TETRA radio comms used by emergency services vulnerable to man-in-the-middle attacks
Take action: Custom, proprietary cryptography is always a terrible idea. However good you are at the mathematics, you are still one person: you can make mistakes, and you can be pressured into designing something that is intentionally weaker. Always use well-known, publicly reviewed cryptography.
Learn More
Midnight Blue, a security firm based in the Netherlands, has reported five vulnerabilities in Terrestrial Trunked Radio (TETRA), a radio communication standard used by government agencies, law enforcement, and emergency services in Europe, the United Kingdom, and many other countries.
The primary concern raised by Midnight Blue is the interception or manipulation of messages sent by law enforcement, military, and critical infrastructure operators over TETRA networks.
The vulnerabilities, collectively referred to as TETRA:BURST, pose significant security risks: they allow attackers to decrypt communications in real time or after the fact, inject unauthorized messages, deanonymize users, and even intercept uplink traffic.
Of the five vulnerabilities, two are classified as critical.
- CVE-2022-24401 allows a decryption oracle attack that exposes text, voice, or data traffic. The flaw arises because the Air Interface Encryption (AIE) keystream generator depends on the network time, which is publicly broadcast without authentication, so a rogue base station can feed a radio a chosen time value and force it to reuse keystream.
- CVE-2022-24402 is a backdoor in the TEA1 encryption algorithm: a key-reduction step shrinks the original 80-bit key to an effective 32 bits, which can be brute-forced on consumer hardware within minutes.
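The mechanism behind CVE-2022-24401 is a general one: any stream cipher whose keystream is derived from a value the attacker can replay becomes a decryption oracle. The following is an added example, not Midnight Blue's code and not the real AIE or TEA construction; the keystream generator is a SHA-256 stand-in, the `VulnerableRadio`/`HardenedRadio` classes and the sample traffic are constructed for illustration, and the assumption that an attacker can make the radio transmit known content (here, zero-filled filler) after replaying the time is an assumption of the model.

```python
# Added example: toy model of a keystream seeded from an unauthenticated
# network time, the decryption-oracle attack that results, and a hypothetical
# hardened radio that authenticates time and rejects replays.
# NOT the real AIE/TEA algorithms; SHA-256 stands in for the keystream generator.
import hashlib
import hmac
import os


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Deterministic keystream from (key, network_time). Same inputs give the
    same keystream, which is exactly the property the attack abuses."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(
            key + network_time.to_bytes(8, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VulnerableRadio:
    """Hypothetical radio that trusts whatever time the base station broadcasts."""

    def __init__(self, key: bytes):
        self.key = key
        self.network_time = 0

    def sync_time(self, broadcast_time: int) -> None:
        self.network_time = broadcast_time  # no authentication, no monotonicity check

    def transmit(self, plaintext: bytes) -> bytes:
        return xor(plaintext, keystream(self.key, self.network_time, len(plaintext)))


class HardenedRadio(VulnerableRadio):
    """Hypothetical fix: time broadcasts carry an HMAC under a key the rogue
    base station lacks, and the accepted time may never move backwards."""

    def __init__(self, key: bytes, time_auth_key: bytes):
        super().__init__(key)
        self.time_auth_key = time_auth_key

    def sync_time(self, broadcast_time: int, tag: bytes = b"") -> None:
        expected = hmac.new(self.time_auth_key, broadcast_time.to_bytes(8, "big"), "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("unauthenticated time broadcast rejected")
        if broadcast_time <= self.network_time:
            raise ValueError("replayed or stale time rejected")
        self.network_time = broadcast_time


def decryption_oracle_attack(radio: VulnerableRadio, captured_time: int,
                             captured_ct: bytes, known_pt: bytes) -> bytes:
    """Attacker side. Precondition (assumed): the attacker recorded captured_ct sent
    at captured_time, runs a rogue base station, and can make the radio transmit
    known_pt (at least as long as captured_ct) after the time is replayed."""
    radio.sync_time(captured_time)          # rogue base station re-broadcasts the old time
    oracle_ct = radio.transmit(known_pt)    # radio reuses keystream(key, captured_time)
    recovered_ks = xor(oracle_ct, known_pt)  # ciphertext XOR known plaintext = keystream
    return xor(captured_ct, recovered_ks)   # keystream XOR old ciphertext = old plaintext


def run_attack() -> bytes:
    """Constructed scenario: sniff one encrypted message, then recover it."""
    key = os.urandom(16)                       # shared air-interface key, unknown to attacker
    radio = VulnerableRadio(key)
    radio.sync_time(1_690_000_000)             # legitimate network time
    secret = b"unit 12 proceed to checkpoint alpha"  # constructed sample traffic
    captured = radio.transmit(secret)          # all the attacker ever sees of it
    filler = b"\x00" * len(captured)           # assumed predictable content the radio will send
    return decryption_oracle_attack(radio, 1_690_000_000, captured, filler)


def replay_blocked() -> bool:
    """The hardened radio rejects both unsigned and replayed-but-genuine time broadcasts."""
    key, time_key = os.urandom(16), os.urandom(16)
    radio = HardenedRadio(key, time_key)
    t = 1_690_000_000
    sign = lambda ts: hmac.new(time_key, ts.to_bytes(8, "big"), "sha256").digest()
    radio.sync_time(t, sign(t))                # legitimate broadcast
    radio.sync_time(t + 60, sign(t + 60))      # time advances legitimately
    for attempt in ((t, b""), (t, sign(t))):   # unsigned replay, then genuinely-signed replay
        try:
            radio.sync_time(*attempt)
            return False                       # a replay got through: not hardened
        except ValueError:
            pass
    return True


if __name__ == "__main__":
    print(run_attack())
    print("replay blocked:", replay_blocked())
```

The attack never touches the key: it only needs the radio to encrypt something predictable under a time value the attacker chose, and the keystream falls out. The hardened variant shows the two properties the time input was missing: integrity (the broadcast must be authenticated) and freshness (an old, validly-signed broadcast must not be accepted again).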
The three remaining flaws are less severe but still enable malleability attacks and radio identity tracking, or compromise confidentiality through a flawed authentication algorithm:
- CVE-2022-24404: lack of ciphertext authentication in AIE, enabling malleability attacks
- CVE-2022-24403: weak obfuscation of radio identities, enabling deanonymization and tracking of users
- CVE-2022-24400: a flaw in the authentication algorithm that lets an attacker set the Derived Cipher Key (DCK) to zero
The researchers argue that the weakening of the TEA1 cipher is clearly deliberate. Secret, proprietary cryptography has been a recurring theme in earlier vulnerabilities in communication systems, and TETRA is no exception. Because of the secrecy surrounding TETRA's security, however, it had not been subjected to in-depth public security research until now.
The disclosure follows Midnight Blue's reverse engineering and public analysis of the TAA1 authentication algorithm and the TEA encryption algorithms, which led to the discovery of the TETRA:BURST flaws. The European Telecommunications Standards Institute (ETSI), which maintains the TETRA specification, has yet to respond to the reported vulnerabilities.