Sunday, June 20, 2021

GSM data security in GPRS 2G

Mobile carriers have been phasing out older mobile technologies and frequencies, which makes older GPRS 2G service less prevalent. One form of attack is to purposefully force a downgrade to the older 2G service, which has weaknesses. A June 2021 paper, "Cryptanalysis of the GPRS Encryption Algorithms GEA-1 and GEA-2", describes how the 64-bit security is effectively only 40-bit. The authors speculate the standard was purposefully weakened.

There is no practical reason to allow modern phones to use 2G service, so users should disable this service. Android users can typically look in settings to turn off 2G service.

This leads to the obvious question of what vulnerabilities may exist in the newer 4G and 5G standards. Many people are beginning to use apps such as Signal, which runs its own security on top of whatever communications are being used (4G, 5G, or Wi-Fi).

While you are in Android settings, you may want to review the Google setting that allows silent installation of movement-tracking applications. It is not clear whether setting "COVID-19 Exposure Notifications" to off prevents silent installation of the tracking apps, or whether it allows the download but does not make the app visible to the user. Completely disabling installs will likely require stopping Google Play Services.