Did TETRA Have A Backdoor Hidden In Encrypted Police And Military Radios?

Encrypted communications are considered vital for many organizations, from military users to law enforcement officers. Meanwhile, the ability to listen in on those communications is of great value to groups like intelligence agencies and criminal operators. Thus exists the constant arms race between those developing encryption and those desperately eager to break it.

In a startling revelation, cybersecurity researchers have found a potentially intentional backdoor in encrypted radios using the TETRA (TErrestrial Trunked RAdio) standard. TETRA equipment is used worldwide by law enforcement agencies, military groups, and critical infrastructure providers, some of which may have been unintentionally airing sensitive conversations for decades.

Sneaky, Sneaky

Using an SDR and a regular laptop, TETRA transmissions using TEA1 encryption can be easily compromised. Credit: Midnight Blue

If you’re unfamiliar with TETRA, it’s a trunked radio system designed for professional use by groups like government agencies, emergency services, infrastructure and rail operators, and military and law enforcement. It’s uses time-division multiple access (TDMA) for channel sharing, and is capable of carrying both voice and digital data. It can be used in direct communication modes, or in a trunked system with switching where infrastructure is available. By virtue of its networked nature, it can provide far greater communication without the usual range limitations of handheld portable radios.

The researchers from Midnight Blue, a cybersecurity firm, were the first to perform a detailed, publicly-available analysis of the TETRA standard, which has turned up vulnerabilities within its underlying cryptography. TETRA features a number of encryption methodologies, all proprietary. The researchers uncovered a serious vulnerability specifically in the TEA1 encryption algorithm. 

Although not all TETRA radio users are using TEA1, those who do are likely at risk of having their communications intercepted and decrypted. TEA1 is primarily intended for commercial users. The three other encryption methods, TEA2, TEA3, and TEA4, have different intended applications. TEA2 is reserved for police, emergency services, military, and intelligence users in Europe only. TEA3 is restricted to similar users in countries considered “friendly” by the EU, like Mexico and India. Users in other countries, like Iran, are forced to make do with TEA1. TEA4 is another algorithm intended for commercial users, though is hardly used, according to Midnight Blue. 

The list of TETRA users is long, with the system used in 114 countries by 2009. While many have access to the stronger encryption methods, few would want to hear they use a compromised radio system. TETRA is used by police forces across the Middle East, including Iran, Iraq, Lebanon, and Syria, along with Polish and Finnish military forces. Dutch police are a major user too, and Midnight Blue has met directly with the organization to discuss the breach.

The Backdoor

The vulnerability, which has been termed a “backdoor” by the researchers, is essentially a “secret reduction step” in the encryption process. This reduces the initial encryption key’s entropy from 80 bits to just 32 bits. This makes cracking the key trivial with a modern computer. It enables an attacker to decrypt traffic easily with consumer-grade gear and a software-defined radio dongle for interception. This decryption process is not only swift, taking less than a minute, but also undetectable when done by a passive listener.

Notably, TETRA’s proprietary nature has meant that public analysis of its encryption has been difficult to pursue. Midnight Blue researchers got around this by simply purchasing a Motorola MTM5400 TETRA radio off eBay to perform their analysis. Code execution was achieved on the main application processor via a vulnerable interface, which then allowed the team to dive into the workings of the signal processing chip. The team was then able to reverse-engineer the cryptographic operations going on inside, and crack the TEA1 encryption wide open. The team have termed the series of vulnerabilities TETRA:BURST.

The team also developed a decryption oracle that affects all TETRA platforms, which can be circumvented with a firmware update. Credit: Midnight Blue

The controversy surrounding the intentional or unintentional existence of this backdoor has raised eyebrows. While the researchers insist on its deliberate design, the European Telecommunications Standards Institute (ETSI), responsible for the TETRA standard, refutes this claim, attributing it instead to export controls dictating encryption strength.

