Why did the NSA not report this flaw to NATO before this became a standard? The NSA had differential cryptanalysis before anyone else. It is odd that they did not catch/report the problem.
In practice this isn’t a very useful attack. You need hours of encrypted and unencrypted data and you can then only decrypt the encrypted transmissions of the targeted node.
The NSA, if it knew about it, most likely did disclose the vulnerability; it was just deemed not significant enough to redesign, manufacture and re-issue millions of new radios.
These radios aren’t rated for secret communications anyhow. By the time you manage to decrypt what you want the information would likely be stale since all of the information passed over radios will be tactical in nature at best.
There are still other defenses like spread spectrum transmission and frequency hopping that make intercepts harder. The main threat model against radios isn’t actually message interception but rather basic SigInt that would be able to detect, identify and track transmissions.
On the battlefield that’s the most useful intelligence you’ll get especially during war time.
Any interception beyond that would take days if not weeks to be properly analyzed and disseminated; this isn’t something that is done at the regiment or division level.
Likely a honey trap. NATO’s adversaries can waste budget listening on this leaving the real comms unchecked, plus the advantage of throwing some false comms in the event of war.
I agree. I find it incredibly difficult to believe this wasn’t a known issue until now. The NSA/CIA have unbelievable computing and analysis power available.
Anyway, IDRTFA, but I hope this was at least reported before the release of the talk. This sort of thing could get a lot of people killed.
> This sort of thing could get a lot of people killed.
NATO is not at war. People aren't dying.
And I wouldn't be surprised if it's at least partly used to "leak" info to other state actors. Part of the cold war not turning hot was the mutual understanding of what went on in each bloc's military due to espionage. Without that, things could easily be misinterpreted (and almost were a couple of times, like with Able Archer, which emphasizes the importance of this).
Some things could not be shared officially but leaving it out in a not-fully-unbreakable form might well have been a way of hinting the enemy about intentions.
Ahem, NATO countries are assisting Ukraine in drone and missile attacks on Russia as we speak and foolishly floating the idea of adding Ukraine to NATO. Russian leadership has repeatedly said stuff along the lines of "Make no mistake, we are at war with NATO because Ukraine alone doesn't have the capabilities to do what it's been doing to attack us." So yes, NATO is essentially at war.
> While eastern European countries say some sort of a road map should be offered to Kyiv at a NATO summit in Vilnius on Tuesday and Wednesday, the United States and Germany are wary of any move that might take the alliance closer to war with Russia.
"Some" of NATO is clearly on board with it. The article says that the support must be unanimous, but I think we know who really runs NATO. At any rate, "some" of NATO is not "nobody in NATO" as you said. I could swear I hear these people talk about the issue every month or so.
Please be more specific than ‘they’. I’ll also remind you that journalists do not make policy, and policymakers don’t give a shit about journalists unless they’re trying to plant a story beneficial to them.
> "Some" of NATO is clearly on board with it. The article says that the support must be unanimous, but I think we know who really runs NATO. At any rate, "some" of NATO is not "nobody in NATO" as you said. I could swear I hear these people talk about the issue every month or so.
From the article you linked, emphasis mine:
‘While eastern European countries say some sort of a road map should be offered to Kyiv at a NATO summit in Vilnius on Tuesday and Wednesday, the United States and Germany are wary of any move that might take the alliance closer to war with Russia.’
It doesn’t matter if Poland and Lithuania want Ukraine in NATO, lmao. The US is NATO, and they’re not going to admit a country into NATO that is currently at war with Russia, it would immediately trigger Article V… which would either destroy NATO, or the world.
Even if Ukraine won the war and Russia retreated, there is far too much corruption in Ukraine for it to seriously be considered for NATO and EU at this point in time.
What you describe in C falls under A) are not that capable and did not know about it - investing all into offence means you're not capable in defense. Making sure the encryption of the major military alliance you're part of doesn't fall apart seems like a serious miss, no matter how we slice it. Be the reason bureaucratic, malicious or financial.
There're more options, but those require multiple nation states to work together in a conspiracy (everyone in the know) and all others to be incompetent. Given just publicly known facts and Occam's razor…
NATO Keys are distributed to every NATO member through distribution agencies. A good chunk of them (and the algorithms and cipher equipment) are produced by the US and shared (with some limitations) with NATO. I don't know the scope of algorithm sharing but I believe there are some limitations for NATO access to US-shared algorithms.
It's probably a case of 'nobody cares too much'. The standardization process is very long and the industry had probably already put them into their equipment.
ALE is not used that much and from what I can gather manual frequency establishment is often preferred. I'm not sure what the actual operational impact of this DoS would be, and if some spoofing is possible, but the actual communication is encrypted by different protocols depending on the type of comms (RATT, IP-like, Voice) so actually deciphering comms wouldn't be possible.
So you need 2 hours of both encrypted and unencrypted data at the same time to make this attack work; is this feasible? And if you just flip the switch on devices to use more bits in the encryption the attack becomes unfeasible. Piss poor that NATO never replied to them.
For those without a free hour to watch, here's the slide deck?
I am not a cryptography or digital radio expert, so grain of salt and all that.
Slide 14 shows real world feasibility, I think it's safe to say that while theoretically possible it's unlikely that this creates a significant real world issue. One bit of info I don't know - how long is a set of exchanged keys used for in most situations?