Vulnerabilities found in the main communication standard TETRA, giving control over all emergency services
Dangerous vulnerabilities in TETRA have been kept secret for more than 25 years.
A group of researchers from the Dutch information security company Midnight Blue discovered dangerous vulnerabilities in the international wireless standard TETRA, which is used by police, military and critical infrastructure operators around the world. The flaws can allow attackers to intercept, spoof, or disrupt secret communications.
The TETRA (Terrestrial Trunked Radio) communication standard is used in 170 countries. It was developed by the European Telecommunications Standards Institute (ETSI) and is supported by various radio manufacturers including Motorola Solutions, Airbus, Hytera, and others. TETRA is used for wireless communication between devices in emergency response systems, public safety, military and critical infrastructure.
The standard has been used in radio communications since the 1990s, but the vulnerabilities remained unknown because the encryption algorithms used in TETRA were kept secret rather than published for review.
Midnight Blue researchers have discovered several vulnerabilities in the standard, including a backdoor in one of the encryption algorithms that allows even a low-capability attacker to intercept encrypted messages. Other vulnerabilities relate to incorrect handling of timestamps and keystream generation, which could allow an attacker to spoof messages.
The researchers identify the following weaknesses:
- Vulnerability in the TEA1 algorithm. It can be used to crack the encryption quickly and intercept secret messages. The weakness is a key-reduction step inside the algorithm that shrinks the effective key to 32 bits, far shorter than the nominal key length of 80 bits. The researchers were able to recover such a key in less than a minute on a standard laptop using just four ciphertexts. TEA1 is intended for commercial use, that is, for radios deployed in critical infrastructure around the world, including Europe, as well as by public safety, military and police users.
- Vulnerability in the handling of timestamps and keystreams. TETRA uses timestamps to synchronize communications between radios and base stations, and the keystream that encrypts traffic is derived from the key and the timestamp. However, these timestamps are transmitted in the clear, which allows an attacker to intercept them and use them to forge messages. An attacker can use an intercepted timestamp to set up a fake base station and send encrypted messages under the guise of a real station.
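The timestamp weakness above comes down to a stream-cipher keystream that depends only on the key and a cleartext timestamp. The following added example (not code from Midnight Blue or from the TETRA standard) models that property with a hypothetical HMAC-based keystream generator standing in for the real TEA cipher, shows why a repeated timestamp is dangerous, and sketches a receiver-side mitigation (monotonic timestamp check plus a MAC over timestamp and ciphertext), which is this example's own design, not something the standard specifies.

```python
import hmac
import hashlib

# Hypothetical stand-in for a TETRA air-interface keystream generator (NOT TEA1/TEA2):
# keystream = HMAC-SHA256(key, timestamp || counter), concatenated per block.
# The only property relied on is the one the article describes: the keystream
# is a function of (key, timestamp) and nothing else.
def keystream(key: bytes, timestamp: int, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        msg = timestamp.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, timestamp: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, timestamp, len(plaintext)))

# Risk: since the timestamp travels in the clear and the keystream depends on
# nothing else, two frames sent under the same timestamp share a keystream, so
# XOR of the two ciphertexts equals XOR of the two plaintexts (classic reuse).
def keystream_reuse_leak(key: bytes, ts: int, p1: bytes, p2: bytes) -> bool:
    c1 = encrypt(key, ts, p1)
    c2 = encrypt(key, ts, p2)
    return xor(c1, c2) == xor(p1, p2)

# Mitigation sketch (added here, not from the standard): the receiver accepts
# only strictly increasing timestamps, and every frame carries a MAC over
# (timestamp, ciphertext) under a separate key, so a replayed or forged
# timestamp fails before any decryption happens.
class HardenedReceiver:
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key = enc_key
        self.mac_key = mac_key
        self.last_ts = -1

    def tag(self, ts: int, ct: bytes) -> bytes:
        return hmac.new(self.mac_key, ts.to_bytes(8, "big") + ct, hashlib.sha256).digest()

    def receive(self, ts: int, ct: bytes, tag: bytes):
        if ts <= self.last_ts:
            return None  # replayed or rewound timestamp: reject
        if not hmac.compare_digest(tag, self.tag(ts, ct)):
            return None  # forged frame: reject
        self.last_ts = ts
        return xor(ct, keystream(self.enc_key, ts, len(ct)))
```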
The vulnerabilities could be used for disinformation, sabotage, or espionage, and they pose a real threat to public safety systems and critical infrastructure networks.
The researchers do not know whether the vulnerabilities they discovered are being actively exploited. However, they found evidence in the documents leaked by Edward Snowden indicating that the NSA and the UK intelligence agency GCHQ exploited TETRA for eavesdropping in the past.
Government and private organizations around the world have been notified of the vulnerabilities and are now working on mitigations. The researchers plan to present their findings next month at the Black Hat security conference in Las Vegas.