20.5k unique visitors in the last 3 days

Serious Privacy Flaws Found in Comms System Used by Police and Other Key Services Worldwide

TETRA is an ETSI system for secure comms used in over half of all countries. Dutch researchers identified five vulnerabilities.

There has recently been a lot of fuss about law enforcement agencies wanting new backdoors that would allow them to decrypt private communications. So it must come as an embarrassment that many police forces and other vital services have spent the last quarter of a century communicating through a system that is supposed to have end-to-end encryption but which contains serious security flaws, including a backdoor that was intentionally included in one specification. Wired reported that a small team of Dutch security researchers called Midnight Blue have identified five vulnerabilities with the TETRA terrestrial trunked radio system developed by the European Telecommunications Standards Institute (ETSI), including a backdoor that would have been known to TETRA vendors. However, it is not clear if all vendors have taken sufficient steps to warn customers and upgrade systems to address the vulnerabilities.

According to Wired, the backdoor will be a problem for commercial users of TETRA who rely on the TEA1 encryption algorithm; different TEA algorithms are used in systems for other kinds of customers. Such commercial businesses typically operate energy infrastructure, railways and other forms of public and freight transport. The backdoor sits within encryption algorithms embedded in radio devices using the TETRA standard. If exploited, the consequences could be severe.

It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipelines flows, or reroute trains.

The TEA encryption algorithms use 80-bit keys as standard but TEA1 has a feature which reduces the key to 32 bits. This is insufficient given the degree of computing power now available to anyone who can afford a laptop. The Midnight Blue website describes the shortened TEA1 key as…

…trivially brute-forceable on consumer hardware in minutes.

A representative of ETSI has defended the 32-bit encryption by suggesting bad actors would ‘only’ be able to intercept voice and data comms between base stations and the devices authenticated to the network. However, some security experts say that once the key is cracked then hackers would be able to authenticate their own devices to the same network, allowing them to send their own communications too.

A different vulnerability affects all versions of TETRA, including those exclusively sold to police forces, intelligence services, military forces, prisons and emergency services. Dutch authorities assumed responsibility for warning counterparts worldwide after they learned from the researchers that this vulnerability affects systems used by their police, fire service, ambulances and Ministry of Defense. Per Midnight Blue, the root of this vulnerability is that:

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

In other words, the time when communication occurs determines which characters are used for encrypting the comms between all the devices operating at that moment. Both a base station and any connected radio need to synchronize to the same time in order to communicate with each other. If a hacker intercepted the unencrypted comms about the network time, they could then use their own systems to impersonate a base station. The bogus base station would be able to fool any connected devices into believing the time is whatever the hackers say it is. Knowing the timestamp that applies to the comms received from a radio device gives the hackers a crucial advantage when they seek to decrypt the messages received from connected devices.

Midnight Blue has promised to reveal more details about their TETRA research next week, during a ‘Redacted Telecom Talk’ at Black Hat Las Vegas. In the meantime, you can learn more about the other vulnerabilities they identified from the Midnight Blue website and from this article in Wired.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email