The encryption of the first mobile Internet connection via GPRS could be bypassed for years without much effort, a current study shows. The researchers are certain: it cannot be a coincidence.
The gap has existed for decades: The technology used to encrypt the GPRS mobile radio standard can be levered out without much effort, as researchers from universities in France, Norway and Germany have shown in a joint study. This finding is particularly explosive because of the very clear classification of the gap: “It is extremely unlikely that it was a coincidence,” the researchers are certain.
The clear implication: The alleged gap is a back door to be able to read the data running over the connection. “It’s like a bicycle lock that you believe is safe, but has a weak point built in. If you know it, you can crack it in no time,” one of the researchers involved from the Ruhr University in Bochum told the “Süddeutsche Zeitung”. “In our case, no bike is gone, but the attacker can see what you are doing on the mobile Internet.”
“Like two sixes in the lottery”
It is not self-evident that the error was discovered, the algorithm used to encrypt the GPRS standard from 1998 onwards is secret, and the researchers came into possession of the program code of the first two versions of the encryption protocol from sources not mentioned. The error can be found in the first variant and lies in the fact that the keys used are considerably shorter than they should be. This allows the protection to be levered out quickly.
It couldn’t be a coincidence, the researchers concluded. In order to test their thesis, the researchers had a corresponding algorithm generated automatically. The result was clear: in one million tests, none was as unsafe as the one actually used. “You would have to win six correct numbers in the lottery on two Saturdays in a row, so it is so likely that it was not deliberately weakened,” said the researcher involved, Christof Beierle.
Political decision
In fact, the suspicion has meanwhile been confirmed: the encryption could not be implemented sufficiently strong, explained a spokesman for the European Institute for Telecommunications Standards responsible for development to “Vice”. It was a political decision. “We had to adhere to the requirements, the export control regulations did not allow stronger encryption at the time.” The researchers can only understand that to a limited extent. “In order to meet political claims, millions of users apparently had to live with being poorly protected while surfing,” the magazine quotes one of the Norwegian co-authors of the study.
The effects of the decision still make the Internet less secure today, but the risk is only very small due to the small number of connections via GPRS. The strength was already increased with the second variant of the encryption technology, the following standards UMTS and LTE are no longer affected anyway.
Even today, however, the gap is still not entirely without possible effects. If the network is poor, many mobile phone providers use GPRS as an emergency solution; the use of the vulnerable encryption version can also be forced under certain conditions. It is still used by many modern devices more than 20 years after its introduction: The researchers name, for example, the iPhone Xr, Samsung Galaxy S9 and Huawei P9 Lite as devices that can still transmit using the old standard. The association of mobile phone manufacturers and providers, the GSMA, is therefore already working on abolishing the standard entirely, according to the Süddeutsche Zeitung.
David William is a talented author who has made a name for himself in the world of writing. He is a professional author who writes on a wide range of topics, from general interest to opinion news. David is currently working as a writer at 24 hours worlds where he brings his unique perspective and in-depth research to his articles, making them both informative and engaging.
