The company that created the algorithm has admitted its mistake.
Researchers from various European institutions recently released a report in which they hypothesised that a flaw discovered in the GEA-1 encryption method was not by coincidence. They were correct, as it turned out.
According to Vice, GEA-1 was largely used to encrypt cell phone data throughout the 1990s and 2000s. The method was originally claimed to provide complete 64-bit security, however the researchers discovered that its security was intentionally reduced to 40 bits during their cryptanalysis.
In its paper, the team said they obtained the proprietary GEA-1 and GEA-2 algorithms from a source that wished to remain anonymous. This allowed them to conduct a full analysis and discover the weakness, which seemed “unlikely to occur by chance.”
An attacker with the ability to intercept cell phone data traffic could have exploited the weakness to decrypt all messages in a session.
Vice reached out to the organization that designed GEA-1, the European Telecommunications Standards Institute (ETSI). In an e-mailed statement, a spokesperson admitted that the algorithm did contain a weakness, but that it was introduced because it had to be.
“We followed regulations: we followed export control regulations that limited the strength of GEA-1,” the spokesperson said.
The export regulations the spokesperson mentioned were common at the time. According to The Register, France had one such rule in place that banned anything over 40-bit encryption.
“To meet political requirements, millions of users were apparently poorly protected while surfing for years,” said Håvard Raddum, a researcher that worked on the paper.
The difficulty here, of course, is that the GEA-1 standard at the time made no mention of any export limitations.
The researchers also discovered that the GEA-2 algorithm was vulnerable to assault, albeit via a more sophisticated method. Fortunately, neither standard is commonly utilised anymore, as newer algorithms are favoured. Nonetheless, it appears that certain nations and networks continue to rely on them as a backup.