After Critical Bug Disclosures, TETRA Emergency Comms Code Goes Public

The encryption algorithms used to secure emergency radio communications will now soon be released to the public domain, with the aim of encouraging code review and bug hunting.

The news comes after multiple vulnerabilities were found in TETRA, short for Terrestrial Trunked Radio, which is a radio voice and data standard mainly used by emergency services, such as police, fire brigade, and military, as well as in some industrial environments. The bugs were found by Midnight Blue Labs earlier this year, and the research was presented at Black Hat USA, showcasing additional zero-day vulnerabilities that could allow anyone to spy on or manipulate transmissions. 

This decision to go public is a complete 180-degree turn for standard-maintainer ETSI, which originally pushed back against any claims of vulnerabilities within TETRA when they were initially found, claiming that the work to enhance the standard was already underway.

Since then, a technical committee overseeing the TETRA standard met in October to decide on making the algorithms open to the public. Ultimately, the group came to a unanimous decision to open-source all of the TETRA Air Interface cryptographic algorithms. 

Brian Murgatroyd, an ESTI committee chairman, noted that the meeting was attended by a substantial amount of the TETRA community, including operators, users, manufacturers, and governments, and that "following publication of the algorithms, we are open to academic research for independent reviews."

The algorithms will enter the public domain alongside the standard's original authentication and key management specification (TAA1), and a the new authentication and key management specification, TAA2.

As yet, no date has been put in place for when the algorithms will become accessible.