Overview
A few months ago Dutch newspaper de Volkskrant published a very interesting article describing how, according to secret Iranian documents obtained by the newspaper, the Islamic Revolutionary Guard Corps (IRGC) was attempting to procure encrypted, non-western satellite phones due to increasing distrust of Iranian communications infrastructure in light of the Iran-Israel war.
In this series of articles, we will delve into the previously unexplored Tiantong-1 satellite system, Huawei's Mate 60 Pro smartphone, and a general overview of satphone security.
According to the Volkskrant article the IRGC was looking specifically for satphones working with China’s Tiantong-1 satellite system, such as the Huawei Mate 60 Pro smartphone. Supposedly, 50 such devices had already been delivered through Pakistan.
This article is the second report this year of Tiantong-based satphones being used in attempts to avoid surveillance of conventional cellular telco infrastructure, with both reports mentioning a Pakistani connection. On April 22nd, an attack in Pahalgam killed 26 tourists as part of a long-running separatist insurgency in Jammu and Kashmir. The attack was initially claimed and later disavowed by an offshoot of the Pakistan-based Lashkar-e-Taiba (LeT) militant group. Indian accusations of Pakistani support for separatist militants and Pakistani denials and counter-accusations eventually led to an ongoing crisis and brief military conflict.
Interestingly, Indian media [1] [2] reported that Indian intelligence had detected Huawei Tiantong-1 smartphones in the vicinity of the attack on the day it occurred. While the reporting doesn’t explicitly state how these phones were detected, the wording suggests the phones were not confiscated physically but detected through some sort of Signals Intelligence (SIGINT) capability. The reporting also cites unnamed Indian experts claiming Tiantong-based satphones could potentially bypass Indian cellular and satcom surveillance systems and also maintain communications during network shutdowns.
Another cited advantage of the Huawei Tiantong-1 smartphones for covert operations is that they are visually indistinguishable from regular smartphones. Conventional satphones, by contrast, have bulky form factors and external antennas, so the Huawei devices blend in far better in civilian environments. This is particularly relevant in India, which has banned unauthorized satphone usage since 2012 after repeated usage of Thuraya and Iridium satphones by militants (such as during the 2008 and 2011 Mumbai attacks). According to media reporting, Indian authorities consider satphones a high risk due to the complexity of real-time tracking and the difficulty of obtaining Call Detail Records (CDR) from foreign-owned satellite operators. Indeed, according to U.S. diplomatic cables leaked by Wikileaks, the UAE-based Thuraya company had not released its records to any agency from Pakistan, India, or the US in the wake of the 2008 Mumbai attacks and was considered unlikely to do so without government pressure. Several other countries (including China, Russia, Bangladesh, Chad, and parts of Pakistan and Nigeria) have also banned or restricted satphones citing similar security concerns.
Comprehensive details on Tiantong (TT) are scarce. Tiantong-1 (天通一号) is China’s first self-developed and self-built mobile communications satellite system, envisioned as an alternative to foreign satcom infrastructure such as Inmarsat or Starlink and part of China’s Belt and Road Initiative. It is developed by China Aerospace Science and Technology Corporation (CASC) and operated through subsidiary China SatCom, with telecommunication operations handled by China Telecom. Its envisioned usage ranges from communications in areas without cellular coverage or during emergencies to (I)IoT applications such as power system monitoring.
The space segment currently consists of 3 geostationary orbit satellites (the first of which launched in 2016), with some reports mentioning a planned 4th satellite. Together, current coverage reportedly accounts for China, Asia-Pacific, the Middle East and parts of Africa. TT satellites are built on the DFH-4 (Dongfanghong-4) platform, China's 3rd generation high-capacity communication satellite bus. The satellites have a user communications payload in the S-band and ground station communications payloads in the Ku-band and C-band. The user communications capabilities support voice, short message, and data transfer with rates between 9.6 and 384 kbps. TT equipment typically reports S-band frequency ranges of TX 1980-2010 MHz and RX 2170-2200 MHz.
The ground segment is sparsely documented but is said to consist of the usual elements such as ground control stations for telemetry, tracking, and command (TT&C) and several gateway stations connecting the SATCOM network with various other communication networks (PSTN, PLMN, internet, etc.).
Finally, there are the end-user devices. While by no means exhaustive, the following devices were found to have Tiantong-1 support:
Most reports indicate no dedicated Tiantong SIM cards are required and existing cellular SIM cards can be used (provided they have Tiantong services enabled) since the system is intended to unify communication services for seamless switching.
There is almost no conclusive information regarding the underlying technology used for TT's satphone services. However, with a bit of digging one can find two recent academic papers [1] [2], both of which describe Tiantong as using "2G GMR" (which they use as a confusing synonym for GMR-1 3G). A 2024 report from the "8th Space Information Networks Symposium" describes Tiantong as a GMR-2 system. Finally, technical details on the MLink MS150 narrow-band GMR satcom chip [1] [2] mention that it supports both Tiantong and (known GMR-based) Thuraya in L-/S-band, suggesting the former is GMR based as well. There are also some additional mentions [1] [2] of 3GPP IoT NTN standard voice and data services being offered through TT's S-band.
GEO-Mobile Radio Interface (GMR) is an ETSI standard for satphones heavily modelled after GSM. There are two GMR variants: GMR-1 (with flavors GMR-1, GMPRS, and GMR-1 3G) used by Thuraya, and GMR-2 used by Inmarsat/IsatPhone. TT is documented to operate in the S- and C-bands, which matches GMR-1's operation in the L-/S- and C-/Ku-bands but not GMR-2's operation in the L- and C-bands only. Some further sleuthing (using Chinese search terms this time around) leads to this patent application, which mentions Tiantong-1 is based on GMR-1 3G. Other Chinese sources indicate TT is partially based on "the 3GPP standard" in the context of "LTE standard for satellite communication systems". Given that GMR-1 3G is (where applicable) derived from terrestrial digital cellular 3GPP standards and supports access to 3GPP core networks, this makes sense, and it seems quite likely Tiantong's communications technology is (at least partially) based on GMR-1 3G. The Mexsat and TerreStar communications satellite systems are also based on GMR-1 3G.
It is important to understand the relation between the GMR-1 standards and terrestrial digital cellular standards. GMR (release 1) specifications are derived from GSM (phase 2) and introduce GMR-1. The GMR (release 2) specifications subsequently add packet mode services through the introduction of GEO-Mobile Packet Radio Service (GMPRS) which are derived from GPRS. GMR (release 3) specifications evolve packet mode services to 3rd generation Universal Mobile Telecommunications System (UMTS) compatible services with the introduction of GMR-1 3G. Where applicable, GMR-1 3G is derived from 3GPP with some necessary divergences.
It is not immediately obvious what ciphers are or could be used by Tiantong-1, assuming it is GMR-1 3G based. ETSI's GMR-1 3G standards documents indicate ciphering is performed either in the RLC (Radio Link Control) sub-layer or MAC (Media Access Control) sub-layer and that the cipher architecture is specified in the 3G Security Architecture document ETSI TS (1)33 102. In addition, explicit mentions of AES are also encountered. The 3G Security Architecture document specifies ciphering algorithms for access link data confidentiality and integrity. For confidentiality, it specifies several flavors of the UMTS Encryption Algorithm (UEA). For integrity, it specifies several flavors of the UMTS Integrity Algorithm (UIA). In addition, the documents also refer to LTE specifications TS 35.215. To confuse matters further, some documents also refer to A5/1-7, GEA/1-7, and GIA/1-7.
The complexity is well summarized in this blogpost by Ericsson which presents a great overview of the authentication, key derivation, confidentiality, and integrity ciphers used in terrestrial mobile networks and how there are many different names for essentially the same underlying ciphers with similar parameters depending on the context of their usage. While the image doesn't show it, 256-bit variants of some of the ciphers are possible too.
Based on this, it seems GMR-1 3G allows for using the ciphers UEA0-2 and EEA2 for confidentiality and the ciphers UIA1-2 and EIA2 for integrity. Indeed, documents from the South-Korean manufacturer Asia-Pacific Satellite Inc. (APSI), whose chips are used in several satphones such as the Thuraya XT, indicate its "POLARIS" GMR-1 3G baseband supports GEA, UEA, UIA, and AES-128/256 ciphers. Regardless, the relevant underlying primitives are KASUMI, SNOW 3G, and AES.
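To make the "many names, same primitives, similar parameters" point concrete, here is an added example (my own code, not code from this post, from Huawei, or from any Tiantong or 3GPP implementation) of the two AES-based algorithms named above: 128-EEA2 (AES-128 in CTR mode) for confidentiality and 128-EIA2 (AES-CMAC truncated to 32 bits) for integrity, as laid out in 3GPP TS 33.401 Annex B. Both feed the same COUNT, BEARER and DIRECTION parameters into the same AES primitive; only the mode differs. The CMAC construction follows RFC 4493. Assumptions: the EIA2 helper handles byte-aligned messages only, and the vectors in main are the spec's 128-EEA2 test set 1.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Header builds the 64-bit prefix COUNT(32) || BEARER(5) || DIRECTION(1) || 0^26
// that TS 33.401 Annex B puts in front of both the EEA2 counter block and the
// EIA2 MAC input: same primitive, same parameters, two algorithm names.
func Header(count uint32, bearer, direction uint8) [8]byte {
	var h [8]byte
	binary.BigEndian.PutUint32(h[:4], count)
	h[4] = (bearer&0x1f)<<3 | (direction&0x01)<<2 // BEARER in bits 7..3, DIRECTION in bit 2
	return h
}

// EEA2 applies 128-EEA2 (AES-128 in CTR mode) to lengthBits bits of data. The
// same call decrypts, since CTR is its own inverse. Bits past lengthBits in the
// final byte are cleared, as the spec requires.
func EEA2(key []byte, count uint32, bearer, direction uint8, lengthBits int, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := (lengthBits + 7) / 8
	if n > len(data) {
		return nil, fmt.Errorf("lengthBits %d exceeds %d bytes of data", lengthBits, len(data))
	}
	h := Header(count, bearer, direction)
	iv := make([]byte, aes.BlockSize) // T0 = header || 0^64; CTR increments the 128-bit block
	copy(iv, h[:])
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, data[:n])
	if rem := lengthBits % 8; rem != 0 {
		out[n-1] &= byte(0xff << (8 - rem))
	}
	return out, nil
}

// leftShiftReduce doubles a 128-bit value in GF(2^128) (RFC 4493 subkey step).
func leftShiftReduce(in [16]byte) (out [16]byte) {
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i] = in[i]<<1 | carry
		carry = in[i] >> 7
	}
	if carry == 1 {
		out[15] ^= 0x87 // reduce modulo x^128 + x^7 + x^2 + x + 1
	}
	return
}

// AESCMAC returns the full 128-bit AES-CMAC tag of msg (RFC 4493).
func AESCMAC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	var l [16]byte
	block.Encrypt(l[:], l[:]) // L = AES_K(0^128)
	k1 := leftShiftReduce(l)
	k2 := leftShiftReduce(k1)
	nblocks := (len(msg) + 15) / 16
	if nblocks == 0 {
		nblocks = 1
	}
	var last [16]byte
	copy(last[:], msg[(nblocks-1)*16:])
	if len(msg) > 0 && len(msg)%16 == 0 {
		for i := range last { // complete final block: XOR with K1
			last[i] ^= k1[i]
		}
	} else {
		last[len(msg)-(nblocks-1)*16] = 0x80 // pad 10...0, then XOR with K2
		for i := range last {
			last[i] ^= k2[i]
		}
	}
	x := make([]byte, 16)
	for i := 0; i < nblocks-1; i++ {
		for j := 0; j < 16; j++ {
			x[j] ^= msg[i*16+j]
		}
		block.Encrypt(x, x)
	}
	for j := 0; j < 16; j++ {
		x[j] ^= last[j]
	}
	block.Encrypt(x, x)
	return x, nil
}

// EIA2 computes the 32-bit 128-EIA2 MAC-I: AES-CMAC over header || message,
// truncated to the leftmost 32 bits. Assumption: byte-aligned messages only.
func EIA2(key []byte, count uint32, bearer, direction uint8, msg []byte) ([]byte, error) {
	h := Header(count, bearer, direction)
	in := make([]byte, 0, len(h)+len(msg))
	in = append(in, h[:]...)
	in = append(in, msg...)
	tag, err := AESCMAC(key, in)
	if err != nil {
		return nil, err
	}
	return tag[:4], nil
}

func main() {
	// 128-EEA2 test set 1 from TS 33.401 Annex C.1 (253-bit message).
	key, _ := hex.DecodeString("d3c5d592327fb11c4035c6680af8c6d1")
	pt, _ := hex.DecodeString("981ba6824c1bfb1ab485472029b71d808ce33e2cc3c0b5fc1f3de8a6dc66b1f0")
	want, _ := hex.DecodeString("e9fed8a63d155304d71df20bf3e82214b20ed7dad2f233dc3c22d7bdeeed8e78")
	ct, _ := EEA2(key, 0x398a59b4, 0x15, 1, 253, pt)
	fmt.Printf("EEA2 matches spec vector: %v\n", bytes.Equal(ct, want))
	back, _ := EEA2(key, 0x398a59b4, 0x15, 1, 253, ct)
	fmt.Printf("EEA2 round trip: %v\n", bytes.Equal(back, pt))
	mac, _ := EIA2(key, 0x398a59b4, 0x15, 1, pt)
	fmt.Printf("EIA2 MAC-I over the same parameters: %x\n", mac)
}
```

The design point worth noticing is that BEARER and DIRECTION are bound into the counter block and into the MAC input, so the same key can be used for uplink and downlink and across radio bearers without keystream reuse; a network that accepted a terminal's request to drop from EEA2 to a weaker algorithm (or to no integrity protection) would lose nothing in AES itself, which is why the fallback question below matters more than the primitive.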
This is important because ETSI's mobile networking cryptography standards have a history of weak and backdoored proprietary ciphers. For example, the A5-GMR-1 cipher [1] used in GMR-1 is an LFSR-based stream cipher with a 64-bit key. This cipher is derived from GSM's intentionally weakened A5/2 cipher. The A5-GMR-2 cipher used in GMR-2 is a byte-oriented stream cipher with a 64-bit key combining a key scheduler, a linear mixing function, and a non-linear filter based on DES S-boxes. While not intentionally weakened, A5-GMR-2 also proved critically flawed. Similarly, the GEA-1 cipher used in GPRS [1] was also found to be an intentionally weakened LFSR-based stream cipher with a 64-bit key. GEA-2, which has found further adoption in GMPRS, has a similar structure and despite not being intentionally weakened was also found to be cryptographically weak. Subsequent cryptanalytic efforts have resulted in extremely practical attacks on these ciphers:
Discounting academic and less practical (such as related key) attacks, KASUMI and SNOW-3G have held up fairly well. However, KASUMI as used in A5/3 and GEA-3 utilizes a 64-bit key which recent work has shown can be broken in at most 38 hours using 2400 RTX 4090 GPUs.
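The A5-GMR-1 and GEA-1 lineage above shares one structural trait: keystream that comes from LFSRs with weak or low-degree nonlinearity on top. The following added example (my own code, not from this post, and using a constructed register rather than any real cipher's) shows the baseline problem those designs start from, with the Berlekamp-Massey algorithm: given 2L output bits of an L-bit LFSR, the generator is recovered completely and every later bit is predicted. Real ciphers add clocking or filter functions to get away from this; the published attacks on A5-GMR-1 and GEA-1 target those specific additions and are not what is shown here.

```go
package main

import "fmt"

// LFSRStream returns n bits of a binary LFSR whose recurrence is
// s[i] = XOR of s[i-lag] over the given lags, started from seed
// (assumption: len(seed) >= the largest lag). Output bit i is register bit s[i].
func LFSRStream(lags []int, seed []uint8, n int) []uint8 {
	s := append([]uint8(nil), seed...)
	for len(s) < n {
		var bit uint8
		for _, lag := range lags {
			bit ^= s[len(s)-lag]
		}
		s = append(s, bit)
	}
	return s[:n]
}

// BerlekampMassey finds the shortest LFSR generating s over GF(2). It returns
// the linear complexity L and the connection polynomial c (c[0] = 1) such that
// s[i] = XOR_{j=1..L} c[j]*s[i-j] for every i >= L.
func BerlekampMassey(s []uint8) (int, []uint8) {
	n := len(s)
	c := make([]uint8, n+1)
	b := make([]uint8, n+1)
	c[0], b[0] = 1, 1
	L, m := 0, -1 // m: index of the last discrepancy that changed L
	for i := 0; i < n; i++ {
		d := s[i] // discrepancy between the bit the current LFSR predicts and the real one
		for j := 1; j <= L; j++ {
			d ^= c[j] & s[i-j]
		}
		if d == 0 {
			continue
		}
		t := append([]uint8(nil), c...)
		shift := i - m
		for j := 0; j+shift <= n; j++ {
			c[j+shift] ^= b[j] // c(x) += x^shift * b(x)
		}
		if 2*L <= i {
			L, m, b = i+1-L, i, t
		}
	}
	return L, c[:L+1]
}

// Extend runs the recovered recurrence forward to predict n further bits
// after the known prefix (assumption: len(known) >= L).
func Extend(L int, c []uint8, known []uint8, n int) []uint8 {
	s := append([]uint8(nil), known...)
	for i := 0; i < n; i++ {
		var bit uint8
		for j := 1; j <= L; j++ {
			bit ^= c[j] & s[len(s)-j]
		}
		s = append(s, bit)
	}
	return s[len(known):]
}

// RecoverAndPredict is the worked scenario: observe the first 'observed' bits
// of a keystream, synthesize the generator, predict the remainder. It returns
// the recovered register length and whether every predicted bit was right.
func RecoverAndPredict(keystream []uint8, observed int) (int, bool) {
	L, c := BerlekampMassey(keystream[:observed])
	predicted := Extend(L, c, keystream[:observed], len(keystream)-observed)
	for i, bit := range predicted {
		if bit != keystream[observed+i] {
			return L, false
		}
	}
	return L, true
}

// DemoLags is a constructed maximal-length 19-bit register with connection
// polynomial 1 + x^14 + x^17 + x^18 + x^19 (a textbook primitive polynomial).
var DemoLags = []int{19, 18, 17, 14}

// DemoSeed is a constructed nonzero 19-bit initial state.
var DemoSeed = []uint8{1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1}

func main() {
	ks := LFSRStream(DemoLags, DemoSeed, 256)
	observed := 2 * len(DemoSeed) // 2L bits are enough for an L-bit register
	L, ok := RecoverAndPredict(ks, observed)
	fmt.Printf("recovered register length %d from %d bits; predicted the remaining %d bits correctly: %v\n",
		L, observed, 256-observed, ok)
}
```

Feeding the output of a filtered or irregularly clocked generator into the same routine gives a much larger linear complexity, which is the property those ciphers rely on; the GEA-1 and A5-GMR-1 results show how little margin a 64-bit key and a weak filter leave once that property is only partially achieved.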
Being based on GMR-1 3G, it seems cipher-wise there is a big chance TT's communications are fairly secure. In addition, there is no reason why Tiantong could not deploy other ciphers. One such option could be utilizing the ZUC stream cipher which is an option (EEA/EIA-3) of 3GPP’s LTE specifications. This has the added benefit of being an indigenously developed algorithm which is part of the Chinese National Cryptography Standard. Of course, proper key management remains crucial and sophisticated attackers could target shared secret keys stored in SIM cards or on provider networks (as happened to Gemalto).
One risk that remains is so-called downgrade or fallback attacks. Here an active adversary forces a mobile terminal to fall back to a weaker cipher in order to subsequently break it and intercept communications. While there are plenty of commercial SIGINT solutions doing this for terrestrial cellular networks, the feasibility of such an attack on satphones is less clear.
Of course, it remains possible to layer additional encryption on top of GMR's radio interface security. In fact, these days GMR-1 based Thuraya partners with several companies to provide such solutions (hilariously enough still including the now-defunct and CIA-owned Crypto AG, notorious for delivering backdoored cryptography).
While confidentiality of communications is one aspect of concern for parties like the IRGC and Kashmiri militants, an equally pressing concern is covertness. The ability to geo-locate communications, based on anything from metadata to signal triangulation, often serves as a precursor for subsequent lethal action such as drone strikes.
In military terminology communications covertness translates to the desirable properties of Low Probability of Detection (LPD) and Low Probability of Intercept (LPI), meaning a system hides or disguises its transmissions and resists attempts to analyze signal parameters to determine whether it is a Signal of Interest (SOI). Delving into LPD/LPI schemes goes beyond the scope of this blogpost but suffice to say that commercial satphone systems do not meet their criteria. For example, a report by the European Commission’s Joint Research Centre (JRC) presents a low-cost monitoring system (which can be mounted on patrolling boats or UAVs) capable of detecting satphone terminals in the open sea.
This is something that militants are well aware of. According to leaked American diplomatic cables Joseph Kony, the Ugandan leader of the Lord’s Resistance Army, had already abandoned using Thuraya phones by 2009 out of fear of being geo-located and subsequently targeted.
In India, where unapproved satphone usage is banned, Thuraya and Iridium transmissions are regularly picked up by monitoring systems of intelligence agencies, the Indian Coast Guard, or Satish Dhawan Space Centre (SDSC), occasionally landing unsuspecting foreign sailors and oil executives alike in trouble.
Interestingly, a leaked NSA document on co-travel analytics (identifying devices with behaviors similar to a targeted one) describes a joint NSA and NGA (National Geospatial-Intelligence Agency) analytic named PACT capable of identifying co-traveling Thuraya handsets. It is quite reasonable to assume such analytics can be extended to correlate co-traveling behaviors between types of device, e.g. allowing for identifying satphones with patterns-of-life similar to those of regular cellular devices of targeted users. Under such an analytic, traveling simultaneously with one's satphone and a known cellular device would allow for easy linkage. Of course, in Tiantong's case, cellular and satphone identities are already linked through shared SIM identities. As such, truly covert usage of Tiantong smartphones would require disabling cellular capabilities at the very least.
In part 2 of this series, we will delve into general satphone SIGINT capabilities, supply chain security, and some security aspects of the latest Huawei Mate Tiantong-enabled smartphones.
For those interested in advancing their RF security skills, Midnight Blue will be delivering its Red Team SIGINT training at Black Hat Europe 2025.
This practically-oriented course, aimed at red team operators and pentesters, will teach attendees the fundamentals of RF, SDR, and SIGINT before quickly moving on to effective guidance on identifying and decoding unknown signals as well as exploiting common pitfalls in RF security.
Where other SDR trainings tend to focus on enterprise and IoT RF protocols such as 4G/5G, WiFi, RFID, and BT, this training focuses on important but rarely addressed RF technologies such as automotive, aviation, marine, and physical access control RF protocols and mission-critical radio (e.g. TETRA, DMR, P25) used by police, military, private security, and critical infrastructure.
Hands-on exercises such as intercepting and decrypting handheld radio comms and breaking automotive security systems are alternated with thorough overviews of relevant RF protocols and their security posture as well as case studies of real-world RF attacks on railways, water utilities, drones, and police/military radios.
An overview of the course can be found here.