The European Telecommunications Standards Institute (ETSI) is responding to claims of significant vulnerabilities in its Terrestrial Trunked Radio (TETRA) standard by asserting that work was already underway to enhance the standard before researchers disclosed the vulnerabilities. In a statement, ETSI emphasized that it has an ongoing maintenance program to ensure that its standards remain robust and secure in an ever-evolving security landscape.
ETSI released revised standards for TETRA in October 2022, recognizing the need to adapt to technological innovations and potential cybersecurity attacks, including those from quantum computers. The organization’s technical committee, TCCE, completed work on new algorithms to secure TETRA networks. Two new specifications, ETSI TS 100 392-7 and ETSI TS 100 396-6, were developed by TCCE in collaboration with experts from ETSI’s quantum safe cryptography group.
However, researchers from Midnight Blue recently disclosed a series of backdoor vulnerabilities in TETRA. These vulnerabilities allow for the interception and monitoring of communications by reducing 80-bit keys to a more breakable 32 bits. The researchers plan to discuss their findings in greater detail at the upcoming Black Hat USA conference.
Wouter Bokslag, founding partner of Midnight Blue, believes that the term “backdoor” is justified in relation to the vulnerabilities identified in TETRA. He argues that intentional weakening without public disclosure meets the definition of a backdoor. ETSI, on the other hand, disputes this claim and argues that the vulnerabilities do not constitute a backdoor. According to ETSI, the weakness in the TEA1 algorithm, which is affected by the vulnerabilities, is not covertly weakened as it has been subject to export control regulations. Nonetheless, Bokslag rejects this position, asserting that TEA1, like its counterparts, uses 80-bit keys and has not been advertised as providing weaker security guarantees.
Bokslag further adds that ETSI may not be aware of any exploitations in the wild unless customers report anomalies in their network traffic. He states that the fact that ETSI does not know of any specific cases of exploit does not negate the possibility of passive interception and decryption of TEA1. ETSI, however, commends the researchers for their assessment of the overall strength of the TETRA standard and notes that no weaknesses were found in the TEA2 and TEA3 algorithms after extensive analysis.
While ETSI acknowledges that there are areas for improvement in the TETRA protocol and weaknesses in the TEA1 algorithm, it asserts that the revised standards released in October 2022 mitigate the potential discovery of the identities of mobile radio terminals using TEA versions 5, 6, and 7.
ETSI and the TCCA (TCCA) stated that they are currently unaware of any exploitations on operational networks, and they continue to invest in and develop the TETRA standard to ensure its safety and resilience for public safety, critical infrastructure, and enterprise organizations that depend on it.
In conclusion, ETSI is addressing the claims of vulnerabilities in its TETRA standard by emphasizing its ongoing work to enhance the standard and its commitment to the security of its standards in an evolving landscape. While researchers have disclosed backdoor vulnerabilities, ETSI disputes the characterization of these vulnerabilities as backdoors and highlights the measures taken to mitigate potential risks. ETSI and TCCA assure the public that they are unaware of any exploitations on operational networks and remain dedicated to the safety and reliability of the TETRA standard for the organizations that rely on it.