International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
A Review on Security Analysis of Satellite Phones
Mr. Mayur B. Kachare1, Dr. Umesh S. Bhadade2
1
ME-Ist (Digital Electronics), 2Prof. and Head of Electronics and Telecommunication Department
12
S.S.B.Ts C.O.E.T. Bambhori, Jalgaon,
North Maharashtra University, Jalgaon- 425001, Maharashtra (India)
Abstract— There is lots of work related to the security of cellular
phones with respect to GSM and UMTS. But as per the survey
there is not a proper investigation related to the security aspects
of satellite phones. Security plays an important role for satellite
phones because of their application domains which are sensitive
in nature (e.g., natural disaster areas or military areas).
In this paper, the encryption systems used in two
existing satellite phones standards, GMR-1 and GMR-2 are
analysed. In result of this survey leads to the fact that the GMR-1
cipher can be considered a proprietary variant of the GSM A5/2
algorithm, whereas GMR-2 cipher is a new design. The stream
ciphers of two existing satellite phones systems are weaker than
what is state-of- the-art in symmetric cryptography.
Keywords— Cryptanalysis, Geostationary Earth Orbit (GEO)
mobile radio interface (abbr. GMR), GSM, Linear shift feedback
register (abbr. LFSR), Mobile security, Satellite phones (abbr.
Satphones)
frequencies for communication i.e. forward link and
reverse link. Radio energy always lost over distance,
so mobile must stay near to the cell site or base
station.
However, it is not always practically possible to
be close to a cell site and there are many areas
where no coverage is possible like workers on an
oil rig or on board of a ship, researchers on a field
trip in a desert or near the poles, people living in
remote areas or areas that are affected by a natural
disaster, or certain military and governmental
systems.
To
overcome
this
limitation,
satellite
telecommunication systems were introduced that
Cellular is one of the fastest growing and most
provide telephony and data services based on
demanding telecommunications applications. Today,
telecommunications satellites. In such systems, the
it represents a continuously increasing percentage
mobile handset (typically called satellite phone)
of all new telephone subscriptions around the world.
communicates directly with satellites in orbit and
Currently there are more than 50 million cellular
thus coverage can be provided without the need of
subscribers worldwide. It is forecasted that cellular
an infrastructure on the Earth’s surface.
systems using a digital technology will become the
universal method of telecommunications. The
II. BACKGROUND
concept of cellular service is the use of low-power
transmitters where frequencies can be reused within
At this point, there are two satphone standards
a geographic area.
that were both developed in the past few years:
Throughout
the
evolution
of
cellular
telecommunications, various systems have been
1. Geostationary Earth Orbit (GEO) Mobile
developed without the benefit of standardized
Radio Interface (GMR-1) is a family of
specifications. This presented many problems
ETSI standards that were derived from the
directly related to compatibility, especially with the
terrestrial cellular standard GSM. In fact,
development of digital radio technology. Hence, a
the specifications of GMR are an extension
system with high capacity, high transmission
of the GSM standard, where certain aspects
quality with total mobility was developed known as
of the specification are adjusted for
Global system for mobile communication (GSM).
satphone settings [1].
In cellular phones, each mobile uses a separate,
temporary radio channel to talk to the cell site. The
2. The GMR-2 family is also an ETSI standard
cell site talks to many mobiles at once, using one
that is even closer to GSM. It deviates from
channel per mobile. Channels use a pair of
the GMR-1 specifications in numerous ways
I. INTRODUCTION
ISSN: 2231-5381
http://www.ijettjournal.org
Page 153
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
Fig. 3 Layout of a geostationary orbit telephone network [9]
A. Satellite Telecommunication system
Fig. 1 The Thuraya SO-2510 phone [1]
Fig. 2 The Inmarsat IsatPhone Pro [1]
[1]; most notably the network architecture is
different.
