Did TETRA Have A Backdoor Hidden In Encrypted Police And Military Radios?
Encrypted communications are considered vital to many organizations, from military users to law enforcement officials. Meanwhile, the ability to eavesdrop on these communications is of great value to groups such as intelligence agencies and criminal operators. Thus, there is a constant arms race between those who develop encryption and those who are desperate to break it.
In a startling revelation, cybersecurity researchers have discovered a potentially intentional backdoor in encrypted radios using the TETRA (TErrestrial Trunked RAdio) standard. TETRA equipment is used around the world by law enforcement agencies, military groups and critical infrastructure providers, some of which may have been inadvertently exposing sensitive conversations to interception for decades.
If you’re not familiar with TETRA, it’s a backbone radio system designed for professional use by groups such as government agencies, emergency services, infrastructure and rail operators, as well as military and law enforcement. It uses Time Division Multiple Access (TDMA) to share channels and is capable of carrying both voice and digital data. It can be used in direct communication modes or in a switched trunking system where infrastructure is available. Because it is a networked system, it can provide far greater coverage without the usual range limitations of handheld radios.
Researchers at Midnight Blue, a cybersecurity firm, were the first to perform a detailed, publicly available analysis of the TETRA standard that revealed vulnerabilities in the underlying cryptography. TETRA has a number of encryption methodologies, all proprietary. Researchers found a serious vulnerability specifically in the TEA1 encryption algorithm.
Although not all TETRA radio users use TEA1, those who do are likely to be at risk of having their communications intercepted and decrypted. TEA1 is intended primarily for commercial users. The three other encryption methods, TEA2, TEA3, and TEA4, have different intended applications. TEA2 is reserved for police, emergency services, military and intelligence users in Europe only. TEA3 is limited to similar users in countries considered “friendly” by the EU, such as Mexico and India. Users in other countries, such as Iran, are forced to settle for TEA1. TEA4 is another algorithm intended for commercial users, although it is hardly used, according to Midnight Blue.
The list of TETRA users is long, with the system in use in 114 countries by 2009. While many have access to the stronger encryption methods, few would like to hear that they are using a compromised radio system. TETRA is used by police forces in the Middle East, including Iran, Iraq, Lebanon and Syria, along with the Polish and Finnish military forces. The Dutch police are also a major user, and Midnight Blue met directly with the organization to discuss the breach.
The back door
The vulnerability, which has been dubbed a “backdoor” by the researchers, is essentially a “secret reduction step” in the encryption process. This step reduces the entropy of the initial encryption key from 80 bits to just 32 bits, which makes cracking the key trivial with a modern computer. It allows an attacker to easily decrypt traffic using consumer equipment and a software-defined radio dongle for interception. This decryption process is not only fast, taking less than a minute, but also undetectable when performed by a passive listener.
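To make the entropy-reduction point concrete, here is an added illustration that is not Midnight Blue's code and not the TEA1 algorithm (whose actual reduction step is not reproduced here): a toy stream cipher whose 80-bit key passes through a hypothetical many-to-one reduction before use, so a passive listener holding a known plaintext only has to search the reduced space and never needs the original key. The `reduce_key` and `keystream` functions, the sample key and the sample frame are all constructed for this example.

```python
"""Added illustration: why a secret key-reduction step collapses security.
Toy cipher, NOT TEA1; reduce_key and keystream are hypothetical stand-ins."""
import hashlib

FULL_KEY_BITS = 80      # nominal TEA1 key size stated in the article
REDUCED_BITS = 32       # effective key size after the reduction step

def reduce_key(full_key: bytes, out_bits: int) -> int:
    """Hypothetical many-to-one reduction: 80-bit key -> out_bits-bit value."""
    assert len(full_key) * 8 == FULL_KEY_BITS
    digest = hashlib.sha256(full_key).digest()
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)

def keystream(reduced_key: int, n: int) -> bytes:
    """Toy keystream driven only by the reduced key (counter mode over SHA-256)."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(reduced_key.to_bytes(4, "big")
                              + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:n])

def encrypt(full_key: bytes, plaintext: bytes, out_bits: int = REDUCED_BITS) -> bytes:
    """The radio's view: it holds the full key, but only the reduced value matters."""
    ks = keystream(reduce_key(full_key, out_bits), len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def recover_reduced_key(known_plain: bytes, ciphertext: bytes, out_bits: int):
    """Passive listener: XOR known plaintext against captured ciphertext to get
    keystream, then enumerate only the reduced key space (2**out_bits trials)."""
    target = bytes(p ^ c for p, c in zip(known_plain, ciphertext))
    for cand in range(1 << out_bits):
        if keystream(cand, len(target)) == target:
            return cand
    return None

def brute_force_seconds(bits: int, trials_per_second: float) -> float:
    """Worst-case exhaustive search time for a keyspace of 2**bits."""
    return (1 << bits) / trials_per_second

if __name__ == "__main__":
    # Constructed sample: a 10-byte (80-bit) key and a frame with a guessable header.
    key = bytes.fromhex("00112233445566778899")
    frame = b"TETRA-HDR-0001: unit 7 to dispatch, moving to sector 4"
    ct = encrypt(key, frame, out_bits=16)   # 16 bits keeps the demo fast in Python
    found = recover_reduced_key(frame[:16], ct[:16], out_bits=16)
    print("reduced key recovered:", found == reduce_key(key, 16))
    print("2^32 keyspace at 1e9 trials/s:", brute_force_seconds(32, 1e9), "s")
    print("2^80 keyspace at 1e9 trials/s:", brute_force_seconds(80, 1e9) / 3.156e7, "years")
```

The demo searches a 16-bit reduced space so it finishes in well under a second in pure Python; the same search over the article's 32-bit space is 2^32 trials, seconds on dedicated hardware, while the nominal 80-bit space would take on the order of 10^7 years at a billion trials per second.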
It should be noted that the proprietary nature of TETRA means that public analysis of its encryption is difficult to pursue. The Midnight Blue researchers got around this by simply purchasing a Motorola MTM5400 TETRA radio from eBay to perform their analysis. Code execution was achieved on the main application processor through a vulnerable interface, which then allowed the team to dive into the operation of the signal processing chip. The team was then able to reverse-engineer the cryptographic operations going on inside and crack the TEA1 encryption wide open. The team has named the series of vulnerabilities TETRA:BURST.
Whether the backdoor was deliberate or accidental has become a point of controversy. While the researchers insist it was designed intentionally, the European Telecommunications Standards Institute (ETSI), which is responsible for the TETRA standard, disputes this claim and attributes the weakness instead to export controls that dictated the encryption strength.
According to reports published by Wired, the 32-bit limitation in the TEA1 algorithm was intended to meet export requirements for equipment to be used outside of Europe. Brian Murgatroyd, chairman of the body responsible for TETRA at ETSI, said that at the time of development in 1995, 32-bit keys were still considered relatively secure. He also argued that, at most, the weakness would allow decryption and interception of communications. However, the Midnight Blue researchers point out that TETRA does not digitally sign or authenticate individual transmissions, so once a radio is authenticated to a TETRA network, it can inject any transmissions it likes.
However, this is a curious claim given that the key reduction step the group found was never publicly documented; ostensibly, TEA1 relies on an 80-bit key. Nevertheless, there are hints that this weakness was well known back in 2006: a leaked diplomatic cable on US pushback over the export of Italian TETRA radio equipment to Iran noted that the encryption involved was “less than 40 bits”, a threshold considered below the level suitable for military use.
Regardless of intent, the possibility of the backdoor’s existence and potential exploitation for decades cannot be ignored.
What does this revelation mean for the countless organizations using standard TETRA radios? For starters, it points to a significant and alarming risk to public safety and national security. Confidential and sensitive information may have been or may still be intercepted and decrypted by potential adversaries. This finding also sheds light on the inherent vulnerabilities in relying on private cryptographic systems that cannot be easily verified by outside security experts. It also shows how international relations play a big role in the export of technology and tells us how little different countries really trust each other.
Organizations affected by this vulnerability face significant challenges. First, they must determine the extent of any breaches that may have occurred through this backdoor; given that it has existed for decades, this could prove a tall order with far-reaching consequences. Additionally, these organizations will need to plan immediate countermeasures, such as deploying firmware updates and migrating to other TEA ciphers or implementing end-to-end encryption, to secure their communications. It should be noted that Midnight Blue had long planned a talk at the 2023 Black Hat event on this very topic, but it was listed under a redacted name to protect TETRA users while the group disclosed its findings to affected parties.
However, the problem is deeper than simply fixing this vulnerability. The discovery further fueled the debate over the use of “closed, proprietary crypto” versus “open, publicly controlled standards.” In the interest of avoiding similar security pitfalls in the future, organizations may need to re-evaluate their security infrastructure and move towards adopting open cryptographic systems that can be verified by external experts and the wider security community.
In conclusion, this revelation serves as a stark reminder of the inherent risks of proprietary cryptography and the urgent need to move toward more open, transparent, and verifiable security standards. After all, in an increasingly interconnected world, the cost of cybersecurity complacency can be catastrophically high.