Cybersecurity researchers in Europe claim to have found a vulnerability in a phone encryption algorithm that could have allowed attackers to eavesdrop on some data traffic for more than two decades.
Researchers from Germany, France, and Norway published a paper on Wednesday claiming that the vulnerability affects the GPRS (or 2G) mobile data standard.
GPRS remains a fallback for data connectivity in some countries, despite the fact that most phones now use 4G or even 5G standards.
According to the researchers, the security flaws in the GEA-1 algorithm seemed unlikely to have occurred by chance. Instead, the algorithm was most likely designed with the goal of providing a “backdoor” to law enforcement agencies and complying with regulations prohibiting the export of strong encryption tools.
Christof Beierle of the Ruhr University Bochum in Germany, a co-author of the paper, said: “According to our experimental analysis, having six correct numbers in the German lottery twice in a row is about as likely as having these properties of the key occur by chance.”
The GEA-1 algorithm was supposed to be taken out of mobile phones by 2013, but the researchers discovered it in current Android and iOS smartphones.
According to them, mobile phone manufacturers and standards organizations have been told about the flaw and have also been given instructions to fix it.
