GPRS-era mobile data encryption algorithm GEA/1 was 'weak by design', still lingers in today's phones The GEA/1 encryption algorithm used by GPRS phones in the 1990s was seemingly designed to be weaker than it appears to allow eavesdropping, according to European researchers. The algorithm was introduced in 1998 by the European Telecommunications Standards Institute (ETSI). It was supposed to provide 64-bit encryption for data …
Where do I start? Standards like this are created in standards organisations: ETSI, 3GPP, GSMA, IEEE, etc, etc, and are made up of employees of:
Telecoms operators
Handset providers
Network equipment manufacturers
Others
"Others" includes people like Apple. consultancies and...... Have a guess.....
@Claptrap314, you are forgetting that one of the Five Eyes is itself in Europe. And also that every country's intelligence agency wants to make things easier for themself to peek at communications, even their friends and neighbours, "just in case". I'd be more surprised if they weren't making "suggestions", either directly or indirectly, on how the encryption standard should work.
Public infrastructure is never going to be secure. There are too many interests to intercept. Therefore never trust the default "encryption" and use an encrypted tunnel you control. You would not use a telnet session inside an ipsec tunnel. You'd still use ssh. Also, you send pgp email, even though the general smtp links are tls links nowadays.
The examples are all a secure channel inside a supposedly secure channel. The security starts when you are in control.
The GEA/x encryption is between phone and service provider.
If government agencies want your data, they can go to the service provider and get it after it has been decrypted. Therefore, GEA is intended to guard against 'other' agencies (foreign, probably) snooping.
Whatever the case, you should be using your own secure channel on top of whatever your service provider supplies.
Same goes for all the VPN services that are popular now: they're guarding against an untrusted local ISP, but the data is still unprotected when it leaves the VPN provider.
I was counting on readers figuring that out quickly. There's our western "leader of the free world" (this makes many people want to puke, including me) telling the evil Russian - alleged - hackers to stop hacking. There's our free Western world putting in backdoors everywhere... Do the math.
In Germany, all 3G networks are being decommissioned at light-speed. At the same time, companies like O2 / Telefónica have failed with a widespread rollout of voice-over-LTE, and also, many phones don't support it.
The argument is, that in a few years time we'll have widespread 5G, which will fulfill what was promised (and so far underdelivered) for 4G/LTE years ago.
That leaves you with - again - 2G (!!) for voice in many places, which is decades old, totally insecure and sounds antique.
Beat that.
That's already been decommissioned in the US, and 3G is due for the chop next year. But as I understand it 2G will be around in most of Europe until the end of 2025. Maybe phones need a setting to allow you to disable 2G?
Not that anyone should believe LTE and 5G encryption is unbreakable, but I guess at least it is better. Anyone know if those standards allow "no encryption" so the forced downgrade attacks could still work or has that at least been fixed in those newer standards?
The existence of a few towers doesn't mean phones should still support it. I expect the modem Apple is working on will support LTE and 5G only, both to make the task easier and reduce the patent royalties and because the number of places that will have no LTE or 5G but are covered by 3G let alone 2G will be basically nonexistent by fall 2022 or 2023 when it is expected to appear.
Qualcomm will probably leave that stuff in forever because it is like real mode or segments in a modern x86 processor - it is easier to leave that stuff in there and not touch than try to remove it and worry about unknown dependencies.
As per the law n°90-1170, cryptography was free as long as the government had full access (art. 28, I, 1°)
https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000006421084/2002-01-01/
I feel terribly sorry now for having been a military weapons smuggler for years. At time, I even illegally exported them from the US *and* illegally imported them in France *on the very same day*.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
