Brian Jackson - Fotolia
Tetra radio users’ comms may have been exposed for years
A number of flaws in the encryption algorithms used in the secure Tetra radio communications standard have potentially left users exposed to snooping
The supposedly secure terrestrial trunked radio (Tetra) technology used by the emergency services – which have been a sticking point in the long-running and deeply troubled transition to the new Emergency Services Network (ESN) – contains a number of serious flaws in its encryption algorithms which could, and possibly have, enabled malicious actors and state espionage operations to snoop on critical communications for years, according to researchers.
Due to the sensitive nature of the bodies that tend to use the technology, technical details of the Tetra standard, which was developed at the European Telecommunications Standards Institute (ETSI) and the Critical Communications Association (TCCA) in the 1990s, has always been a closely guarded secret.
However, in 2021, Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Netherlands-based security consultancy Midnight Blue acquired a Motorola radio product which they tore down in order to examine its encryption algorithms, TEA1, TEA2, TEA3 and TEA4.
The team has waited until now to reveal the existence of the five vulnerabilities they found as part of a coordinated disclosure agreement. They have still not made full technical details of the flaws available – although they plan to do so over the next few months, beginning at Black Hat USA in August.
The vulnerabilities have been assigned CVE designations 2022-24400 through -24404 and collectively they are referred to as Tetra:Burst. Out of these, the most immediately impactful is CVE-2022-24402, which is listed as being of critical severity.
This vulnerability exists in the TEA1 encryption algorithm, and is supposedly a backdoor that reduces the algorithm’s 80 bit encryption key to just 32 bits, rendering it a trivial matter for an unauthorised actor to brute force it and decrypt the radio messages. Meijer, Bokslag and Wetzels said they were able to do this in less than a minute using an ordinary store-bought laptop.
“[This] constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic,” the team wrote in their disclosure notice.
“By exploiting this issue, attackers can not only intercept radio communications of private security services at harbours, airports, and railways, but can also inject data traffic used for monitoring and control of industrial equipment.
“As an example, electrical substations can wrap telecontrol protocols in encrypted Tetra to have SCADA systems communicate with remote terminal units [RTUs] over a wide-area network [WAN]. Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.”
They said this vulnerability was “obviously the result of intentional weakening” since the process involved could serve no other purpose that to reduce the key’s effective entropy.
However, a spokesperson for ETSI disputed that this constituted a backdoor. They said: “The Tetra security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption. These regulations apply to all available encryption technologies. As the designer of the Tetra security algorithms, ETSI does not consider that this constitutes a ‘backdoor’.”
The other critical vulnerability is CVE-2022-24401. This flaw affects all four algorithms and is a result of the manner in which a Tetra radio and its base station initiate encrypted communications based on synchronising their timestamps.
Because the time sync data is not authenticated or encrypted, the Midnight Blue team claimed, an attacker can insert themselves into the process and recover the encrypted communications by tricking the radio into thinking it is talking to the base station. The team said they also found a way to insert false messages into the communications flow by manipulating the timestamp data.
CVE-2022-24404, meanwhile, has a similar impact to CVE-2022-24401 in that it could enable fake messages to be inserted into the communications process, but is not rated as a critical vulnerability. CVE-2022-24403 is a deanonymisation issue that according to the Midnight Blue team, could enable Tetra users and their movements to be monitored so that, for example, an adversary would know they were being watched and could get early warning of an impending police raid and escape. Both these vulnerabilities are listed as being of high severity.
The final vulnerability, which is considered to be of low severity, is CVE-2022-24440. This enables attackers to set the Derived Cypher Key (DCK) to zero. It doesn’t allow a full man-in-the-middle attack in the same way as the other bugs do, but it can allow an attacker to intercept uplinks and access post-authentication protocol functions.
There are a number of mitigations that organisations using Tetra can apply immediately. A patch is already available for CVE-2022-24404 and CVE-2022-24401, while users can avoid exposure to CVE-2022-24402 and CVE-2022-24403 by properly implementing end-to-end encryption, or migrating to newer encryption algorithms.
ETSI’s spokesperson said: “With more than 120 countries using dedicated Tetra networks for mission- and business-critical communications, we continually evaluate our standards and procedures – with input from members of industry – to ensure the Tetra standard remains robust in the face of evolving threats.
“ETSI has an ongoing programme of maintenance to ensure standards remain fit for purpose in an evolving security landscape. Work on enhancing the Tetra standard was in progress before the researchers discussed their findings with ETSI. Revised standards were released in October 2022. As with all technology standards, work continues to support the standards implementation in the market.”
The spokesperson went on to say that ETSI welcomed any research efforts that would help strengthen the standard, and noted that the researchers had in general “affirmed the overall strength” of the Tetra standard.
“ETSI and TCCA are not at this time aware of any exploitations on operational networks,” they added. “Together with the Tetra industry community, we continue to invest in and develop the ETSI Tetra standard so that it remains safe and resilient for the public safety, critical infrastructure and enterprise organisations that rely on it every day.”
Were bugs known to spies?
According to Wired, which has extensively profiled the work of the Midnight Blue team, the vulnerabilities, in particularly the one affecting the TEA1 algorithm, may have been something of an open secret in some quarters for years.
In 2006, for example, according to the famous Wikileaks dump of US diplomatic communications, the US embassy in Italy had tried to object to an Italian company’s proposed sale of Tetra technology to Iranian organisations. The Italians had allegedly said the US had no need to object given the encryption algorithm had less than 40 bits. This would seem to align with ETSI’s assertion that the algorithm was designed to comply with European export controls.
There is also supposedly evidence in the Edward Snowden leaks that the US National Security Agency (NSA) and the UK’s GCHQ – which oversees the National Cyber Security Centre (NCSC) – exploited Tetra for eavesdropping on Argentinian military and government communications concerning fossil fuel exploration rights in the waters surrounding the Falklands/Malvinas. However, whether or not this alleged incident involved the use of the now-disclosed vulnerabilities cannot be ascertained.
Read more about backdoors
- Researchers say they have found specific code similarities between the Solorigate/Sunburst malware and the Kazuar backdoor, suggesting some relationship.
- Microsoft researchers believe Nobelium, the Russian-backed group that breached SolarWinds, has been using a backdoor tool called FoggyWeb since at least April 2021.