There are two popular satellite phones that
represent typical handsets:
A geostationary orbit telephone network consists
of a set of satellites and terrestrial gateway/control
stations, as depicted in Fig. 3 [9]. Gateway stations
provide the connectivity to any tethered networks,
e.g., telephone calls to a landline are forwarded to
the public switched telephone network (PSTN).
Satellite operators also run additional control
facilities for maintenance and configuration
purposes.
Both types of transmissions employ conventional
wavelength (C-Band) signals. Each satellite serves
a specific region, with each region being further
subdivided by several spot beams. This mainly
allows transferring multiple signals from different
regions on equal frequencies. The system uses long
wavelength transmission (L-Band) for spotbeams.
B. Satellite Telephone Architecture
In general, the architecture of satellite phones is
similar to the architecture of cellular phones [11].
Both types of phones have to perform a lot of signal
processing due to speech processing and wireless
1. The Thuraya SO-2510 phone implements communication, thus they typically ship with a
the GMR-1 standard. It was released in dedicated digital signal processor (DSP) for such
November 2006 and one of the most popular purposes. DSPs are also suitable for executing
cryptographic algorithms, which makes DSP code a
handsets sold by Thuraya shown in Fig. 1.
prime candidate for holding GMR cipher code.
2. The Inmarsat IsatPhone Pro implements the
The core of the phone is a standard
GMR- 2 standard and supports functions
microprocessor
(usually an ARM-based CPU) that
such as voice telephony and text/email
messaging. It was introduced in June 2010 serves as the central control unit within the system.
This CPU initializes the DSP during the boot
by Inmarsat as shown in Fig. 2.
process. Furthermore, both processors share at least
parts of the main memory or other peripheral
Here is the necessary background information to devices to provide inter-processor communication.
understand the basics of satellite telephone systems,
Satellite telecommunication systems are related
and the architecture of the mobile handsets.
to terrestrial cellular systems, the GMR-1 standard
ISSN: 2231-5381
http://www.ijettjournal.org
Page 154
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
is for example derived from the GSM standard.
Briceno et al. published in 1999 the implementation
of the GSM A5/1 and A5/2 algorithms, which they
apparently obtained by reverse engineering an
actual GSM handset [12].There has been lots of
work on the security analysis of the ciphers used
within GSM [13]–[21]. A5-GMR-1 is related to the
A5/2 algorithm used within GSM, but the
configuration of the cipher is different.
III. SECURITY ANALYSIS OF GMR-1
A satphone Thuraya SO-2510 was used as an
Fig. 4 The OMAP1510 [22]
example of GMR-1 standard by investigators. The
inventors didn’t analyze any other GMR-1 satellite
to spot cryptographic terms are found in the
phone, but since the protocol is standardized they
literature
[2]–[4].
were confident that this analysis results apply to all
other GMR-1 phones as well.
B. Structure of the Ciphers
The over-the-air privacy of GSM telephone
conversations is protected by the A5 stream cipher.
A. Hardware
The Thuraya SO-2510 runs on a Texas This algorithm has two main variants: The stronger
Instruments OMAP 1510 platform. The core of the A5/1 version is used by about 130 million
platform is an ARM CPU along with a TI C55x customers in Europe, while the weaker A5/2
DSP processor. This information can be taken from version is used by another 100 million customers in
corresponding strings in the binary and from other markets. The approximate design of A5/1 was
pictures of the actual components soldered on the leaked in 1994, and the exact design of both A5/1
circuit board [22]. Fig. 4 shows a high-level and A5/2 was reverse engineered by Briceno from
overview of the architecture.The DSP code can be an actual GSM telephone in 1999 [12].
located in either the on-chip SARAM (which holds
96 KB of memory) or in the SRAM, which is 1) A5/1 Stream Cipher: A GSM conversation is sent
as a sequence of frames every 4.6 millisecond.
accessed through the memory interface controller
Each frame contains 114 bits representing the
(MIC). The official OMAP1510 documents suggest
digitized A to B communication, and 114 bits
predefined memory regions to be used by the
representing
the
digitized
B
to
A
ARM-MMU for mapping this memory area [22].
