Russia’s military-secure ERA cryptophone system has failed in the Ukraine war, raising crucial questions about why Moscow committed to a system that was so badly flawed from the start.
Cell phones have played an outsized role in the Ukraine war. In particular, they have been used to geolocate sensitive military sites, giving the Ukrainians the ability to target Russian ships, ammunition depots, troop clusters and weapon locations.
A phone-derived “heat map” of “Russian phones” has recently revealed mass troop locations and movements. Ukraine has tapped Russian phone calls from the battlefield revealing information on the location of Russian officers, including generals. In one case, a Russian general’s conversation on a cell phone resulted in his killing, according to reports.
Ukraine claims it has set up a special unit to track Russian military leaders and, wherever possible, to liquidate them. More than 40 senior Russian officers have been killed so far in the war, including at least 12 generals.
The US reportedly is helping Ukraine target Russian officers, meaning that the powerful NSA, CIA and military intelligence organizations are supplying the Ukrainians with near real-time intelligence.
Theoretically, Russian troops are not supposed to be using unsecured cellular phones. Yet that rule seems to be flouted, and it is undermined by Russia’s encrypted ERA phone system.
ERA is actually an adapted ruggedized cellular phone based on the Russian-made MIG C55V smartphone, which was developed for Russia’s intelligence agencies. Technically, the C55V has an 8-core Qualcomm processor, a 5.5-inch display with a resolution of 1280 x 720 pixels and a shock-resistant covering.
Its operating system runs on Android’s 7.1 version, which is widely known for its massive security shortcomings. Unlike regular cellular phones that have both analog and digital channels, it appears the MIG C55V uses the data channel for voice communications – like commercial apps such as WhatsApp and Signal, both of which claim to be secure.
However, the C55V itself is not encrypted. (Whether the normal voice channel is usable or disabled isn’t clear.)
However, the Russian military version of the ERA phone is encrypted but is also capable of non-encrypted communications. It is assumed that the normal voice channel isn’t operational, which means that the control center can see all calls incoming and outgoing.
Encryption that is implemented on cellular phones can be done purely with software, firmware or encryption chips mounted in the phone. Moreover, encryption can be based on either symmetrical or public key algorithms.
The ERA phone, therefore, is capable of both non-encrypted digital voice communications and encrypted voice calls over the same digital channel. It is unlikely the ERA system would be permitted to encrypt on the fly in direct calls as this would undermine Federal Security Bureau (FSB) control of military and political operations.
An ERA phone probably “talks” to a Russian control center, which then passes the call to the intended recipient. This means that an encrypted call would be decrypted in the control center and then connected to the receiving party, either in encrypted or non-secure format.
For example, in a secure landline, the call would be forwarded by the control center to the secure landline possibly using a different encryption, although when the process is reversed the control center would change the encryption back to the secure cell phone.
The ERA system is highly risky because it tries to combine non-encrypted and encrypted communications and requires a control center (probably in Moscow) to handle all ERA traffic. (Encrypted apps like Signal and WhatsApp also use a control center connected via the Internet.)
If the call is in any way disrupted, even by the slightest amount, it will fail as the synchronization would stop. This would hand an adversary, such as the Ukrainians, a significant advantage.
Selective data jamming hitting only encrypted calls would force the Russian military user to go to an unencrypted channel. When operating on Ukrainian territory, the Russians would then need to use Ukraine’s cellular network, which is fully under the command of Ukrainian intelligence.
There have been numerous press reports that supposedly secure Russian cellular phones failed because they depend on 3G and 4G data channels. In Kharkiv, for example, the Russians reportedly destroyed many of the 3G and 4G cell towers and so could not use their phones.
This may be intentional disinformation. To begin with, there is a great amount of cellular data traffic in the war zone, undermining the case that the Russians blew up cellular towers on purpose. Moreover, it is widely reported that many Russian soldiers are stealing Ukrainian cell phones and using them to call home. This suggests the cell towers are operating.
Furthermore, Ukrainians are using cellular features such as the Apple “Find My iPhone” app, which can help to locate stolen phones but only works if the phones have access to cell towers.
It is also reported that the Russians are using StingRay systems, a US phone tracking system and International Mobile Subscriber Identity (IMSI) catcher made by the US L3-Harris Corporation. The Russian StingRays are unlikely to be from the US, though they could be a Russian clone or even more likely a Chinese copy.
Using StingRay-type devices suggests that the cell phone systems and their towers are operating. StingRay pretends to be a cell tower and mobile phones close to a StingRay will automatically select and use the StingRay to relay calls instead of a commercial cell tower, which may be farther off. Cell phones automatically pick up the nearest strong signal.
Along with StingRays, the Russians are also using a specialized type of drone that intercepts cellular phone calls. The system is known as Leer-3 and it does essentially what a StingRay does, except it is airborne and can move over enemy formations or government command centers and offices. The Leer-3 system is installed on three Orlan-10 drones (providing triangulation), which are controlled by a control post in a KamAZ-5350 truck.
The system can either intercept or jam wireless systems in a range of about three miles from the drone’s location. The Leer-3 can collect telephone numbers and call these numbers while blocking other people’s signals. The Leer-3 was originally fielded in 2015 and has since probably been upgraded as 4G became more widely available in Russia and nearby countries.
The Russians also have highly effective jamming systems such as the Krasukha-4 (Belladonna), which can jam GPS (and was used near the tail end of the Nagorno-Karabakh war to try and stop Turkish Bayraktar drones) and probably cellular phones. It is a large system and has been used in Syria to target US surveillance drones. Parts of a Krasukha-4 system were recently found near Kiev.
Ukraine has come up with directives for its soldiers on cell phone use. Troops are directed:
1. Leave your own SIM card at home.
2. The best place to obtain a SIM card is in the zone of conflict itself.
3. If you plan to make a phone call, do it at least 400-500 meters from squad positions.
4. Don’t walk away alone, take an armed friend with you for cover.
5. The best place to make a phone call is in locations with a lot of civilians, preferably in recently liberated towns.
6. Always keep your phone off. Your life depends on it. Grad missiles will hit your whole squad.
7. Do not accept refill codes or cards from the locals. The young woman that brings you a refill card from the neighbouring village may be working for the enemy. Right now FSB and SBU [Ukrainian security services] have to process enormous amounts of data to identify the mobile phones of our own people and of the enemy. Do not make their job easier.
8. Watch over your comrades – a friend calls his girlfriend and an hour or so later your position gets shelled or attacked.
9. Remember, the enemy could be listening to your conversations regardless of which SIM card or which telecom operator you are using.
If Russia made a major mistake, it was probably in using the ERA system in battlefield deployment. It is inadvisable to combine secure and non-secure communications on one platform.
Likewise, it is inadvisable to use cellular phones for any communications in a war because they all have SIM cards and can be located even when they are physically turned off – most phones keep broadcasting a low-level signal even when they are off to satisfy national requirements for geo-location.
It is also the case that using enemy cell phone networks is a non-starter, something one would have expected Russia to understand. Similarly, it is inadvisable to send encrypted messages to a remote command post, as ERA appears to do, as it makes it trivial to intercept them or block all calls.
What is surprising and almost inexplicable is that Russians trusted their military communications to a cellular system (even with encryption) and to insecure cellular phones and foreign-owned networks.
Perhaps the Russians saw using inexpensive commercial components living off a foreign cellular phone network as a cheap solution. They were dead wrong.
Follow Stephen Bryen on Twitter at @stevebryen