
TETRA Zero-Day Vulnerabilities Pose Threat to Industrial Communications


A group of researchers has uncovered multiple zero-day vulnerabilities in the TETRA communications protocol, which is used to power industrial control systems globally. The vulnerabilities were found in a Motorola base station and system chip, both of which are essential for running and decrypting the TETRA communications algorithm. These vulnerabilities could potentially expose sensitive information.

TETRA, or Terrestrial Trunked Radio, is a global standard for encrypted two-way communications that was developed by public safety experts under the European Telecommunications Standards Institute (ETSI). It is widely used by utility companies, rail and metro operators, power stations, oil refineries, and chemical plants, as well as by public safety organizations.

The research, conducted by Midnight Blue, revealed that the base station has a trusted execution environment (TEE) that is intended to protect the cryptographic primitives and keys from exfiltration. However, the researchers were able to perform a side-channel attack on the TEE, allowing them to decrypt the module and obtain an AES key that could be used to further decrypt communications.

Wouter Bokslag, a founding partner at Midnight Blue, explained that their team did not break the TETRA algorithm itself, but rather extracted the decryption key, demonstrating how keys can be extracted. This discovery led to the identification of four zero-day vulnerabilities, two of which are considered critical or of high severity, specific to a Motorola MTM5400.

One of the vulnerabilities, CVE-2022-26941, is a format string vulnerability in the AT+CTGL command handler that allows arbitrary code execution with root privileges. Another vulnerability, CVE-2022-26943, is a weak random number generator (RNG) that enables attackers to exploit the DCK pinning vulnerability against these radios. The other two vulnerabilities, CVE-2022-26942 and CVE-2022-27813, allow attackers to achieve arbitrary code execution and arbitrary lateral movement, respectively.
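As an added illustration of the bug class behind CVE-2022-26941 (it is not code from the article, from Midnight Blue, or from any vendor firmware): a constructed C toy in which a command handler logs an AT command string. The handler names, the log buffer and the sample command text are assumptions made for the example. The vulnerable version hands untrusted text to `snprintf` as the format string, so conversion specifiers in the input are interpreted; the hardened version uses a literal format and treats the command as data only.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy handler; names are hypothetical, not Motorola code. */

/* VULNERABLE pattern: the untrusted command text *is* the format string,
 * so "%x", "%n" and friends inside it are interpreted by snprintf. */
int log_command_vulnerable(const char *cmd, char *out, size_t outlen)
{
    return snprintf(out, outlen, cmd);
}

/* HARDENED pattern: the format is a literal and cmd is passed as an
 * argument to "%s", so it is copied verbatim and never interpreted. */
int log_command_hardened(const char *cmd, char *out, size_t outlen)
{
    return snprintf(out, outlen, "AT command received: %s", cmd);
}

/* Defensive check for code review or logging policy: flags input that
 * carries a conversion character, which must never reach a format slot. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[64];
    const char *probe = "+CTGL?%x%x";   /* constructed sample input */

    log_command_hardened(probe, buf, sizeof buf);
    printf("hardened: %s\n", buf);      /* the %x sequences survive as text */
    printf("directive present: %d\n", contains_format_directive(probe));
    return 0;
}
```

Compiling with `-Wformat-security` (or `-Wformat=2`) makes the compiler flag the vulnerable pattern, which is a cheap check to add to any firmware build that parses externally supplied commands.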

Bokslag emphasized that these vulnerabilities could also be exploited by attackers with physical access to a Motorola radio. After extracting sensitive key material, attackers could listen in to the TETRA network undetected until the next key change. This type of attack is less involved than previous attacks on the TETRA protocol, but it does require brief physical access.

The researchers also discovered three critical zero-day vulnerabilities in the OMAP-L138 system-on-chip used in the Motorola radio. These vulnerabilities include a timing side-channel attack, a stack overflow, and a flawed RSA authenticity check. Bokslag noted that these vulnerabilities are unpatchable since the affected routines are implemented in mask ROM.

To further demonstrate the security flaws, Midnight Blue instrumented a TETRA base station to create an attack platform. This enabled them to discover five additional zero-day vulnerabilities in the Motorola MBTS TETRA base station, three of which are rated as high severity. These vulnerabilities include hardcoded backdoor passwords, failure to check firmware authenticity, and a debug prompt that can be unlocked through triggering unhandled exceptions.

Bokslag highlighted that the issues found in the Motorola MBTS, as well as investigations of TETRA equipment from other vendors, reveal an ecosystem of equipment that significantly lags behind standard security practices. He stressed that this is not solely a Motorola problem but an industrywide issue. Despite the critical nature of the communications handled by this infrastructure, security does not appear to be a top priority in its design and engineering.

The researchers will be sharing full details of their findings at the Black Hat USA conference. Their research serves as a wake-up call to the industry, emphasizing the need for robust security measures to protect industrial control systems and critical communications infrastructure.