communication. Each conversation can be
encrypted by a new session key K. For each
Since GMR-1 is derived from GSM so, the cipher
frame, K is mixed with a publicly known frame
algorithm employed in GMR-1 bears at least some
counter Fn, and the result serves as the initial
resemblance to the A5/2 cipher from GSM. Due to
state of a generator which produces 228 pseudo
the nature of this algorithm (e.g., the presence of
random bits. These bits are XOR'ed by the two
feedback shift registers), the cipher code is bound to
parties with the 114+114 bits of the plaintext to
contain a lot of bit shift and XOR operations. Hence,
produce the 114+114 bits of the ciphertext.
an analysis tool within IDA Pro was implemented
that counts the occurrences of such instructions in
A5/1 is built from three short linear feedback
each function and sets them in relation to the total
number of instructions in the function. Similar ideas shift registers (LFSR) of lengths 19, 22, and 23 bits,
which are denoted by R1; R2 and R3 respectively.
The rightmost bit in each register is labelled as bit
zero.
ISSN: 2231-5381
http://www.ijettjournal.org
Page 155
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
Fig. 5 A5/1 Stream Cipher [15]
The taps of R1 are at bit positions 13, 16, 17, 18;
the taps of R2 are at bit positions 20, 21; and the
taps of R3 are at bit positions 7, 20, 21, 22 shown
Fig. 5 [15]. When a register is clocked, its taps are
XOR’ed together, and the result is stored in the
rightmost bit of the left-shifted register. The three
registers are maximal length LFSR's with periods
219 −1, 222 −1, and 223 −1, respectively.
3) A5-GMR-1 Cipher: The cipher used in GMR-1 is
a typical stream-cipher. Its design is a modification
of the A5/2 cipher [14], [19], which is used in GSM
networks. The cipher uses four linear feedback shift
registers (LFSR) which are clocked irregularly
named as R1, R2, R3 and R4; Fig. 7 [1] shows the
schematic of the structure. Comparing A5/2 and
A5-GMR-1; for most registers the feedback
polynomials and also the selection of input taps for
They are clocked in a stop/go fashion using the the non-linear majority function M with
following majority rule: Each register has a single
M: {0, 1}3 → {0, 1}
“clocking" tap (bit 8 for R1, bit 10 for R2, and bit
x → x2 x1 ⊕ x2x0 ⊕ x0x1
10 for R3); each clock cycle, the majority function were changed, Table-I shows the details [1]. Also,
of the clocking taps is calculated and only those the positions of the bits that are XOR’ed with the
registers whose clocking taps agree with the respective outputs of the majority functions are
majority bit are actually clocked. At each step either different. For curious reasons, all feedbacktwo or three registers are clocked, and that each polynomials have five polynomials.
register moves with probability ¾ and stops with
probability ¼ [16].
TABLE I
2) A5/2 Stream Cipher: The operation of A5/2 cipher
is similar to A5/2 only structural differences are
there as shown in Fig. 6 [14].
CONFIGURATIONS FOR THE LFSRS [1]
Size
Feedback Polynomial
Taps
Final
R1
19
x19 +x18 +x17+x14+1
1,6,15
11
R2
22
x22 +x21 +x17+x13+1
3,8,14
1
23
22
19
18
R3
23
x +x +x +x +1
4,15,19
0
R4
17
x17+x14+x13+x9+1
1,6,15
-
Fig. 6 A5/2 Stream Cipher [14]
ISSN: 2231-5381
http://www.ijettjournal.org
Page 156
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
Fig. 7 A5-GMR-1 Cipher [1]
Clocking single LFSR means evaluating its
respective feedback polynomial and using the
resulting bit to overwrite the leftmost position of
the LFSR after shifting its current state by one bit to
the right. When the cipher is clocked for the l-th
time with irregular clocking active, the following
happens:
in a certain way. However, the specific mapping is
not relevant in the remainder.
