Five TETRA vulnerabilities found, as full findings released

Dutch security consultancy Midnight Blue has released the full details surrounding its discovery of five vulnerabilities in the TETRA standard, with the embargo on the company’s technical research having been lifted this week. The collection of vulnerabilities, named TETRA:BURST and first publicly reported by the company last month, are claimed to allow for real-time decryption, message injection and user de-anonymisation.

TETRA (Terrestrial Trunked Radio) is a radio standard used worldwide for critical communications such as emergency response, industrial equipment, military comms, transport and critical infrastructure. It was standardised in 1995 by the European Telecommunications Standards Institute (ETSI) and has since been deployed in over 100 countries, yet Midnight Blue says the standard has never been subjected to in-depth public security research until now.

At its core, Midnight Blue explains, TETRA security relies a set of secret, proprietary cryptographic algorithms that are only distributed under strict non-disclosure agreement to a limited number of parties. Midnight Blue researchers believed this reliance on secrecy was not good practice, and that it is better to have open systems that can be prodded and tested by security experts.

The algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for air interface encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys — TEA1 and TEA4 were intended for commercial use and restricted export scenarios, while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.

Midnight Blue was granted funding to investigate TETRA by the non-profit NLnet Foundation, as part of the European Commission-supported NGI0 PET fund. Working under the project name RE:TETRA, the consultancy managed to reverse-engineer and publicly analyse the TAA1 and TEA algorithms — and as a result discovered five vulnerabilities, two of which are deemed critical and most of which affect all TETRA networks. Depending on infrastructure and device configurations, these vulnerabilities allow for real-time decryption, harvest-now-decrypt-later attacks, message injection, user de-anonymisation or session key pinning. The vulnerabilities are listed below.

Vulnerability	Description	Severity	Impact	Adversary
CVE-2022-24401	The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.	Critical	Loss of confidentiality /authenticity	Active
CVE-2022-24402	The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.	Critical	Loss of confidentiality /authenticity	Passive/ active
CVE-2022-24404	Lack of ciphertext authentication on AIE allows for malleability attacks.	High	Loss of authenticity	Active
CVE-2022-24403	The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to de-anonymise and track users.	High	User de-anonymisation	Passive
CVE-2022-24400	A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.	Low	Loss of authenticity/ partial loss of confidentiality	Active

Of particular concern to Midnight Blue is CVE-2022-24402, a purpose-built backdoor for TEA1 which reduces the original 80-bit key, which is strong, to a 32-bit key. The researchers demonstrated the use of the backdoor in a video, taking about one minute to crack the key using an ordinary laptop. Once cracked, they could not only intercept all radio traffic but also communicate. Since TETRA is also used for machine-to-machine communication in industrial settings, this can be exploited to send harmful commands to machines, the company noted.

Midnight Blue first reported TETRA:BURST to the Dutch National Cyber Security Centre (NCSC) in December 2021; this was followed by a 1.5-year responsible disclosure process in which mitigation measures (including firmware patches and compensating controls) were shared with the relevant stakeholders. As per NCSC’s own guidelines, reporting of hardware and embedded systems vulnerabilities should take no more than six months; the delay was reportedly the result of the critical functions of the TETRA system, the complexity of addressing the vulnerabilities, and the difficulty tracking down TETRA’s many vendors and users. The public were finally notified of these issues by Midnight Blue on 24 July 2023.

ETSI has responded to the revelations by stating that it is continually evaluating its procedures and that work on enhancing the TETRA standard was in progress even before the researchers reached out with their findings. Indeed, ETSI claims the research affirms the overall strength of the TETRA standard, finding no weaknesses in the TEA2 and TEA3 algorithms. The institute did however acknowledge the need for some general areas for improvement in the TETRA protocol, as well as weaknesses in the TEA1 algorithm — which is classified for general use — and that these have been addressed or are in the process of being addressed.

According to ETSI, software patches from TETRA providers and migration to a new algorithm set released in October 2022, which includes TEA5, TEA6 and TEA7, mitigate the potential to discover the identities of mobile radio terminals by intercepting control messages from base stations and the potential to compromise encrypted keystreams by posing as base stations. Use of end-to-end encryption meanwhile mitigates the weakness in the TEA1 algorithm. ETSI also disputed the use of the term “backdoor” to describe the TEA1 vulnerability, noting that the TETRA security standards “are designed for and subject to export control regulations which determine the strength of the encryption. These regulations apply to all available encryption technologies.”

Midnight Blue presented its findings at the Black Hat USA security conference on 9 August — the day the technical research embargo lifted — and its presentation slides are now publicly available. In addition, the company is presenting an academic research paper at the USENIX Security Symposium on 11 August, which is also available to read. Implementation of the TETRA cryptographic primitives is available at the company’s GitHub repository.

Image credit: iStock.com/Chor muang