Midnight Blue discovers more TETRA vulnerabilities
Dutch security consultancy Midnight Blue has identified new security vulnerabilities in the TETRA standard, including the elusive end-to-end encryption (E2EE) mechanisms that are commonly encountered in sensitive use cases. The news comes two years after the company released five vulnerabilities in the TETRA standard, which it dubbed TETRA:BURST; these latest vulnerabilities have thus been named 2TETRA:2BURST.
TETRA (Terrestrial Trunked Radio) is a radio standard used for voice and data transmission in over 100 countries, including in a machine-to-machine capacity, for critical communications such as emergency response, industrial equipment, military comms, transport and critical infrastructure. It was standardised in 1995 by the European Telecommunications Standards Institute (ETSI) and is now the most widely used police radio communication system.
ETSI standardised the TETRA Air Interface Encryption (AIE) mechanism, which provides encryption between the mobile radio and the infrastructure and which Midnight Blue previously assessed as part of its TETRA:BURST research. On top of AIE, an additional layer of security (TETRA E2EE) may be used for the most sensitive use cases, such as intelligence agencies, special forces and covert units. The TETRA E2EE protocols are defined by The Critical Communications Alliance (TCCA) in a series of Security & Fraud Prevention Group (SFPG) recommendation documents; vendor implementations, however, may differ, and solutions are sometimes mutually incompatible.
While the E2EE mechanisms are typically only available under highly restrictive NDAs, Midnight Blue managed to obtain and reverse-engineer the Sepura Embedded E2EE solution, a popular software-based implementation based on Texas Instruments’ OMAP-L138 platform, as it believes this implementation closely adheres to the SFPG’s recommendations; it is therefore likely that other E2EE implementations are affected by these or similar issues. The company was granted funding by the non-profit NLnet Foundation as part of its European Commission-supported NGI0 Entrust fund.
The identified vulnerabilities — which constitute the result of about one year of research followed by a six-month coordinated disclosure process — are outlined below.
| Vulnerability | Description | Severity | Impact | Adversary |
|---|---|---|---|---|
| CVE-2025-52940 | TETRA end-to-end encrypted voice streams are vulnerable to replay attack. Furthermore, an attacker with no knowledge of the key may inject arbitrary voice streams that are played back indistinguishably from authentic traffic by legitimate call recipients. | Low | Loss of authenticity | Active |
| CVE-2025-52941 | TETRA end-to-end encryption algorithm ID 135 refers to an intentionally weakened AES-128 implementation which has its effective traffic key entropy reduced from 128 to 56 bits, rendering it vulnerable to brute force attacks. | Critical | Loss of confidentiality/integrity | Passive/active |
| CVE-2025-52942 | End-to-end encrypted TETRA SDS messages feature no replay protection, allowing for arbitrary replay of messages towards either humans or machines. | Low | Loss of authenticity | Active |
| CVE-2025-52943 | TETRA networks that support multiple AIE algorithms are vulnerable to key recovery attacks since the SCK/CCK network key is identical for all supported algorithms. When TEA1 is supported, an easily recovered TEA1 key (CVE-2022-24402) can thus be used to decrypt or inject TEA2 or TEA3 traffic on the network. | Critical | Loss of confidentiality/integrity | Passive/active |
| CVE-2025-52944 | The TETRA protocol lacks message authentication and therefore allows for the injection of arbitrary messages such as voice and data. Message injection is possible regardless of whether client authentication is enforced by the network. | Critical | Loss of authenticity/partial loss of confidentiality | Active |
| MBPH-2025-001 | ETSI’s fix for CVE-2022-24401 is ineffective in the prevention of keystream recovery attacks. | Critical | Loss of confidentiality/authenticity | Active |
All listed vulnerabilities were validated in practice and found exploitable through practical experiments carried out either on Midnight Blue’s lab set-up with a real TETRA base station or on real-world networks. The company has recorded several demonstration videos: the first demonstrates E2EE voice injection (CVE-2025-52940) on its lab set-up using Sepura Gen 3 handheld radios, showing the injection of attacker-controlled voice into an end-to-end encrypted talkgroup; the second demonstrates packet injection (CVE-2025-52944) in an OT scenario with maliciously injected SCADA telecontrol traffic; and the third demonstrates that ETSI’s mitigation for keystream recovery attacks (CVE-2022-24401) is insufficient.
Impact
According to Midnight Blue, the impact of the 2TETRA:2BURST vulnerabilities depends on the use cases and configuration of each particular TETRA network, bearing in mind the generally very high security requirements of those who decide to adopt TETRA E2EE solutions. Voice replay or injection scenarios (CVE-2025-52940) can cause confusion among legitimate users, which can be used as an amplifying factor in a larger-scale attack. TETRA E2EE users should in any case validate whether they may be using the weakened 56-bit variant (CVE-2025-52941). Furthermore, the E2EE SDS replay vulnerability (CVE-2025-52942) may be serious where end-to-end encrypted SDS messages are used to carry control data. Lastly, TETRA AIE provides some degree of additional protection, although many caveats exist. These range from the backdoored TEA1 cipher (CVE-2022-24402) to several keystream recovery attacks (CVE-2022-24401, MBPH-2025-001) and injection vulnerabilities.
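A defender-side illustration of the replay problem behind CVE-2025-52942 (and the voice replay in CVE-2025-52940), added here as example code rather than anything from Midnight Blue, Sepura or the SFPG; the frame layout, key and telecontrol payload are constructed, since the real E2EE SDS format is not on the page. It shows why an authenticity check alone accepts a captured control message every time it is re-sent, while a sliding anti-replay window (the IPsec-style mitigation) accepts it once.

```python
import hmac
import hashlib
import struct

# Constructed demo key; real TETRA E2EE key material is not on the page.
KEY = b"constructed-demo-key-not-a-real-tetra-key"
TAG_LEN = 16

def make_frame(seq, payload, key=KEY):
    """Constructed frame: 4-byte big-endian sequence number, payload, 16-byte MAC tag."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

def verify_mac(frame, key=KEY):
    """Authenticity check only: returns (seq, payload) if the tag is valid, else None."""
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(body) < 4 or not hmac.compare_digest(expected, tag):
        return None
    return struct.unpack(">I", body[:4])[0], body[4:]

class AntiReplayReceiver:
    """verify_mac plus a sliding window of consumed sequence numbers (IPsec-style)."""
    WINDOW = 32

    def __init__(self):
        self.accepted, self.highest, self.seen = [], -1, set()

    def receive(self, frame):
        parsed = verify_mac(frame)
        if parsed is None:
            return False
        seq, payload = parsed
        if seq <= self.highest - self.WINDOW or seq in self.seen:
            return False  # too old for the window, or already consumed: drop the replay
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.WINDOW}
        self.accepted.append(payload)
        return True

def demo():
    """Replay one authentic control frame three times; count how often each receiver acts on it."""
    frame = make_frame(7, b"OPEN CB-12")  # constructed telecontrol payload
    mac_only = sum(1 for _ in range(3) if verify_mac(frame) is not None)
    guarded = AntiReplayReceiver()
    with_window = sum(1 for _ in range(3) if guarded.receive(frame))
    return mac_only, with_window  # (3, 1)
```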
In addition, the company demonstrated the feasibility of malicious packet injection on TETRA networks (CVE-2025-52944). This finding impacts all TETRA users, as signalling traffic may be forged by an attacker. Downlink traffic injection is typically feasible using plaintext traffic, as Midnight Blue found radios will accept and process unencrypted downlink traffic even on encrypted networks. For uplink traffic injection, keystream needs to be recovered. Multiple methods exist, ranging from key recovery (for the TEA1 key) to keystream recovery (for TEA2, TEA3 and others) to coercing a radio to reveal uplink keystream through injection of carefully chosen downlink traffic. Such attacks should be prevented through ETSI’s mitigation for CVE-2022-24401; however, this fix was demonstrated to be insufficient (MBPH-2025-001), which implies that radios remain vulnerable to keystream recovery attacks.
The impact of CVE-2025-52943 is critical for networks that attempt to mitigate the vulnerability of TEA1 (CVE-2022-24402) through employing a dual-cipher (for example, TEA1 and TEA3) network. In such a scenario, the TEA3 network key can be trivially recovered, breaking confidentiality and exposing the network to packet injection attacks. Only when TEA1 is fully disabled, and all network keys have subsequently been renewed, does the risk cease to exist.
Networks that use TETRA in a data-carrying capacity are especially impacted due to the potential risks associated with packet injection, the company said. This allows attackers not only to intercept radio communications of private security services at harbours, airports and railways, but also to inject malicious data traffic used for monitoring and control of industrial equipment. Decrypting this traffic and injecting malicious traffic potentially allows an attacker to perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signalling messages.
Midnight Blue presented some of its findings at the Black Hat USA security conference on 7 August (the presentation slides are now publicly available) as well as WHY2025 on 11 August. The company’s implementation of the Sepura Embedded E2EE cryptographic primitives and protocol will be made public shortly, together with a technical white paper. Publication is currently scheduled for the end of August.