A Practical Ciphertext-Only Attack on GMR-2 System

We present a ciphertext-only attack on the GEO-Mobile Radio Interface-2 (GMR-2) system for the first time. The GMR-2 is a satellite communication standard adopted by Inmarsat, a British satellite telecommunications company that offers global mobile services. The best publicly known attack on GMR-2 is a known plaintext attack called the inversion attack, proposed by Hu et al. in 2018. It recovers the 64-bit session key in 20 milliseconds when one keystream frame (15-byte) is available. Our contributions are twofold. First, we improve the previous inversion attack using a novel approach, pre-filtration. With our improvement, we can recover the session key in 4.5 milliseconds and 0.62 milliseconds using one and two keystream frames, respectively. Second, we propose a practical ciphertext-only attack on the GMR-2 by exploiting a vulnerability in the CIPHERING MODE COMMAND message type. We find that this message type only has $2^{11}$ degrees of freedom despite being transmitted in a 184-bit format. Additionally, we find that two or more keystream frames can be derived from a single message in four of the six channels through which this message type may be transmitted. Assuming the CIPHERING MODE COMMAND message type is transmitted using one of these four channels, we can iteratively guess the message and conduct a known plaintext attack to recover the session key. Thanks to the speed improvement achieved by our pre-filtration method, our ciphertext-only attack can recover the session key in 1.3 seconds.