3) I is clocked into all four registers, i.e., R1 is
clocked and one bit of I is xor’ed with the
feedback-bit, R2 is clocked and xor’ed with the
same bit of I, etc. While doing this, no irregular
clocking takes place, i.e., the taps of R4 are not
evaluated.
(1) The irregular clocking component C evaluates 4) The least-significant bits of all four registers are
all taps of R4, the remaining registers are clocked set to
accordingly, i.e.,
1, i.e., R1,0 = R2,0 = R3,0 = R4,0 = 1.
a) Iff M (R4,1, R4,6, R4,15) = R4,15, register R1 is
Now the cipher is switched into generation mode
clocked.
and clocked for 2∙m times, generating one bit of
b) Iff M (R4,1, R4,6, R4,15) = R4,6, register R2 is keystream at a time. Where, 250 ≤ l ≤ 250 + 2∙m is
clocked.
the number of irregular clocking and N the framec) Iff M (R4,1, R4,6, R4,15) = R4,1, register R3 is number that was used for initialization.
clocked.
Experimentally, there are several variants of this
(2) The taps of R1, R2, and R3 are evaluated and one attack possible on different channels, even more so
bit of keystream is output accordingly, i.e.,
when multiple frames are used. These attacks have
Zl = M (R1,1, R1 6, R1,15) ⊕ M (R2,3, R2,8, R2,14) ⊕ a lower computational complexity but require more
M (R3,4, R4,15, R3,19) ⊕ R1,11 ⊕ R2,1 ⊕ R3,0 is ciphertext [1].
generated.
(3) R4 is clocked.
IV. SECURITY ANALYSIS OF GMR-2
A5-GMR-1 is operated in two modes,
initialization and generation mode. Running the
To obtain the code responsible for implementing
cipher in former mode includes setting the initial
the cipher according to the GMR-2 standard, the
state of the cipher, which is done in the following
investigators analyzed the latest publically available
way:
firmware image of the Inmarsat IsatPhone Pro,
1) All four registers are set to zero.
which was released in June 2010. Only Inmarsat
2) A 64-bit initialization value I is computed by
handsets support the GMR-2 standard at this point
xor’ing the 19-bit frame-number N and 64-bit key K
and these results apply to all satphones.
ISSN: 2231-5381
http://www.ijettjournal.org
Page 157
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
A. Hardware
The Inmarsat IsatPhone Pro runs on an analog
devices LeMans AD6900 platform. The core of the
platform is an ARM 926EJ-S CPU, which is
supplemented by a Blackfin DSP as shown in Fig. 8
[21]. This architecture can be deduced from plain
text strings within the firmware image. An
operating system function that returns information
on the underlying hardware of the system and this
function return the platform name as a static string.
Both CPUs connect to the same bus interface,
which is attached to the system RAM, any external
memory that might be present as well as the shared
peripherals (e.g., SIM card, keypad, SD/MMC slots,
etc.). The system is initialized by the boot ROM
code of the ARM CPU. The ARM CPU then has
the task to initialize the DSP for further operations.
However, a correct mapping of the DSP code and
data section is required since correct references in
subroutine calls or string references from within the
code are crucial to disassemble and understand the
code Therefore, inventors reverse-engineered [1]
the very first initialization routines in the Blackfin
code, which turned out to hold a DSP memory
initialization routine that builds the DSP code and
data from the firmware image into another memory
region (presumably RAM). In the firmware image,
the actual DSP code and data regions are stored as
multiple chunks of data that are either uninitialized
(i.e., filled with null bytes) or initialized. Initialized
blocks are repeated consecutively in memory
multiple times. The Meta information for each data
chunk (i.e., chunk type, block length, etc.) is
pretended as a header. The first chunk starts at a
fixed address and each header also contains an
offset to the next chunk in memory. As no
encryption or compression for the DSP code and
data is used within the firmware, the corresponding
firmware regions can be extracted directly. This
information was helpful to investigators to
reconstruct the actual memory layout of the DSP in
RAM. The DSP code also contains plenty of
demodulation and speech encoding algorithms that
naturally bear some resemblance to cryptographic
algorithms in that they make extensive use of
mathematical operations.
