Bug hunters on your marks: TETRA radio encryption algorithms to enter public domain
Emergency comms standard had five nasty flaws but will be opened to academic research
A set of encryption algorithms used to secure emergency radio communications will enter the public domain after an about-face by the European Telecommunications Standards Institute (ETSI).
The algorithms are used by TETRA – short for the Terrestrial Trunked Radio protocol – and they are operated by governments, law enforcement, military and emergency services organizations in Europe, the UK, and other countries.
In mid-2023, Netherlands-based security firm Midnight Blue disclosed five vulnerabilities affecting all TETRA radio networks that could allow criminals to decrypt and intercept communications in real time.
The bugs — and the secrecy of the algos themselves — sparked outrage in the security community, which pointed out that proprietary encryption algorithms mean third-party researchers couldn’t test code, making it harder to detect bugs and defend networks.
The technical committee in charge of the TETRA standard met in October to discuss making the secret algorithms public. They then voted unanimously to open source all TETRA Air Interface cryptographic algorithms.
"The meeting was very well attended and had a wide spread of the TETRA community including operators, users, manufacturers and governments," ETSI committee chairman Brian Murgatroyd is quoted as saying in a statement. "Following publication of the algorithms, we are open to academic research for independent reviews."
The standards org hasn’t set a date for making the algorithms accessible, ETSI spokesperson Claire Boyer told The Register.
- Europe mulls open sourcing TETRA emergency services' encryption algorithms
- TETRA radio comms used by emergency heroes easily cracked, say experts
- Inside Denmark's hell week as critical infrastructure orgs faced cyberattacks
- Royal Mail cybersecurity still a bit of a mess, infosec bods claim
TETRA includes an original set of Air Interface cryptographic algorithms: TEA 1, 2, 3, and 4. Some of these were disclosed by the Midnight Blue research team, which found the five vulnerabilities and released technical details of the flaws at the annual Black Hat and DEF CON security conferences in August 2023.
The researchers said they waited a year and a half to disclose details — instead of the standard six-month wait — due to the sensitive nature of the networks and the complexity of fixes for the flaws, which were named TETRA:BURST.
In 2022 ETSI added three new and supposedly quantum-proof algorithms to the TETRA family, dubbed TEA 5, 6, and 7. The algos are intended to address the threat that, in the worryingly near future, quantum computers will be able to break existing encryption schemes, thus rendering data and comms protected by legacy encryption insecure.
According to ETSI, this entire set of new and old algorithms will enter the public domain, along with TAA1 (the original authentication and key management specification) and TAA2 (the new authentication and key management specification). ®