TETRA radio comms used by emergency heroes easily cracked, say experts
If it looks like a backdoor, walks like a backdoor, maybe it's ... export control
Updated Midnight Blue, a security firm based in the Netherlands, has found five vulnerabilities that affect Terrestrial Trunked Radio (TETRA), used in Europe, the United Kingdom, and many other countries by government agencies, law enforcement, and emergency services organizations.
The flaws, dubbed TETRA:BURST, are said to affect all TETRA radio networks. They potentially allow an attacker to decrypt communications in real-time or after the fact, to inject messages, to deanonymize users, or to set the session key to zero for uplink interception.
Two of the flaws are characterized as critical. The first (CVE-2022-24401) is an oracle decryption attack that can be used to reveal text, voice, or data communication. It is made possible by the Air Interface Encryption (AIE) keystream generator's reliance on network time, which is broadcast publicly and without encryption.
The second (CVE-2022-24402) is an engineering weakness – the TEA1 encryption algorithm, according to the researchers, "has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes."
The Midnight Blue team contends the backdoor, as they put it, follows from deliberate algorithm design decisions. Presumably this was done to allow the export of the encryption technology: sometimes, under various rules and regulations, security has to be weakened to allow it to ship.
"The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakening," the researchers state in their disclosure. "While the cipher itself does not seem to be a terribly weak design, there is a computational step which serves no other purpose than to reduce the key's effective entropy."
The security pros explain that the use of secret, proprietary cryptography has been a common theme in previously identified flaws affecting GSM (A5/1, A5/2), GMR (GMR-1), GPRS (GEA-1), DMR ('Basic' and 'Enhanced' encryption), and P25 (ADP) – used in North America. These issues follow largely from export control practices that insist on weak encryption, they suggest.
"Despite being widely used and relying on secret cryptography, TETRA had never been subjected to in-depth public security research in its 20+ year history as a result of this secrecy," Midnight Blue explained in its disclosure.
"In order to shed light on this important piece of technology, Midnight Blue was granted funding by the non-profit NLnet foundation as part of its European Commission supported NGI0 PET fund. Midnight Blue managed to reverse-engineer and publicly analyze the TAA1 and TEA algorithms for the first time, and as a result discovered the TETRA:BURST vulnerabilities."
The European Telecommunications Standards Institute (ETSI), which oversees the TETRA specification, did not immediately respond to a request for comment.
The three less-than-critical vulnerabilities consist of: CVE-2022-24404, a high-severity vulnerability arising from the lack of ciphertext authentication on the AIE, which enables a malleability attack; CVE-2022-24403, a high-severity vulnerability that allows radio identities to be identified and tracked due to weak cryptographic design; and CVE-2022-24400, a low-severity vulnerability that allows confidentiality to be partially compromised through a flawed authentication algorithm that permits the Derived Cipher Key (DCK) to be set to 0.
Technical details of the flaws are due to be released on August 9, 2023, at the Black Hat security conference in Las Vegas, and at Usenix Security and DEF CON. Midnight Blue said it waited one and a half years to disclose details, rather than the usual six months for hardware and embedded systems, due to the sensitivity of the matter and the complexity of remediation.
The primary concern, they say, for law enforcement and military users of TETRA networks is the possibility that messages will be intercepted or manipulated. That's also a potential problem for critical infrastructure operators: the communication services of private security firms could be manipulated, or data traffic could be injected that affects the monitoring and control of industrial equipment, such as railway switches or electrical substation circuit breakers.
Patches are available for some of the vulnerabilities.
Updated to add
In a statement, ETSI said it adheres to export control regulations, and that any weaknesses in the security of TETRA would be due to that rather than a deliberate backdooring of the technology.
“The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption,” the organization said.
“These regulations apply to all available encryption technologies. As the designer of the TETRA security algorithms, ETSI does not consider that this constitutes a ‘backdoor.’”
ETSI said it welcomed research efforts to strengthen standards, that software patches were issued last October to fix any issues, and that it’s not aware of any active exploitation of operational networks.