According to reports published by Wired, the 32-bit limit in the TEA1 algorithm was intended to meet export requirements for equipment to be used outside Europe. Brian Murgatroyd, chair of the body responsible for TETRA in ETSI, stated that at the time of development in 1995, 32-bit keys were still considered relatively secure. He also claimed that the most this would allow would be the decryption and eavesdropping of communications. However, Midnight Blue researchers point out that TETRA does not digitally sign or authenticate individual transmissions. Thus, once a radio is authenticated onto a TETRA network, it can inject any desired transmissions at will.

It’s a curious statement, though, given that the key reduction hack the group found was not publicly available. Ostensibly, TEA1 relied on 80-bit encryption. Regardless, there are hints that this weakness was well-known as far back as 2006. A leaked diplomatic cable regarding U.S. pushback on the export of Italian TETRA radio equipment to Iran noted that the encryption included was “less than 40-bits,” a threshold considered below the level suitable for military use. 

Regardless of intentionality, the possibility of the backdoor’s existence and its potential exploitation over decades cannot be overlooked.

What does this revelation mean for the countless entities using TETRA standard radios? For starters, it points to a significant and alarming risk to public safety and national security. Confidential and sensitive information could have been or could still be intercepted and decrypted by potential adversaries. This discovery also shines a spotlight on the inherent vulnerabilities in relying on proprietary cryptographic systems which cannot be easily scrutinized by external security experts. It also shows how international relations play a big role in technology exports, and tells us just how little different countries really trust each other.

The organizations affected by this vulnerability have significant challenges ahead. First and foremost, they need to determine the extent of potential breaches that might have occurred due to this backdoor. Given that this backdoor has been around for decades, this could be an arduous task with far-reaching implications. Additionally, these organizations will need to plan immediate countermeasures, such as implementing firmware updates and migrating to other TEA ciphers or applying end-to-end encryption to secure their communications. Notably, Midnight Blue has been long planning a talk at the 2023 Black Hat event on this very matter, but it has been listed under a redacted name to protect TETRA users while the group made disclosures to affected parties. 

However, the issue runs deeper than merely fixing this one vulnerability. The discovery has further fuelled the debate over the use of “closed, proprietary crypto” versus “open, publicly scrutinized standards.” In the interest of avoiding such security pitfalls in the future, organizations might have to reassess their security infrastructure and lean towards adopting open cryptographic systems, which can be vetted by external experts and the wider security community.

In conclusion, this revelation serves as a stark reminder of the inherent risks of proprietary cryptography and the urgent need for a shift towards more open, transparent, and scrutinized security standards. After all, in an increasingly interconnected world, the cost of complacency towards cybersecurity can be catastrophically high.

 

42 thoughts on “Did TETRA Have A Backdoor Hidden In Encrypted Police And Military Radios?

  1. How are the affected organizations planning to address the potential breaches and vulnerabilities resulting from the TETRA backdoor, and what steps are they taking to secure their communications going forward?

  2. > While the researchers insist on its deliberate design, the European Telecommunications Standards Institute (ETSI), responsible for the TETRA standard, refutes this claim, attributing it instead to export controls dictating encryption strength.

    First of all, I would like to make a vain last-ditch plea to try to save the meaning of the word “refute”. If you say somebody “refutes” a claim, it means that THEY DISPROVED IT AND YOU ACCEPT THAT THEY DISPROVED IT. Using it means that the person doing the “refuting” was RIGHT AS A MATTER OF FACT. If you do not mean to indicate that, you’re supposed to use “disputes”. Unfortunately this is probably a lost cause, since at some point journalists started copying each other in using it wrong, and I’m afraid the word is totally lost now.

    Secondly, that’s what a back door IS. Unless they specifically TOLD everybody they sold it to it that it was weak, it’s a back door. They’re not saying there’s no back door. They’re OPENLY ADMITTING that they intentionally put in a back door, and giving an excuse.

    Oh, and that bit about people considering 32 bits secure in 1995 is a barefaced lie. Apparently this “Brian Murgatroyd” person is a real piece of garbage.

    1. A noble defense of the definition of a word (however futile) warms my heart every time, and so does the calling-out of duplicitous PR from companies or regulatory bodies.

