TETRA Radio For Critical Comms Is Vulnerable, Researchers Show
Security consultancy Midnight Blue has found five vulnerabilities in TETRA, a radio standard used worldwide for critical communications such as emergency response, industrial equipment, military comms, transport and critical infrastructure. The collection of vulnerabilities, named TETRA:BURST, allows for real-time decryption, message injection, and user deanonymization. During a 1.5-year responsible disclosure process, mitigation measures have been shared with the relevant stakeholders. They will be made public on August 9, 2023, when the embargo is lifted. The research was funded through the NGI0 PET programme.
No security by obscurity
TETRA, or Terrestrial Trunked Radio, was standardised in 1995 by the European Telecommunications Standards Institute. Despite its critical function, widespread deployment (over 100 countries) and its age, it had never been subjected to public security research until Midnight Blue stepped up. TETRA security relies on a set of secret, proprietary cryptographic algorithms. This is not good practice, according to the three Midnight Blue researchers Jos Wetzels, Carlo Meijer and Wouter Bokslag. Rather than relying on secrecy, it is better to have open systems which can be prodded and tested by security experts.
Old garbage
Bart Jacobs, Professor of Security, Privacy and Identity at Radboud University Nijmegen, also advocates for open systems. In an interview with journalist Daniël Verlaan for the Dutch news program RTL Nieuws, he said: "TETRA is, to say it plainly, old garbage that has been used for much too long. That is unacceptable behavior. Not only of vendors who sell these types of systems but also of those who deploy it like the government and big companies. They should have been more critical and just buy open systems instead of these kinds of secret systems."
Backdoor
The researchers were able to reverse-engineer the algorithms. Of the TETRA:BURST vulnerabilities they found, two are critical, one of which is a backdoor purposefully built in. The backdoor reduces the original, strong 80-bit key to a 32-bit key. The researchers demonstrate the use of the backdoor in a video: it takes them about a minute to crack the key using an ordinary laptop. Once the key is cracked, they can not only intercept all radio traffic but also communicate on the network. Since TETRA is also used for machine-to-machine communication in industrial settings, this could be exploited to send harmful commands to machines. The backdoor is found in one specific algorithm that was intended for commercial use and restricted-export scenarios.
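To make the "80-bit key reduced to 32 bits" point concrete, the following added example (written for this page, not Midnight Blue's code and not the real TETRA algorithm, which the article does not name) models a key schedule that derives all cipher state from only a few bits of the supplied key. The cipher, the key-compression step and the sample traffic are all constructed stand-ins: a hash-based toy keystream generator keyed by the reduced value. The point it demonstrates is that the attacker never needs the 80-bit key at all; an exhaustive search over the reduced space, checked against a short known-plaintext crib, yields an equivalent key that decrypts everything. The demo runs with a 16-bit reduced space so it finishes in well under a second; `search_cost_seconds` extrapolates the same search to 32 and 80 bits.

```python
import hashlib
import os

KEY_BYTES = 10  # 80-bit key, as in the article


def reduce_key(key80: bytes, effective_bits: int) -> int:
    """Hypothetical key-compression step (constructed, not TETRA's real schedule).

    Every cipher state is derived from a hash of the key truncated to
    `effective_bits` bits, so many distinct 80-bit keys collapse onto the
    same reduced value and the reduced value alone determines the keystream.
    """
    if len(key80) != KEY_BYTES:
        raise ValueError("expected an 80-bit key")
    digest = hashlib.sha256(key80).digest()
    return int.from_bytes(digest, "big") & ((1 << effective_bits) - 1)


def keystream(effective_key: int, length: int) -> bytes:
    """Toy keystream generator (constructed); keyed only by the reduced key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(
            effective_key.to_bytes(8, "big") + counter.to_bytes(4, "big")
        ).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key80: bytes, plaintext: bytes, effective_bits: int) -> bytes:
    """XOR stream encryption under the reduced key derived from key80."""
    ks = keystream(reduce_key(key80, effective_bits), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_with_effective_key(effective_key: int, ciphertext: bytes) -> bytes:
    """Decryption needs only the reduced key, never the original 80 bits."""
    ks = keystream(effective_key, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def recover_effective_key(crib: bytes, ciphertext_prefix: bytes, effective_bits: int):
    """Exhaustive search over the reduced key space using a known-plaintext crib.

    Returns the first candidate whose keystream matches the crib, or None.
    With an 8-byte crib the false-match rate is about 2^effective_bits / 2^64,
    negligible for the sizes used here.
    """
    target = bytes(p ^ c for p, c in zip(crib, ciphertext_prefix))
    for candidate in range(1 << effective_bits):
        if keystream(candidate, len(target)) == target:
            return candidate
    return None


def search_cost_seconds(bits: int, candidates_per_second: float) -> float:
    """Worst-case time to enumerate a key space of the given size."""
    return (2 ** bits) / candidates_per_second


def demo(effective_bits: int = 16) -> dict:
    """Run the full scenario at a demo-sized reduced key space and return the results."""
    # Constructed sample traffic: a radio message whose header is predictable.
    key80 = os.urandom(KEY_BYTES)
    message = b"UNIT-07 STATUS: en route to sector 4"
    ciphertext = encrypt(key80, message, effective_bits)
    crib = message[:8]  # attacker guesses only the predictable header
    found = recover_effective_key(crib, ciphertext[:8], effective_bits)
    recovered = decrypt_with_effective_key(found, ciphertext) if found is not None else None
    return {
        "true_effective_key": reduce_key(key80, effective_bits),
        "found_effective_key": found,
        "recovered_message": recovered,
        "original_message": message,
    }


if __name__ == "__main__":
    result = demo()
    print("found key matches:", result["found_effective_key"] == result["true_effective_key"])
    print("decrypted:", result["recovered_message"].decode())
    rate = 2 ** 26  # assumed candidates/second for an ordinary laptop; illustrative only
    for bits in (32, 80):
        print(f"{bits}-bit search at 2^26/s: {search_cost_seconds(bits, rate):.3g} s")
```

The candidate rate is an assumption chosen for illustration; whatever the real rate, the ratio between the two searches is 2^48, which is why a 32-bit reduced space falls in about a minute on a laptop while the full 80-bit space would not fall in any practical time.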
Disclosure process
Midnight Blue first reported TETRA:BURST to the Dutch National Cyber Security Centre (NCSC) in December 2021. The coordinated vulnerability disclosure process took 1.5 years, much longer than the six months the NCSC's guidelines stipulate. This was the result of the critical functions of the TETRA system, the complexity of addressing the vulnerabilities, and the difficulty of tracking down TETRA's many vendors and users. The mitigation measures consist of patches in some cases and extra security measures in others. They have been shared with the relevant stakeholders by way of the NCSC. They are described on the Midnight Blue webpage, and further technical details will be released when the embargo is lifted on August 9, 2023. The researchers will present their work at conferences such as Black Hat USA, DEF CON and Chaos Communication Camp. The full list of tour dates and much more information on TETRA:BURST is on the Midnight Blue webpage linked above.
Funding
Midnight Blue's research was funded under the project name RE:TETRA through the NGI0 PET fund. The PET, or Privacy & Trust Enhancing Technologies, fund was established by NLnet.nl with financial support from the European Commission's Next Generation Internet programme.
Do you also have an open source project that needs funding? You can apply for one of the theme funds of NLnet.
Image: TETRA Transceiver station by Wilbert van de Kolk via Wikipedia. Public domain.