After academic research revealed in the Summer 2021, that the initial GPRS encryption algorithm GEA-1 had almost certainly been intentionally weakened, and indicating potential flaws in GEA-2 too, P1 Security decided to re-implement these algorithms from the research paper and to release these implementations as open-source. This is done as part of an effort to help understanding the algorithms themselves, as well as the security flaws exposed by the researchers.
GPRS Evolution
GPRS has been developed in the 90’s, in order to reuse the GSM radio interface with the intent to transport packet-based communications. Similarly as with GSM, two distinct encryption algorithms have been proposed, and implemented in the handsets on the subscriber side, as well as the SGSN on the serving network side. And just like with GSM and A5/2, one of the two GPRS algorithms, GEA-1, has been significantly weakened, in order to ease cryptanalysis and passive decryption. But unlike A5/2, which support was removed from handset years ago, GEA-1 is still massively supported in recent terminals and modems.
At the time where these GSM and GPRS algorithms have been designed, it was believed that attacks over a digital radio interface could only be intended by the largest intelligence services. Moreover, the original encryption algorithms proposed for GPRS were built with an approximate lifetime of 10 years in mind. Unfortunately, GSM and GPRS have since been massively deployed all over the world, and encountered huge commercial success. Therefore, even if some operators started decommissioning their 2G networks (or are planning to), we probably will still have GSM and GPRS (together with SS7) functional all over the world in 2025, may be even in 2030, in 2040… Who knows?
Intercepting GPRS
With all the technological progress made in the last decades, it has now become easy for a “lonely” engineer to build a reliable GSM / GPRS interception system: building an active one being the easiest, but building a passive one being also feasible. So ideally, GEA1 (and GEA2 in the near future) should not only be phased out by operators, but also by handset manufacturers. The alternative algorithms GEA3 and GEA4 have been standardized more than 10 years ago as of today, and certain networks worldwide are still relying on GEA2, more rarely on GEA1 (according to this excellent report, certain operators even do not bother to encrypt GPRS communications…). To make things worse, no baseband manufacturer seems to be willing to stop supporting these in their products, thus leaving all subscribers more exposed to the interception of their GPRS communications; no matter whether they are a human trying nervously to refresh a dummy web page over a 42kb/s channel, or an industrial robot baking uranium pellets and reporting about the temperature of the oven.
A first warning was made in the very early 2010’s, when researchers around the osmocom-bb project and from SRLabs published results about the state of security of GPRS communication, including a warning stating that GEA-1 looked relatively weak. The cellular worldwide infrastructure is, however, a big beast, and sometimes requires more than a decade to address privacy issues. Fortunately, recently, a common effort was performed by researchers who published an excellent paper where they explained in great detail the inner workings of GEA-1 and GEA-2, and provided a very realistic cryptanalysis against GEA-1. It has been followed straight with an extended study and attack on GEA-1 and GEA-like stream ciphers in this other paper, too. In parallel, the Airbus Security Lab released an implementation for the key-recovery attack against GEA-1. One can only hope this helps executives to decide to definitively phase out GEA-1 (and 2) from infrastructures and handsets.
In order to further understand and study those two GPRS encryption algorithms, we at P1 Security decided to implement these from the concerned research paper, now published on GitHub. We produced a naive Python implementation first, in order to confirm we implemented them correctly, and then moved to more conventional implementations in C and Rust. We hope this can help further researchers to study these old algorithms, and help understanding the vulnerabilities they introduce in current GPRS networks and handsets.