    2. Secondly, I would like to make a vain last-ditch plea to people who MAKE UNNECESSARY USE OF CAPITALS in posts. There was once a time that it was considered bad netiquette (anyone remember that?) and the textual equivalent of shouting to make a point. Let’s keep online discourse as calm, kind and sane as possible, please. If you came across someone RANDOMLY SHOUTING LIKE THIS in real life you’d cross the road to avoid them.

      This post is brought to you by the em tag.

      1. This isn’t the first time I’ve heard about buyers of crypto being surprised by that… which means that at least some people did *not* know, and they needed to specifically bring it to the attention of each buyer. Especially after all that sstuff had faded from the radar over the course of 25 years. They did not meet their ethical obligation to make sure their customers were properly informed. And yes, they *did* have such an obligation.

        Also, the “export limit” was 40 bits, not 32.

  3. This is what export controls mean. Maybe they weren’t explicit about it, but if you are in certain countries, any device you import in from the US, EU, or similar places is going to give you limited security. It would be illegal to export them at all otherwise. It’s not a back door if that’s the design intent.

    1. Only half true, if a device is marked consumer electronics there is a limit on encryption level, slightly better encryption is possible for only industrial devices…
      You can import and sell top secure devices, only you need to prove it’s sold to a limited marked and without the possibility to resell these devices.

      1. Why would any sane person buy such a device from a nation that openly said that’s what they are doing.

        Even in the USA, get your crypto software from somewhere not controlled by the NSA. Open source is hitting on all cylinders here, just be conscious of GPL, so you can stay in business. No reason to hit that ghetto. BSD licensed!

  4. I would also say that monocultures in the world is the major problem. Greater diversity (polyculture systems) would help make the cost to the intelligence community prohibitive.

    Imagine a world where two or more people communicating privately have the option to select from a list of thousands of encryption algorithms with full authentication, authorization, accounting. Ideally with the option to double or triple encrypt the data being transmitted with multiple encryption algorithms. Or even the ability to change the encryption algorithms used on every data packet transmitted.

    One major problem with central standards organisations is they they always produce solutions that are monocultures, which ultimately reduce costs for all intelligence communities around the world.

    1. Sounds like interoperability hell.
      So 100% vendor lock-in with patented algorithms and implementations.

      Amusingly TETRA DOES supports using other algos than the provided one’s.
      It can run on the radio firmware separately, as software on the TSIM (fancy TETRA SIM card) or as a hardware implementation on the TSIM.
      And that can then be used in E2EE mode so that even the network operator cannot open it while it is in transit.
      It’s just that people like interoperability and the option of having a heterogenous fleet of radios.
      So the standard algos are the most commonly used one’s.

      1. > Sounds like interoperability hell.
        If done well, it should be transparent.
        But think about it, does a police force based in the highlands of Scotland really need to be using the exact same encryption algorithms for 100% interoperability as a police officers in Rome ?

        1. They do, if they don’t want to pay extra for the priviledge of having a wide choise in equipment vendors and models.
          Instead of vendor lock in to their provider of their unique snowflake crypto system.

          That said, I think BOS in Germany runs their own crypto in a way that the handsets will not interop with Italians on that crypto suite.
          And they do even have theor own hardware revisions like Motorola MTP850FuG handhelds that are only manufactured for them.

          1. To get some things straight:

            Interoperability between countries with different cypher suites is defined in the ETSI TETRA standard by means of special gateways.

            The MTM850 has been sold all over the world but it’s outdated, out of production, out of service. We are currently on generation n+2. The radios with appendix FuG are technically the same as those without. Only the keys differ.

  5. Dang, this is gona make Motorola MTM5400 availability on eBay even worse now.
    It is among the best radios for making linkined amateur radio TETRA DMO single channel repeaters.
    As it can “join in” on the transmissions being repeated, unlike most other easily and affordable available options.
    So only a single radio and a suitable audio + PEI interface is required.
    Instead of one repeater radio and then a second radio for getting the demodulated audio to and from the repeater traffic.

