Introduction
The Terrestrial Trunked Radio (TETRA), a communication system extensively utilized by government agencies, law enforcement, and emergency services organizations across Europe, the United Kingdom, and numerous other countries, has been found to harbor five significant vulnerabilities. These vulnerabilities, collectively referred to as TETRA:BURST, were unearthed by Midnight Blue, a Netherlands-based security firm.
The Vulnerabilities
The TETRA:BURST vulnerabilities potentially enable an attacker to decrypt communications in real-time or retrospectively, inject messages, deanonymize users, or set the session key to zero for uplink interception. Two of these vulnerabilities are characterized as critical.
The first critical vulnerability (CVE-2022-24401) is an oracle decryption attack that can expose text, voice, or data communication. This vulnerability stems from the Air Interface Encryption (AIE) keystream generator’s dependence on network time, which is broadcast publicly and without encryption.
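Why a keystream that depends on an unauthenticated time value is a problem, shown as an added example that is not from the original article or from Midnight Blue. The generator is a toy built on HMAC-SHA256, not a TETRA algorithm, and `sign_time`/`TimeGuard` are a hypothetical hardening, not the vendors' patch; keys and messages are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, net_time: int, n: int) -> bytes:
    """Toy generator (HMAC-SHA256 in counter mode), NOT a TETRA algorithm.
    As in the design described above, output depends only on key and time."""
    out, ctr = b"", 0
    while len(out) < n:
        block = net_time.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, net_time: int, data: bytes) -> bytes:
    return xor(data, keystream(key, net_time, len(data)))

def sign_time(auth_key: bytes, net_time: int) -> bytes:
    """Hypothetical: the network authenticates the time it broadcasts."""
    return hmac.new(auth_key, net_time.to_bytes(8, "big"), hashlib.sha256).digest()

class TimeGuard:
    """Hypothetical receiver check: the time must verify and must advance."""
    def __init__(self, auth_key: bytes):
        self.auth_key, self.last = auth_key, -1

    def accept(self, net_time: int, tag: bytes) -> bool:
        if not hmac.compare_digest(sign_time(self.auth_key, net_time), tag):
            return False          # forged or altered time value
        if net_time <= self.last:
            return False          # replayed time would repeat the keystream
        self.last = net_time
        return True

# Constructed sample data (not real traffic).
KEY = bytes(range(10))            # 80-bit traffic key
P1 = b"UNIT 12 PROCEED TO GATE 4"
P2 = b"STATUS CHECK ALL CLEAR OK"

def leak_when_time_repeats(t1: int, t2: int) -> bool:
    """True if XOR of the two ciphertexts equals XOR of the plaintexts,
    i.e. the keystream cancelled out and the key no longer protects them."""
    c1, c2 = encrypt(KEY, t1, P1), encrypt(KEY, t2, P2)
    return xor(c1, c2) == xor(P1, P2)
```

With the same time value the two ciphertexts leak the XOR of their plaintexts without the key being known; with distinct, authenticated time values they do not.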
The second critical vulnerability (CVE-2022-24402) is an engineering weakness in the TEA1 encryption algorithm. According to the researchers, this algorithm has a backdoor that reduces the original 80-bit key to a key size that can be brute-forced on consumer hardware in minutes. The Midnight Blue team suggests that this backdoor is the result of deliberate algorithm design decisions.
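How an independent review can detect a key-reduction step from the outside, as an added example that is not from the original article: if many different keys produce the same keystream, the effective key is shorter than the nominal one. Both ciphers are toys, not TEA1, and the 16-bit reduced size is an assumption chosen so the measurement finishes instantly; the article does not state the real reduced size.

```python
import hashlib
import math
import random
from collections import Counter

def full_cipher(key: bytes) -> bytes:
    """Toy generator that uses all 80 key bits (not a TETRA algorithm)."""
    return hashlib.sha256(b"ks" + key).digest()[:8]

def reduced_cipher(key: bytes) -> bytes:
    """Toy generator with a hidden key-reduction step: the 80-bit key is
    compressed to 16 bits before use (16 is an assumption for this demo)."""
    small = hashlib.sha256(b"init" + key).digest()[:2]
    return hashlib.sha256(b"ks" + small).digest()[:8]

def effective_key_bits(cipher, samples: int = 4096, seed: int = 1):
    """Estimate effective key length from keystream collisions.

    Draws `samples` random 80-bit keys and counts pairs of distinct keys
    that yield identical keystream. For an effective key space of size S,
    the expected number of colliding pairs is about samples^2 / (2 * S).
    Returns None when no collision is seen, meaning S is far above samples^2.
    """
    rng = random.Random(seed)     # fixed seed so the audit is repeatable
    outputs = Counter()
    for _ in range(samples):
        key = rng.getrandbits(80).to_bytes(10, "big")
        outputs[cipher(key)] += 1
    pairs = sum(n * (n - 1) // 2 for n in outputs.values())
    if pairs == 0:
        return None
    return math.log2(samples * (samples - 1) / (2 * pairs))
```

The estimate for `reduced_cipher` lands near 16 bits even though every key passed in is 80 bits long, while `full_cipher` shows no collisions at this sample size.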
Potential Breaches and Risks
The vulnerabilities in TETRA could have severe implications for the confidentiality, integrity, and availability of communication systems used by emergency services, law enforcement, and government agencies. The ability to decrypt communications in real-time or after the fact could potentially expose sensitive information, including operational details, strategic plans, and personal information of individuals involved in the communication.
The ability to inject messages could be used to spread misinformation, disrupt operations, or even manipulate actions based on false information. This could lead to operational failures, misallocation of resources, or even potential harm to individuals if emergency services are misdirected or manipulated.
The ability to deanonymize users could potentially expose the identities of undercover agents or confidential informants, putting their lives at risk. It could also be used to track the movements and activities of specific individuals or units, providing valuable intelligence to adversaries.
The ability to set the session key to zero for uplink interception could allow unauthorized access to the communication system, enabling further attacks or disruptions.
Users of TETRA System
The TETRA system is primarily used by public safety agencies, law enforcement, and emergency services organizations. It is also used by critical infrastructure operators, including those in the transportation sector, such as airports and public transportation systems. In addition, the system is used by private security firms and industrial operators for secure, reliable communication. The system is deployed in approximately 130 countries, making it the world’s most used digital PMR standard.
Likely Next Steps
The discovery of these vulnerabilities will likely lead to a comprehensive review of the security measures in place for TETRA and similar communication systems. This could include a re-evaluation of the use of proprietary encryption algorithms, given the identified weaknesses and the potential for backdoors.
The organizations affected by these vulnerabilities will need to apply the available patches as soon as possible to mitigate the risks. However, given the complexity of these systems and the potential impact of any disruption, patching is likely to be a difficult and potentially lengthy process.
In the longer term, this discovery could lead to a shift towards more transparent and robust security practices in the design and implementation of communication systems. This could include the use of open-source encryption algorithms, which can be independently reviewed and tested for vulnerabilities.
Conclusion
The discovery of the TETRA:BURST vulnerabilities underscores the critical importance of robust, transparent security practices in the design and implementation of communication systems, particularly those used by critical services such as law enforcement and emergency services. The potential breaches and risks associated with these vulnerabilities highlight the need for ongoing vigilance and proactive action to ensure the security and integrity of these vital communication systems.
Further Reading
- Terrestrial Trunked Radio – Wikipedia: For a comprehensive overview of the TETRA system, its history, and its technical specifications.
- TETRA | TErrestrial Trunked Radio – ETSI: For a detailed explanation of the TETRA system from the European Telecommunications Standards Institute (ETSI), which oversees the TETRA specification.
- Five things you need to know about TETRA – Key Touch magazine: For a quick and easy-to-understand guide to the TETRA system and its uses.
- TETRA Customer Stories – Motorola Solutions EMEA: For real-world examples of how the TETRA system is used in various sectors.
- Applying TETRA at your airport – International Airport Review: For a case study on how the TETRA system is used in airport operations.
- TETRA rolls out around the world – The Critical Communications Association – TCCA: For an overview of the global adoption of the TETRA system.
- TETRA radio user: 5 reasons you should be interested in MCPTT: For a discussion on the future of TETRA and potential alternatives.
- TETRA Radios, Applications and Systems – Sepura: For a look at some of the hardware and applications used in TETRA systems.
- TETRA – delivering essential benefits and double digit growth – Intelligent Transport: For an analysis of the growth and benefits of the TETRA system in the transportation sector.