For years, mobile data exchanged by cell phones (emails, photos, messages on social networks, etc.) have been able to be deciphered without realizing it. The two algorithms used to secure the transmission of data indeed have a flaw, discovered by a Franco-German team and uploaded on June 15, before being exhibited at the domain’s premier conference, Eurocrypt, next November. The worst part is that this weakness would have been voluntary, to satisfy trade rules prohibiting overly robust encryption systems.
“In less than thirty minutes, with a server having 4 processors with 256 cores in total, we can find the decryption key to read the data sent by a phone. Ten years ago, with the capabilities of the time, this would also have been doable in about a day ”, says Gaëtan Leurent, researcher at the National Institute for Research in Digital Sciences and Technologies (Inria), associated for this publication with colleagues from the universities of the Ruhr (Bochum, Germany), Rennes, Paris-Saclay, Versailles Saint-Quentin and CNRS.
Algorithms still in use
Even if their demonstration covers techniques replaced by others since 2013, these “old” algorithms still survive in phones released in 2018, even though they are supposed to be banned from these devices. The German company Umlaut indicates, in a report published on June 16, have even found an operator in Asia who was still using it in 2020. The researchers also believe it is possible to force a phone to switch to the old system, without the knowledge of its user, thus allowing decryption (except perhaps for connections to the web, where now an additional layer of encryption is applied).
“The reasons these systems persist is that their replacement is expensive. It requires updates not only of the software, but also of the hardware of the base stations where the antennas are located ”, recalls Bart Preneel, professor of cryptanalysis at the Catholic University of Louvain (Belgium), who did not take part in this study, which he considers “Excellent”. The systems concerned are linked to the so-called 2G (GPRS) or 2.5G (EDGE) mobile telephony standards and more particularly to two of their algorithms, GEA-1 and GEA-2, designed at the end of the 1990s and used to encrypt data. data other than voice (which is not encrypted).
You have 45.08% of this article left to read. The rest is for subscribers only.