Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards

@article{Driessen2012DontTS,
  title={Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards},
  author={Benedikt Driessen and Ralf Hund and Carsten Willems and Christof Paar and Thorsten Holz},
  journal={2012 IEEE Symposium on Security and Privacy},
  year={2012},
  pages={128-142}
}
There is a rich body of work related to the security aspects of cellular mobile phones, in particular with respect to the GSM and UMTS systems. […] We were able to adopt known A5/2 ciphertext-only attacks to the GMR-1 algorithm with an average case complexity of 2^32 steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50-65…
An experimental security analysis of two satphone standards
TLDR
Develop and demonstrate more practical attacks on A5-GMR-1, summarize current research results in the field of GMR-1 and GMR-2 security, and shed light on the amount of work and expertise it takes from setting out to analyze a complex system to actually break it in the real world.
Eavesdropping on Satellite Telecommunication Systems
  • B. Driessen
  • Computer Science
    IACR Cryptol. ePrint Arch.
  • 2012
TLDR
It is demonstrated that the Thuraya system (and probably also SkyTerra and TerreStar, who are currently implementing GMR-1) is weak at protecting privacy.
A real-time inversion attack on the GMR-2 cipher used in the satellite phones
TLDR
This paper proposes an unprecedented real-time inversion attack using a single-frame keystream of the GMR-2 cipher and demonstrates that the 64-bit encryption-key could be recovered in approximately 0.02 s on average.
The (in)security of proprietary cryptography
TLDR
The technical part of this doctoral dissertation presents serious weaknesses in widely deployed proprietary cryptosystems, which are still actively used by billions of consumers in their daily lives.
Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer
TLDR
This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation of the Megamos Crypto transponder and proposes a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.
SECURED RFID MUTUAL AUTHENTICATION SCHEME FOR MIFARE SYSTEMS
TLDR
A scheme to improve the mechanisms for authentication, no additional secret parameters into the standard, solely by readers and tags communication between the timing of the change of use of the secret parameters.
Wirelessly lockpicking a smart card reader
TLDR
Reverse engineered all security mechanisms in the HID iClass including cipher, authentication protocol and also key diversification algorithms, which are published in full detail, and found six critical weaknesses that are exploited in two attacks, one against iClass Standard and one against iClass Elite.
Initialisation flaws in the A5-GMR-1 satphone encryption algorithm
TLDR
Analysis of the initialisation process for the keystream generator reveals serious flaws which significantly reduce the number of distinct keystreams that the generator can produce, making generic time-memory tradeoff attacks on the cipher feasible.
A Low Data Complexity Attack on the GMR-2 Cipher Used in the Satellite Phones
TLDR
An efficient known plaintext attack is proposed to recover the encryption key (a session key with 64-bit) with approximately 5–6 frames (50–65 bytes) of keystream for the newly designed GMR-2 cipher.
A real-time attack on the GMR-2 encryption algorithm in satellite phones
TLDR
Using the relationship of the rows of the two s-boxes and outputs of the F coordinate, the GMR-2 algorithm is attacked, and the happening probability of read-collision is deduced, and its mathematical expectation is analyzed.

References

Eavesdropping on Satellite Telecommunication Systems
  • B. Driessen
  • Computer Science
    IACR Cryptol. ePrint Arch.
  • 2012
TLDR
It is demonstrated that the Thuraya system (and probably also SkyTerra and TerreStar, who are currently implementing GMR-1) is weak at protecting privacy.
Real Time Cryptanalysis of A5/1 on a PC
TLDR
New attacks on A5/1 are described, which are based on subtle flaws in the tap structure of the registers, their noninvertible clocking mechanism, and their frequent resets, which make it vulnerable to hardware-based attacks by large organizations, but not to software-based attacks on multiple targets by hackers.
A Practical-Time Related-Key Attack on the KASUMI Cryptosystem Used in GSM and 3G Telephony
TLDR
A new type of attack is described called a sandwich attack, and it is used to construct a simple related-key distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2^-14, which indicates that the modifications made by ETSI’s SAGE group in moving from MISTY to KASUMI made it extremely weak when related-key attacks are allowed.
Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication
TLDR
A very practical ciphertext-only cryptanalysis of GSM encrypted communication, and various active attacks on the GSM protocols, which allow attackers to tap conversations and decrypt them either in real-time, or at any later time.
Anatomy of contemporary GSM cellphone hardware
TLDR
This paper is an attempt to serve as an introductory text into the hardware architecture of contemporary GSM mobile phone hardware anatomy and is intended to widen the technical background on mobile phones within the IT community.
Cryptanalysis of Alleged A5 Stream Cipher
TLDR
A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is pointed out and successful if T .
Cryptanalysis of the A5/2 Algorithm
An attack on the A5/2 stream cipher algorithm is described, that determines the linear relations among the output sequence bits. The vast majority of the unknown output bits can be reconstructed. The
A Hardware-Assisted Realtime Attack on A5/2 Without Precomputations
TLDR
A hardware-only attacker immediately recovers the initial secret state of A5/2 - which is sufficient for decrypting all frames of a session - using a few ciphertext frames without any precomputations and memory.
Another attack on A5/1
TLDR
This article presents a completely different attack on A5/1, based on ideas from correlation attacks, where the complexity of the proposed attack is almost independent of the shift-register length.
Cryptanalysis of Alleged A5 Stream Cipher
TLDR
A time-memory trade-off attack based on the birthday paradox which yields the unknown internal state at a known time for a known keystream sequence is pointed out, and a so-called internal state reversion attack is proposed and analyzed by the theory of critical and subcritical branching processes.