Zero-Day Vulnerabilities Detected in Global Emergency Services Communications Protocol

A recent discovery by researchers from Midnight Blue Labs has revealed critical vulnerabilities in the Terrestrial Trunked Radio (TETRA) protocol, which is widely used by emergency services and some industrial sectors. These vulnerabilities could potentially allow adversaries to spy on or manipulate radio transmissions.

TETRA is a radio voice and data standard that provides key management, voice encryption, and data encryption for secure communications. The researchers found five vulnerabilities in TETRA, two of them rated critical, collectively dubbed “TETRA:BURST.” They plan to present their findings at the upcoming Black Hat USA conference.

The vulnerabilities found in TETRA could enable real-time or delayed decryption, message injection, user deanonymization, or session key pinning attacks. This means that high-end adversaries could potentially listen in on police and military communications, track their movements, or manipulate critical infrastructure network communications carried over TETRA.

In a demonstration of one vulnerability, the researchers showed that an attacker can target the radio to which an encrypted message is being sent and recover the keystream used to protect it. Because TETRA air-interface encryption is a stream cipher (ciphertext is plaintext XORed with keystream), keystream recovered from one frame decrypts any other frame protected by the same keystream and lets the attacker inject frames of their own, which is what the decryption and message-injection attacks listed above amount to.

Another vulnerability discovered by the researchers is a backdoor in the TETRA Encryption Algorithm TEA1, affecting every network that relies on TEA1 to protect its traffic. TEA1 nominally takes an 80-bit key, but the cipher internally reduces it to only 32 bits of effective key, so an attacker can recover the key by exhaustive search and then listen in on communications undetected.

According to Midnight Blue founding partner Wouter Bokslag, this weakening means an attacker has to search only 2^32 (about 4.3 billion) candidate keys rather than 2^80, which is practical with inexpensive hardware such as a $10 USB dongle and a standard laptop, after which all traffic on the network can be decrypted. Because many networks never change the key, a single recovered key gives the attacker permanent access to communications.
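The two mechanisms described in the preceding paragraphs, keystream recovery from a frame with known plaintext and exhaustive search over a reduced key space, are generic stream-cipher failure modes, so they can be shown in a toy model. The Python below is an added illustration, not code from the article or from Midnight Blue, and not TETRA's real cipher: the TEA algorithms are proprietary, so a SHA-256-based keystream generator stands in for them, and the key-reduction step, frame IV, key bytes and message texts are all constructed for the example. The brute-force demonstration runs over a 16-bit toy key space so it finishes quickly; the work-factor helper shows how the same loop scales to 32 and 80 bits.

```python
"""Toy model of two TETRA:BURST failure modes (constructed illustration,
not TETRA's real cipher: the TEA algorithms are proprietary)."""
import hashlib

KEY_BITS = 80        # nominal TEA1 key length
EFFECTIVE_BITS = 32  # key entropy reported to survive TEA1's reduction step


def reduce_key(key80: bytes, effective_bits: int = EFFECTIVE_BITS) -> bytes:
    """Model of a key-reduction step: only `effective_bits` bits of the
    80-bit key's entropy reach the keystream generator (toy construction)."""
    if len(key80) * 8 != KEY_BITS:
        raise ValueError("expected an 80-bit key")
    nbytes = (effective_bits + 7) // 8
    value = int.from_bytes(hashlib.sha256(b"reduce" + key80).digest()[:nbytes], "big")
    value &= (1 << effective_bits) - 1          # keep exactly effective_bits bits
    return value.to_bytes(nbytes, "big")


def keystream(effective_key: bytes, frame_iv: int, length: int) -> bytes:
    """Toy stream-cipher keystream for one frame: depends only on the reduced
    key and the frame's IV, expanded block by block with a counter."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(
            effective_key + frame_iv.to_bytes(4, "big") + block.to_bytes(2, "big")
        ).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key80: bytes, frame_iv: int, plaintext: bytes,
                  effective_bits: int = EFFECTIVE_BITS) -> bytes:
    """Air-interface style encryption: plaintext XOR keystream. Decryption is
    the same operation, so decrypt_frame is an alias."""
    ks = keystream(reduce_key(key80, effective_bits), frame_iv, len(plaintext))
    return xor_bytes(plaintext, ks)


decrypt_frame = encrypt_frame


# 1. Keystream recovery: one frame with known plaintext yields the keystream,
#    which then decrypts or forges any other frame protected by that keystream.
def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_with_keystream(ciphertext: bytes, ks: bytes) -> bytes:
    if len(ciphertext) > len(ks):
        raise ValueError("recovered keystream is shorter than the target frame")
    return xor_bytes(ciphertext, ks)


def forge_with_keystream(plaintext: bytes, ks: bytes) -> bytes:
    """Message injection: a receiver holding the key decrypts this to `plaintext`."""
    if len(plaintext) > len(ks):
        raise ValueError("recovered keystream is shorter than the forged frame")
    return xor_bytes(plaintext, ks)


# 2. Exhaustive search over the reduced key space: the attacker never needs the
#    80-bit key, only the effective key, so the search costs 2**effective_bits.
def brute_force_effective_key(ciphertext: bytes, known_plaintext: bytes,
                              frame_iv: int, effective_bits: int):
    nbytes = (effective_bits + 7) // 8
    for candidate in range(1 << effective_bits):
        ek = candidate.to_bytes(nbytes, "big")
        if xor_bytes(ciphertext, keystream(ek, frame_iv, len(ciphertext))) == known_plaintext:
            return ek
    return None


def search_seconds(effective_bits: int, keys_per_second: float) -> float:
    """Worst-case exhaustive-search time for a key space of 2**effective_bits."""
    return (1 << effective_bits) / keys_per_second


if __name__ == "__main__":
    key80 = bytes.fromhex("00112233445566778899")   # constructed 80-bit key
    iv = 0x5EC0DE                                    # constructed frame IV
    p1 = b"DISPATCH: unit 7, hold position at gate 3"  # constructed known plaintext
    ks = recover_keystream(encrypt_frame(key80, iv, p1), p1)
    c2 = encrypt_frame(key80, iv, b"DISPATCH: unit 7, proceed to gate 3")
    print(decrypt_with_keystream(c2, ks))            # decrypted without the key
    forged = forge_with_keystream(b"DISPATCH: unit 7, stand down now", ks)
    print(decrypt_frame(key80, iv, forged))          # receiver accepts the injected frame
    c_small = encrypt_frame(key80, iv, p1, effective_bits=16)   # 16-bit toy search space
    print(brute_force_effective_key(c_small, p1, iv, 16) == reduce_key(key80, 16))
    print(search_seconds(32, 1e6) / 3600, "hours for 2**32 keys at 1e6 keys/s")
    print(search_seconds(80, 1e6) / (3600 * 24 * 365), "years for 2**80 keys at 1e6 keys/s")
```

The toy makes the two points of the article concrete: a stream cipher gives away its keystream to anyone who knows one frame's plaintext, and that keystream is enough both to read and to forge other frames; and a cipher whose 80-bit key collapses to 32 effective bits is searched in hours on a single core at a million keys per second, whereas the full 80-bit space would take longer than the age of the universe at the same rate.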

The researchers’ goal in disclosing these vulnerabilities was to open up TETRA for public review, perform a risk analysis, and resolve the identified issues to ensure a level playing field. They also aimed to gain a better understanding of TETRA security and promote the use of open cryptography.

TETRA, first published in 1995 by the European Telecommunications Standards Institute (ETSI), is one of the most widely used professional mobile radio standards, particularly in law enforcement. However, its security relies on secret, proprietary cryptographic algorithms that are only shared under strict nondisclosure agreements with a limited number of parties.

The researchers also found TETRA referenced in the 2013 Edward Snowden leaks, in connection with the interception of TETRA communications, which further underlines the need to address the protocol's weaknesses.

Some of the vulnerabilities can be resolved through firmware updates. Others, such as CVE-2022-24402 (the TEA1 weakness), are inherent to the TETRA standard itself, so no firmware update to a standards-compliant implementation can remove them. Bokslag suggests layering end-to-end encryption over TEA1 as a remedy, but notes that it would be costly and labor-intensive to deploy.

These vulnerabilities in TETRA impact users in over 100 countries and various sectors of industry, including law enforcement, military, and intelligence services. The researchers have been collaborating with manufacturers and network operators to help address these issues as much as possible.

Bokslag emphasizes that this is the first public in-depth security analysis of TETRA in its almost 30-year existence. It underscores the need for transparency and collaboration in addressing vulnerabilities and improving the security of critical communication systems.

Manufacturers have developed patches for the vulnerabilities that firmware can address, and Midnight Blue recommends that TEA1 users migrate to another TETRA Encryption Algorithm cipher. Vendors and operators are still working out those migration paths to strengthen the security of TETRA communications.
