A radio communications protocol used by emergency services worldwide harbors several critical vulnerabilities that could allow adversaries to spy on or manipulate the transmissions, researchers found.
Terrestrial Trunked Radio (TETRA) is a radio voice and data standard mainly used by emergency services, such as police, fire brigade, and military, as well as in some industrial environments.
Multiple TETRA secure channels offer key management, voice, and data encryption, while the TETRA Encryption Algorithm (TEA1) implements the actual encryption algorithms that ensure that data is confidentially communicated over the air.
Researchers from Midnight Blue Labs found five vulnerabilities in TETRA — with CVE-2022-24402 and CVE-2022-24401 both rated as critical. Collectively, the zero-day vulnerabilities are known as "TETRA:BURST." The researchers will present their findings at Black Hat USA next month.
Depending on infrastructure and device configurations, these vulnerabilities allow for real-time or delayed decryption, message injection, user deanonymization, or session key pinning attacks. Practically, these vulnerabilities allow high-end adversaries to listen in on police and military communications, track their movements, or manipulate critical infrastructure network communications carried over TETRA.
Time for TEA?
In a demonstration video of CVE-2022-24401, researchers showed that an attacker would be able to capture the encrypted message by targeting a radio to which the message was being sent. Midnight Blue founding partner Wouter Bokslag says that in none of the circumstances for this vulnerability do you get your hands on a key: "The only thing is you're getting is the key stream, which you can use to decrypt, arbitrary frames, or arbitrary messages that go over the network."
A second demonstration video of CVE-2022-24402 reveals that there is a backdoor in the TEA1 algorithm that affects networks relying on TEA1 for confidentiality and integrity. It was also discovered that the TEA1 algorithm uses an 80-bit key that an attacker could do a brute-force attack on, and listen in to the communications undetected.
Bokslag admits that using the term backdoor is strong, but it is justified in this instance. "As you feed an 80 bits key to TEA1, that flows through a reduction step and which leaves it with only 32 bits of key material, and it will carry on doing the decryption with only those 32 bits," he says.
Bokslag says this weakening of the cipher would allow an attacker to exhaustively search through the 32 bits, and decrypt all the traffic with very cheap hardware. This would only require a $10 USB dongle to receive signals, and using a standard laptop an attacker would have access until the key changes — and in many cases, the key is never changed, so the attacker would have permanent access to communications.
Why Research This in the First Place?
Admitting that "proprietary cryptography has repeatedly suffered from practically exploitable flaws which remain unaddressed until disclosed," the researchers said their goal was to open up TETRA for public review, perform a risk analysis, resolve issues, and create a level playing field.
The researchers also said the intention was to gain a better understanding of TETRA security, ensure identified issues are resolved and promote the use of open cryptography.
"The interesting thing about this technology is that the use cases which are quite sensitive, and the cryptography that's supposed to secure communications is secret," Bokslag says.
First published in 1995 by the European Telecommunications Standards Institute (ETSI), TETRA is one of the most widely used professional mobile radio standards — especially for law enforcement — and has been in continuous use for decades for voice, data, and machine-to-machine communications.
While most of the TETRA standard is open, its security relies on a set of secret, proprietary cryptographic algorithms that are distributed only under strict nondisclosure agreement to a limited number of parties. The researchers also found a mention of TETRA in the 2013 Edward Snowden leaks, especially in the interception of TETRA communications.
Fixing the Holes
Bokslag admits some of the issues quite easily can be resolved through firmware updates, including CVE-2022-24401. However, CVE-2022-24402 is not fixable through firmware updates because they are part of the standard.
"You cannot work around it," Bokslag says. "For TEA1, you could apply end-to-end encryption as a solution, but it's going to be very costly and very labor intensive to roll out."
Users in more than 100 countries will be affected by these vulnerabilities, as well as most sectors of industry, including law enforcement as well as military and intelligence services, he says. The researchers have been in contact with manufacturers and network operators in order to help them resolve these issues as much as they can. "This has been the first public in-depth security analysis of TETRA in its existence, which is now almost 30 years," he says.
"No one is allowed to know what TEA [versions] 5, 6, and 7 will involve," Bokslag adds. "The authentication mechanisms are once again going to be to be secret. There are not yet any solutions in the market, but manufacturers are working on them."
Bokslag says manufacturers have developed patches for the vulnerabilities in response to the research. Midnight Blue recommends migrating from TEA1 to another TEA cipher for now.