Researchers in China have found a way to crack the encryption of satellite phones in real time. The new attack builds on a previous attack on satellite phone encryption that researchers from Germany discovered back in 2012. Both attacks target the GEO-Mobile Radio Interface (GMR) ciphers known as GMR-1 and GMR-2, which are used to encrypt satellite phone conversations made through providers such as ACeS, ICO, Inmarsat, SkyTerra, TerreStar, and Thuraya. The GMR ciphers were originally developed by the European Telecommunications Standards Institute (ETSI), a non-profit standardization organization. Satellite phones are often used in isolated places, at high elevation, and on ships at sea. ETSI is the same organization that developed the similarly insecure Global System for Mobile (GSM) cipher, which is used to encrypt transmissions for cellular phone networks.
In the Chinese researchers' new paper, they describe how their attack is much faster than previous attacks on GMR encryption. Their attack consists of three phases: table generation; dynamic table lookups, filtration and combination; and finally verification. Instead of using a known-plaintext attack like the previous researchers used, the Chinese researchers reverse engineered GMR encryption from the output keystream. “This again demonstrates that there exists serious security flaws in the GMR-2 cipher, and it is crucial for service providers to upgrade the cryptographic modules of the system in order to provide confidential communication,” the Chinese researchers are reported as saying by ZDNet.
A spokesman from Inmarsat claimed that the company had addressed the problem back in 2012, but cryptographic researchers are still warning not to trust the encryption on satellite phones. The encryption must have actually been broken well before the research from Germany came out in 2012, because intelligence agencies, militaries, and law enforcement have had the ability to intercept satellite communications for quite a while. Law enforcement and hackers can use devices to intercept satellite phones as well, similar to the way they can intercept cellular phone traffic through the use of IMSI catchers, which are more popularly known as Stingrays. Intelligence agencies from Five Eyes countries such as the United States’ NSA and NRO and the United Kingdom’s GCHQ have been listening in on satellite phone conversations for decades through their ECHELON surveillance program.
In 2008, the Israeli Ministry of Defense gave approval to Elta Systems Ltd., a branch of state-owned Israel Aerospace Industries Ltd., to export the EL/K-7099 portable satellite interception device. The EL/K-7099 can intercept satellite phone calls made with L-band satellite providers such as Globalstar, Inmarsat, Iridium, and Thuraya. The EL/K-7099 is portable and utilizes a laptop computer. At the time, a company from the United Kingdom called K9 Electronics was also selling a similar device for intercepting satellite phone communications. The device from K9 Electronics intercepts satellite phone calls made over L-band satellite streams, in addition to being able to intercept satellite data from Asia Pacific Mobile Telecommunications satellites.
Documents leaked by whistleblower Edward Snowden and published by Der Spiegel show that a GCHQ listening post known as GCHQ Bude, which is one of the many ECHELON listening stations positioned around the world, was intercepting entire country-to-country satellite communications. These intercepts included communications from officials in the German government. In the security analysis published by the German researchers in 2012, titled “Don’t Trust Satellite Phones”, they found that another cipher used for some satellite phone traffic encryption, called Universal Mobile Telecommunications System (UMTS), and the related Wideband Code Division Multiple Access (W-CDMA) were also vulnerable to being intercepted and decrypted. W-CDMA is used by 3G mobile networks, but is also used in the Mobile User Objective System (MUOS) of military satellites. It seems clear that if a user plans to talk or text on a satellite phone, they should be using additional encryption that is strong and not already cracked. There are adapters that convert regular Android and iOS smartphones into satellite phones, and if you are using one of those, you can use encrypted voice and text apps such as Signal or Tox to avoid having your communications easily decrypted and snooped on. You definitely shouldn’t trust just the basic encryption provided on satellite phone networks.