[Security] Satellite phone encryption cracked
Security researchers have warned that the satellite phones relied on by businesses, charities and government agencies in trouble spots and emergencies worldwide can be easily intercepted and deciphered.
German academics said they had cracked two encryption systems used to protect satellite phone signals and that anyone with cheap computer equipment and a radio could eavesdrop on calls over an entire continent. Hundreds of thousands of satellite phone users are thought to be affected.
“We were able to completely reverse engineer the encryption algorithms employed,” said Benedikt Driessen and Ralf Hund of Ruhr University Bochum as they announced their report, "Don't Trust Satellite Phones".
The encryption algorithms are known as GMR-1 and GMR-2, and are standards used across satellite phone operators, including Thuraya, a leading provider. Their technology is widely used in the Middle East and Africa, including in some military applications.
Mr Driessen told The Telegraph that the equipment and software needed to intercept and decrypt satellite phone calls from hundreds of thousands of users would cost as little as $2,000. His demonstration system takes up to half an hour to decipher a call, but a more powerful computer would allow eavesdropping in real time, he said.
By publishing details of how to break the encryption, the researchers hope to prompt ETSI, the organization that sets the standards, to create stronger algorithms. A major problem with GMR-1 and GMR-2, Mr Driessen said, was that their details were kept secret, so security experts could not test them.
“This is actually already happening for mobile phones after their encryption was shown to be weak,” said Mr Driessen.
“They are now disclosing the encryption algorithms rather than keeping them secret, so they can be tested. This did not happen with satellite phones.”
As a result, sensitive organisations deploy extra layers of cipher software in their satellite phones. Experts have long suspected that government eavesdropping agencies and other clandestine attackers are able to monitor satellite phone networks on a large scale, so using additional encryption software is quite common, but not standard.
"Many government agencies, including the military, make many of their communications through their own technology," said Bjoern Rupp, chief executive of GSMK CryptoPhone, an encryption software firm.
"However, they often still rely on satellite phones to communicate with locals, back to HQ or people at home.
"With this announcement, it has been shown that the satellite handsets’ built-in encryption on these calls is no longer secure, which could pose a considerable threat to the armed forces and civilians alike."
The Telegraph understands that the problem does not affect Inmarsat satphones, as they do not use the ETSI GMR-1 and GMR-2 encryption.