This 90’s Encryption Backdoor Flaw Still Exists in Modern Devices

A recently discovered issue in the encryption algorithm GEA-1, which is used to encrypt data connections in mobile phones, is ringing cybersecurity alarms as it affects many mobile devices. Even newer models of smartphones are said to be affected.

This newly detected but decades-old cybersecurity threat is not some highly sophisticated and creative approach in defeating security controls. It is also not an aggressive attack that overwhelms servers or installs malicious software in systems. It is a vulnerability that may or may not have been used by bad actors over the past decades.

An intentionally weak encryption algorithm?

The problem was first disclosed by a research team from Ruhr-Universität Bochum (RUB). After analyzing the encryption algorithm GEA-1, they concluded that it is remarkably easy to break. The team suggested that it could be designed to be deliberately weak to serve as a backdoor.

GEA-1 was introduced by the European Telecommunications Standards Institute (ETSI) in 1998 to provide 64-bit encryption for data traffic such as email sending and web data transmission. The problem is that the researchers discovered that this algorithm reportedly only offers 40-bit encryption. Also, the way this algorithm’s encryption keys are subdivided makes the encryption relatively easy to decrypt.

RUB researcher Dr. Christof Beierl said that this algorithm weakness could not have been coincidental or unwitting. “According to our experimental analysis, having six correct numbers in the German lottery twice in a row is about as likely as having these properties of the key occur by chance,” Beierl said.

GEA-1 does not pass current standards for reliable data encryption. At present, more advanced standards are being employed including GEA-3, GEA-4, Triple DES, RSA, Blowfish, Twofish, The Advanced Encryption Standard (AES), and Elliptic Curve Cryptography (ECC).

The researchers thought that the GEA-1 algorithm should have already disappeared several years ago. It should have ceased existing in modern mobile devices as early as 2013, with the emergence of digital mobile phone standards beyond GPRS. The GEA-1 algorithm is associated with the now obsolete GPRS or 2G standard. However, the group of researchers revealed that they found the algorithm in current Android and iOS mobile phones.

The researchers say that GEA-1 is being kept in modern devices as a backup encryption algorithm in some Android and iOS devices including the Huawei P9 Lite and iPhone XR. The standards for these mobile devices specifically ban support for GEA-1. That’s why it is surprising how the algorithm is being used as a backup.

Similar issue with GEA-2

The research team also evaluated the GEA-2 encryption algorithm and found similar issues. Gregor Leander, one of the researchers involved in the study, mused that this second-generation algorithm was likely an upgrade intended to address the weaknesses of its predecessor. “GEA-2 was hardly better, though,” Leander said. If it is any consolation, Leander noted that the security weakness of GEA-2 was likely not intentional.

The details of the study are presented in Cryptology ePrint Archive: Report 2021/819. “In contrast, for GEA-2 we did not discover the same intentional weakness. However, using a combination of algebraic techniques and list merging algorithms we are still able to break GEA-2 in time 245.1 GEA-2 evaluations. The main practical hurdle is the required knowledge of 1600 bytes of the keystream,” the report wrote.

Impact of the vulnerability

In an interview with The Register, Professor Matthew Green of the Johns Hopkins Information Security Institute inferred the seeming pattern of deliberately weak encryption standards from the European standards bodies from the 1990s through the 2000s. “I think this was unfortunate and probably did damage to people in the long run,” Green suggested.

This security weakness can be rather easy to exploit. A rogue phone mast, for example, can downgrade the data traffic encryption of nearby devices to GEA-1. Phones that support the GEA-1 and GEA-2 algorithms will be forced to downgrade their encryption if an attacker manages to exploit the vulnerability.

“There are devices called Stingrays that do this for law enforcement, but I doubt law enforcement are the only people who have access to this technology,” Green said. Stingrays can successfully snoop usernames, passwords, and other unencrypted or minimally protected data, as they imitate the functions of a cellular tower, thus tricking mobile devices into connecting to them.

Unfortunately, the researchers did not release a full list of devices that are affected by this newly discovered old cyber threat. Device specifications nowadays also do not mention anything about GEA-1 and GEA-2 support. It would be difficult to determine if a device can be manipulated into downgrading its data encryption to GEA-1 or GEA-2.

However, since this problem has already been made public, manufacturers are likely to release security patches or firmware updates to address the threat. To avoid becoming victims of cyber-attacks that leverage the GEA-1 and GEA-2 vulnerabilities, it is important for everyone to make sure that they update their software or firmware.

GEA-1 support cannot be disabled through the settings of a smartphone or by some other DIY procedures. The only way to get rid of it is through a firmware/software update, something only the device manufacturers can do. Device users cannot get rid of GEA-1 on their own. Reformatting or flashing a new firmware to their devices is not going to solve the problem.

No need to panic

Despite the potential for the vulnerability to be taken advantage of by cybercriminals, the RUB research team said that it no longer poses a significant threat. “Even though intelligence services and ministers of the interior understandably want such backdoors to exist, they are not at all useful,”  the researchers said.

The main concern about this newly unveiled security threat is that it may be used by government bodies to spy on individuals or organizations. As the researchers declared, there is little to be worried about when it comes to governments using weak encryption as a backdoor. “After all, they are not the only ones who can exploit these vulnerabilities, any other attackers can exploit them as well. Our research shows: once a backdoor is implemented, it is very difficult to remove it,” the research team explained.

However, the threat of cybercriminals exploiting the vulnerability for their felonious objectives remains. Device users are not helpless against these threats, though. The key solution is to make sure that the devices used are properly updated.