New report finds early cell phone encryption algorithm was intentionally weakened by design
Researchers from universities across Europe recently published a paper in which they speculated that a weakness uncovered in the GEA-1 encryption algorithm wasn’t by chance. Turns out, they were right.
As Vice highlights, GEA-1 was used to encrypt cell phone data primarily in the 1990s and 2000s. The algorithm was originally said to offer full 64-bit security but in their cryptanalysis, the team found that its security was limited to just 40-bit, by design.
In its paper, the team said they obtained the proprietary GEA-1 and GEA-2 algorithms from a source that wished to remain anonymous. This allowed them to conduct a full analysis and discover the weakness, which seemed “unlikely to occur by chance.”
An attacker with the ability to intercept cell phone data traffic could have exploited the weakness to decrypt all messages in a session.
Vice reached out to the organization that designed GEA-1, the European Telecommunications Standards Institute (ETSI). In an e-mailed statement, a spokesperson admitted that the algorithm did contain a weakness, but that it was introduced because it had to be.
“We followed regulations: we followed export control regulations that limited the strength of GEA-1,” the spokesperson said.
The export regulations the spokesperson mentioned were common at the time. According to The Register, France had one such rule in place that banned anything over 40-bit encryption.
“To meet political requirements, millions of users were apparently poorly protected while surfing for years,” said Håvard Raddum, a researcher that worked on the paper.
The issue here, of course, is the fact that the GEA-1 standard made no mention of any export restrictions at the time.
The team additionally found that the GEA-2 algorithm was also susceptible to attack, albeit through a more technical approach. Fortunately, neither standard is widely used as newer algorithms are now preferred. Still, some countries and networks apparently still rely on then as a fallback.