ISSN: 2231-5381
Fig. 8 The LeMans AD6900 Platform [21]
In order to further narrow down the relevant code
parts, inventors created [1] the forward call graphs
of all nine thread routines and computed the
intersection of all the nodes in the graphs. The idea
behind this approach is that in every case the stream
cipher has to be called eventually, regardless of the
actual purpose of the thread. The intersection
greatly reduces the candidate set of code regions
from about 140 subroutines to only 13 functions
shared by all threads (not including further nested
subroutine calls). In the last step, they analyzed
these remaining functions manually. At first, this
analysis revealed the subroutine which encodes the
TDMA-frame counters into a 22-bit frame-number.
Shortly after this function, the actual cipher code is
called. The algorithm itself, as explained in the next
section, is completely dissimilar to A5/2, which
also explains why one is not able to spot the cipher
with the same methods as in the analysis of GMR-1.
B. Structure of the Cipher
After having obtained the cipher’s assembler
code, they found a more abstract description in
order to enhance intuitive understanding of its way
of functioning. We arbitrarily chose to split the
cipher into several distinct components which
emerged after examining its functionality.
http://www.ijettjournal.org
Page 158
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
are known to the attacker, it is possible to recover a
session key with a moderate computational
complexity, allowing the attack to be easily
performed with a current PC.
The cipher code inside the firmware was not
specifically protected against reverse-engineering
efforts. The difficulty in reconstructing both
algorithms thus stems from the inherent complexity
in analyzing large pieces of code. If software
Fig. 9 The A5-GMR-2 Cipher [1]
engineers had employed state-of-the art obfuscation
The cipher uses a 64-bit encryption-key and schemes, the analysis could have been at least
operates on bytes. When the cipher is clocked, it complicated
significantly.
Furthermore,
generates one byte of keystream, which was implementing the ciphers in hardware would also
denoted by Zl, where l represents the number of hamper reverse-engineering.
clocking. The cipher exhibits an eight byte state
REFERENCES
register S = (S0, S1, . . . , S7)28 and three major
components we call F, G, and H. Additionally, [1] B. Driessen, R. Hund, C. Willems, “Don’t Trust Satellite Phones: A
there is a 1-bit register T that outputs the so-called Security Analysis of Two Satphone Standards”, in IEEE Symposium on
Security and Privacy, 2012.
“toggle-bit”, and a 3-bit register C that implements
a counter. Figure 9 provides a schematic overview [2] Z. Wang, X. Jiang, W. Cui, X. Wang, and M. Grace, “ReFormat:
Reverse Engineering of Encrypted Messages,” in European
of the cipher structure. The detailed cryptanalysis is Automatic
Symposium on Research in Computer Security (ESORICS), 2009.
given in [1].
[3] J. Caballero, P. Poosankam, C. Kreibich, and D. Song, “Dispatcher:
Enabling Active Botnet Infiltration using Automatic Protocol ReverseEngineering,” in ACM Conference on Computer and Communications
Security (CCS), 2009.
V. CONCLUSIONS
Though there is a large body of work related to
the security aspects of the GSM, there had been no
scientific or other publicly available investigation
of the security mechanisms employed by the two
existing satphone standards, GMR-1 and GMR-2.
Contradictory to the practice recommended in
modern security engineering, both standards rely on
proprietary algorithms for voice encryption. Even
though, it is impossible for us to decide whether
this is due to historic developments or because of
secret algorithms to provide a higher level
“security”.
GMR-1 relies on a variant of the GSM cipher
A5/2, for which serious weakness have been
demonstrated for more than a decade. The GMR-2
cipher, which appears to be an entirely new stream
cipher, shows even more serious cryptographic
weaknesses. In the case of GMR-1, an attacker can
mount a successful ciphertext-only attack. With
respect to the GMR-2 cipher, in a known-plaintext
setting where approximately 50–65 bytes plaintext
ISSN: 2231-5381
[4] F. Gröbert, C. Willems, and T. Holz, “Automated Identification of
Cryptographic Primitives in Binary Programs,” in Symposium on Recent
Advances in Intrusion Detection (RAID), 2011.
