TETRA Radio Vulnerabilities

12176559283?profile=RESIZE_400xFive vulnerabilities, two deemed critical, have been found in the Terrestrial Trunked Radio (TETRA) standard.  TETRA is the most widely used police radio communication system outside the US.  It is used by fire and ambulance services, transportation agencies, utilities, military, border control, and customs agencies in more than 100 nations globally and by the UN and NATO.

The vulnerabilities were discovered by cybersecurity firm Midnight Blue (Amsterdam, Netherlands) with funding from NLnet as part of the EU NGI0 PET fund.  Midnight Blue reverse-engineered the proprietary TETRA Authentication Algorithm (TAA1) and TETRA Encryption Algorithm (TEA) and analyzed them for the first time.  In this process, they discovered a series of vulnerabilities called TETRA: BURST.

The firm has announced basic details but will provide full technical details during upcoming security conferences, including Black Hat and DEF CON, in August 2023.  “We have spent over two and a half years on our TETRA research, including a coordinated disclosure process that lasted over one and a half years.  We will fully disclose our research results and present our work at various conferences throughout the year,” say the researchers.[1]

The five vulnerabilities are:

  • CVE-2022-24401, critical: allows decryption oracle attacks leading to a loss of confidentiality and authenticity.
  • CVE-2022-24402, critical: a backdoor in the TEA1 encryption algorithm allows trivial brute-forcing on keys leading to a loss of confidentiality and authenticity.
  • CVE-2022-24404, high: lack of authentication on AIE, allowing malleability attacks leading to a loss of authentication.
  • CVE-2022-24403, high: weak obfuscation on radio identities allowing user deanonymization.
  • CVE-2022-24400, high: a flaw in the authentication algorithm can lead to a loss of authenticity and a partial loss of confidentiality.

Midnight Blue calls out the first and third vulnerabilities as of immediate concern. “This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.”

The company also raised concerns over the TEA1 encryption backdoor, which could pose a serious risk to critical infrastructure operators and their industrial control systems (ICS).  “By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic for monitoring and controlling industrial equipment.  For example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN).  Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signaling messages,” Midnight Blue explains.  Patches and mitigations (such as the use of E2EE) are specified.

William Wright, CEO of Closed Door Security, commented, “This is an extremely concerning discovery from security researchers.  No critical or trivial system should ever be marketed or deployed without continuous and proactive security testing.”  It seems that too much reliance on security was placed on the proprietary nature of the TETRA standard.

He points out that since criminals are constantly looking for weaknesses in systems, they can exploit to gain access to data, there is a possibility these bugs have already been discovered and used in the wild.  “Furthermore,” he adds, “given the types of industries that rely on TETRA radio communications, this could have given adversaries access to sensitive information that could be extremely dangerous in their hands.”

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

Reporting: https://www.redskyalliance.org/
Website: https://www.redskyalliance.com/
LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632  

 

[1] https://www.securityweek.com/tetra-radio-standard-vulnerabilities-can-expose-military-comms-industrial-systems/

 

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!