Security researchers have made a significant discovery regarding the TErrestrial Trunked RAdio (TETRA) standard, which is used in radios worldwide. They have uncovered multiple vulnerabilities in the underlying cryptography and its implementation that could allow the decryption of sensitive information transmitted over these radios.

According to the researchers, one of the vulnerabilities may amount to an intentional backdoor in the encrypted radios used by police, military and critical infrastructure entities globally. This backdoor might have existed for decades, posing a serious security risk by potentially exposing valuable data.

The organization responsible for maintaining the TETRA standard disputes the term "backdoor" and says the algorithm's strength was set to comply with export controls on encryption. Whatever the intent, the end result is radios whose encrypted traffic can be decrypted within a minute using consumer hardware, such as an ordinary laptop.

The research represents the first public and comprehensive analysis of the TETRA standard in over two decades since its inception. While not all TETRA users employ the specific encryption algorithm (TEA1) affected by the backdoor, the researchers found other vulnerabilities across TETRA that could enable historical decryption of communications and deanonymization.

The impacted users of TETRA-powered radios include national police forces and emergency services in Europe, military organizations in Africa, train operators in North America and critical infrastructure providers in other regions.

The research findings will be presented by the cybersecurity firm Midnight Blue at the upcoming Black Hat cybersecurity conference. The details of the talk have been kept secret due to an extended disclosure process involving notifying affected parties about the vulnerabilities for over a year and a half.

TETRA, created by the European Telecommunications Standards Institute (ETSI) in 1995, is not open-source and relies on proprietary cryptography. The researchers gained access to the cryptographic component by exploiting vulnerabilities in the radio's interface, eventually revealing a series of vulnerabilities collectively named TETRA:BURST.

The most significant finding was related to the TEA1 encryption algorithm, where the researchers discovered a "secret reduction step" that greatly reduces the initial key's entropy. As a result, an attacker could decrypt intercepted traffic using readily available consumer-level hardware and a cheap software-defined radio dongle.

Although some radio manufacturers have released firmware updates in response to the researchers' findings, the researchers recommend that users either switch to a different TEA cipher or add end-to-end encryption on top of the radio link. Experts hope that this incident will prompt the industry to move away from closed, proprietary crypto in favor of open, publicly scrutinized standards.