[5] D. Wright, “Reaching out to remote and rural areas: Mobile satellite
services and the role of Inmarsat,” Telecommunications Policy, vol. 19, no. 2,
pp. 105 – 116, 1995.
[6] D. Matolak, A. Noerpel, R. Goodings, D. Staay, and J. Baldasano, “Recent
progress in deployment and standardization of geostationary mobile satellite
systems,” in Military Communications Conference (MILCOM), 2002.
[7] ETSI, ETSI TS 101 376-3-2 V1.1.1 (2001-03); GEO-Mobile Radio
Interface Specifications; Part 3: Network specifications; Sub-part 2: Network
Architecture; GMR-1 03.002, Std., 2001.
[8] G. Maral and M. Bousquet, Satellite Communications Systems: Systems,
Techniques and Technology, 5th ed. John Wiley & Sons, 2009.
[9] Jim Geovedi and Raoul Chiesa, “Hacking a Bird in the Sky,” in
HITBSecConf, Amsterdam, 2011.
[10] ETSI, ETSI TS 101 376-3-9 V1.1.1 (2001-03); GEO-Mobile Radio
Interface Specifications; Part 3: Network specifications; Sub-part 9: Security
related Network Functions; GMR- 1 03.020, Std., 2001.
[11] H. Welte, “Anatomy of contemporary GSM cellphone hardware,” 2010.
[Online].
Available:
http://laforge.gnumonks.org/papers/gsm_phoneanatomy-latest.pdf
[12] M. Briceno, I. Goldberg, and D. Wagner, “A pedagogical
implementation of the GSM A5/1 and A5/2 “voice privacy” encryption
http://www.ijettjournal.org
Page 159
International Journal of Engineering Trends and Technology (IJETT) – Volume 10 Number 3 - Apr 2014
algorithms,” 1999, originally published at http://www.scard.org, mirror at
http://cryptome.org/ gsm-a512.htm.
[13] J. D. Golic, “Cryptanalysis of alleged A5 stream cipher,” in Proceedings
of the 16th annual international conference on Theory and application of
cryptographic techniques, ser. EUROCRYPT’97. Springer-Verlag, 1997, pp.
239–255.
[14] S. Petrovic and A. Fuster-Sabater, “Cryptanalysis of the A5/2 Algorithm,”
Cryptology ePrint Archive, Report 2000/052, Tech. Rep., 2000,
http://eprint.iacr.org/.
[15] E. Biham and O. Dunkelman, “Cryptanalysis of the A5/1 GSM Stream
Cipher,” in Indocrypt, 2000.
[16] A. Biryukov, A. Shamir, and D. Wagner, “Real Time Cryptanalysis of
A5/1 on a PC,” in Fast Software Encryption (FSE), 2000.
[17] P. Ekdahl and T. Johansson, “Another Attack on A5/1,” IEEE
Transactions on Information Theory, vol. 49, no. 1, 2003.
[18] A. Bogdanov, T. Eisenbarth, and A. Rupp, “A Hardware- Assisted
Realtime Attack on A5/2 Without Precomputations,” in Cryptographic
Hardware and Embedded Systems (CHES), 2007.
[19] E. Barkan, E. Biham, and N. Keller, “Instant Ciphertext-Only
Cryptanalysis of GSM Encrypted Communication,” Journal of Cryptology,
vol. 21, March 2008.
[20] K. Nohl and C. Paget, “GSM: SRSLY?” 2009, 26th Chaos
Communication Congress.
[21] Jose Fridman, Analog Devices. How to optimize H.264 video decode on
a
digital
baseband
processor.
[Online].
Available:
http://www.eetimes.com/General/DisplayPrintViewContent?contentItemId=4
016202
ISSN: 2231-5381
http://www.ijettjournal.org
Page 160