    Anyone up for rewriting the protocol stack in hamtetra to be more sane?
    https://github.com/rats-ry/HamTetra
    Turns out that osmocom’s osmotetra was made for receiving TETRA and not for extending into a proper SDR DMO rpeater or TMO TBTS solution with strict timing requirements.

    The SDR DMO repeater works, but not reliably with all brands and models.

    Still, it is the only FOSS TETRA DMO implementation out there in the wild.

  6. ” 1995, 32-bit keys were still considered relatively secure” – no it wasn’t. It was known a the time as being extremely weak even with current hardware.

    I was doing a lot with encrypted stuff in 1995, and running into export warnings and harassment. One thing I had was a software product using the (then new) blowfish algorithm – thanks Bruce! – and not only did I get warnings that I wasn’t allowed to put it on a web site, I got yelled at to not distribute it even in my own country (Aus).. Which I did anyway (in Aus)..

    It was all stupid, as the algorithm had been published in DDJ, and any group who wanted to be able to encrypt files could just write their own program (and use the test data to check it).

    I can see exactly the same conversation going on with TETRA. But if a ‘bad’ country wants secure comms, it wouldn’t be that hard from them to roll their own solution – and no amount of export controls is going to stop it..

    1. And if IIRC, the Blowfish algorithm and OpenSSL implementation was developed outside of the US and not subject to its idiotic export restrictions. They wouldn’t have had a legal leg to stand on in countries where those restrictions were irrelevant.

  7. It would be interesting if the cyber security act will influence this… I mean, you , as am mfg, need to protect your customers private “data” (read l: information) now, it isn’t secure because of governmental influence… So there’s someone to sue because of “lost” private information and money (read engineering hours).

  8. Open but obscure and unscrutinized encryption is no better than proprietary encryption. Practically there’s no difference. Once either one of them are exposed, they either stand up, or fall. There aren’t enough skilled eyes to audit all systems. Proprietary but actively independently audited encryption systems not only have eyes on it, but also have the additional obscurity element, which will mean the only people attacking it are highly skilled. Script kiddies and those looking for quick payouts will look elsewhere. Open and actively audited systems are, as a practical matter, the same as audited proprietary systems. Again, in either case, if they’re broken the end effects are the same. Simply trying to argue that proprietary systems alone are inherently insecure is disingenuous. The key is having skilled eyes in either case… and having a security plan that doesn’t entirely depend on a single encryption system remaining secure now and in the future because it’s inevitable either some mistake is going to be found in the protocol or implementations, or someone is going to lose the keys.

    1. Skript kiddies will brag about their achievements, and people trying to make a quick buck likely have to take their ill-gotten warez to some market or other. In other words: They’ll act as a canary your system isn’t up to snuff. If you pay attention, you notice.

      The “highly skilled” people are those you _least_ want to crack your proprietary encryption, because they’ll take the intelligence yield and sit on it until the risk of detection is worth the gain. Or they’ll mitigate around it with “parallel construction” or somesuch, so you’ll never know you’ve been compromised, leaking secrets all over for those with eyes to see. Either case, you’ll end up properly fucked up.

      The thing about open encryption algorithms is that they tend to get a lot more scrutiny than proprietary ones, so that “oops, backdoor” is much more likely to get out. Proprietary encryption with private audits, well, who knows what the auditing company isn’t telling you. Like that they’re taking double the money from some TLAgency to neglect to mention something to you. Which could easily be worth it to them.

      So I think you missed a point or two in your argument. Or maybe you really don’t understand what’s really at stake here, which is not the encryption but the information that’s supposed to stay secret. Or perhaps you do, but you’re trying to pull a fast one, with the wool.

  9. So… they sold backdoored crypto to the Iranians. Seems like a good hack to me! I imagine listening in has saved a lot of lives over the years.

    The only issue is if the police and EU military algorithms have a backdoor. I’m guessing not.

  10. > Notably, TETRA’s proprietary nature has meant that public analysis of its encryption has been difficult to pursue.

    Wow, that’s silly. TETRA couldn’t be more open, you can get the specification for free, unlike ISO standards. The encryption is proprietary but it’s optional.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.