Fortunately, neither standard is commonly used anymore, as newer algorithms are favoured. Nonetheless, it appears that certain nations and networks continue to rely on them as a backup.


Image credit Konstantin Katuev, gonin
