Vulnerabilities in TETRA radio networks
cryptomuseum.com> Two of the vulnerabilities are deemed critical. One of them appears to be an intentional backdoor [...] Reading the contents of a firmware upgrade is not trivial though, as it is heavily encrypted and relies on a Trusted Execution Environment (TEE), embedded in the core processor of the radio.*
I don't know whether the backdoor allegation is correct, but unfortunately we should treat opaque ostensible security with skepticism.
By their nature, such things often can be used for our protection at the same time they are secretly used against us.
Isn't the time for the generous qualifiers long past? Such, often, can, our protection, unfortunately, skepticism... There is a good track record by now. Something like:
"under the guise of protecting trade secrets and swear words in the code, the code encryption actually protects crappy code stuffed with vulnerabilities (i.e. future entry points available to the right friends and foes) and backdoors (some forgotten and some very much not)". And in this case "future" was a while ago.
The newsworthy item here is that this is an intentional backdoor. The wikipedia pages list the specific uses per country and department. https://en.wikipedia.org/wiki/Terrestrial_Trunked_Radio#Usag...
Do you remember when cryptography export was controlled? It was implemented by limiting key size to certain number of (effective) bits (of security). This suite is just a victim of that law, as it is a 1990s design.
It's not "just" a victim of that law unless they disclosed that the export cryptography protocol was trivially breakable. Export cryptography in the 1990s US was documented.
To quote https://www.cryptomuseum.com/crypto/algo/tea/1.htm:
> The algorithm was developed in 1996/97 at Philips Crypto BV in Eindhoven (Netherlands) as a consultancy job for ETSI-SAGE. As the algorithm is secret, it has never been submitted for peer-review or in-depth security analysis. Instead it was evaluated by other ETSI-SAGE members before being submitted as a formal ETSI standard. All members of the TEA family, use an 80-bit key, but in the case of TEA1 it is effectively reduced to 32 bits, which makes it vulnerable to a brute-force attack. According to one of the developers, this was mandatory to get the algorithm approved for export. It was part of the ETSI specification and was clearly visible in the code [3].
And when people were saying it was a stupid thing? This is one of the many examples that prove it.
Reading the wiki page, it seems to be a European standard. The law you are referring to sounds like a US law.
American encryption laws did not exist in a void. According to this website, one person who was working on the standard indicated that the key space had to be reduced to allow for export.
Take, for example, this old article discussing French law in the late 1900s: https://web.archive.org/web/20000118230559/http://www.opengr...
French cryptography exports required authorisation if the key strength was higher than 40 bits. With its 80 bit keys, the TETRA key space would've been too big to qualify for free exports.
As TETRA is part of an ETSI standard, it seems pretty likely to me that one of the European countries had a 32 bit restriction, and TETRA might as well pick the lowest common denominator when it comes to selecting a backdoor.
Sounds like they took the "roll your own and don't tell anyone how it works" approach. Security by obscurity is never security. History has shown that the open encryption standards are the most secure.
It's more of intentionally reducing the keyspace when generating keys. You can use weakly generated keys with industry-standard encryption algorithms. When your 4096-bit key is only 32 bits, it doesn't matter how well-trusted the algorithm is.
I just skimmed the paper but it looked to me like the key generation is the same in all profiles, but the TEA1 case has a key setup that compresses the generated key down to 32 bits.
The researchers found several problems. The backdoor seems intentional, but the others do not. They broke the TAA protocol.
And yet this one lasted 30 years. That's far longer than most open encryption algorithms continue to be deemed secure.
Obviously you can debate wether having it 'appear' secure for longer before someone publishes details of the flaw is more important or not...
> And yet this one lasted 30 years.
What do you mean lasted? If it is an intentional backdoor, it was vulnerable (to those who knew the backdoor) from day 1, so it was never secure let alone 30 years.
The TEA1 key compression weakness may have been known to intelligence agencies as early as 2006. See https://www.cryptomuseum.com/radio/tetra/ under section "Compromise".
It lasted 30 years in the sense it hasn't been publicly broken before.
We don't know how many intelligence agencies have found some of these and are happily listening in on "secure" communication, concealing that fact successfully.
This argument holds for any non-disclosed vulnerabilities, however.
Aren't these encrypted radios mostly for cops?
I mean, this is embarrassing - but who cares if the secret police are spying on the regular police?
Seems this was a general export item resulting from the 1990's crypto restrictions. The article mentions 100 countries using them. That would be agencies for whom it didn't matter, yes, (ambulance, corp security, etc) - but also everyone else who could not afford anything better but for whom security actually mattered. Not every country can afford to roll their own for this kind of stuff.
Does the FBI use these? The FBI is tasked with counter intelligence, and for a spy it could be highly relevant to learn if they are being targeted.
Federal stuff is going to be p25 phase 2, usually AES encrypted. Harris or Motorola, and at one point Thales (previously Racal.)
Some other brands end up being used like cobham or bendix but those are usually for aviation.
Tetra isn’t used by us LE. There are military encryption schemes, some of which are classified or controlled occasionally used by feds. Mostly tho you're looking at encrypted voice over data using mobile phones tho. Cellcrypt Inc, for example. Not many investigators lug around a radio to call agents in the field unless they need interoperability with other agencies or tactical communications using local infrastructure.
During the Obama inauguration the Thales liberty triband was used with AES. I think most agencies dumped the Thales Libntry for Harris tri band radios or Motorola now, which is sad because as a result the liberty is basically a dead end platform
Whose secret police are spying on the civilian police.
Is it more concerning if it’s the Russian secret police spying on the Kyiv police?
The publicly known attacks are recent, yes.
I know some group had it pwned at least 2010-ish. But won't elaborate.
And I'm sure they weren't the first, nor the only ones.
> And yet this one lasted 30 years.
Main goal of security through obscurity is the hindrance. Make it slower and harder to to detect possible vulnerabilities.
So indeed, there is something to debate.
But I guess it helps only against those with limited resources, not against nation states.
This is analogous to physical security doors. They are considered passive security, since they are a deterrent, and are rated by the numbers of hours they are expected to hold up against hand tools.
Is it still true that nation states are at the forefront of innovation and the largest security threats? At least in the United States, I'd be surprised to learn that their best and brightest minds are working in three letter government agencies when they can work in industry for more money and less bureaucracy.
Does one need the best and brightest minds to break crypto? Or does it just take a lot of full-time regular minds?
Because the academic/opensource communities famously don't have many hours to dedicate to the cause.
> Because the academic/opensource communities famously don't have many hours to dedicate to the cause.
People in academics dedicate their lifes for this. Who has more time?
Yes. Additionally, there are extensive public/private partnerships.
> Main goal of security through obscurity is the hindrance
No, the main goal is to obfuscate just how incompetent the authors of the spec are, and how clearly they illustrate Dunning-Kruger.
> No, the main goal is to obfuscate just how incompetent the authors of the spec are
If you agree that it obfuscates the meaning of the author’s work, then it also slows down other things recursively…
Obscurity should never replace security, but it can and does augment security by increasing the cost to even study the security.
The bigger issue here is that there's an intentional vulnerability.
Security has many layers. Obscurity can be one of them.
Obscurity can certainly be part of defense in depth, but it unequivocally does not make anything more (meaningfully) secure.
For example, hiding the fact that your data is encrypted with AES doesn’t make an attacker any more likely to be able to break AES. Similarly, hiding the fact that you use a weak encryption algorithm doesn’t keep an attacker from breaking it.
You can't easily put backdoors in cryptographic algorithms that can be audited
You certainly can.
^ this post brought to you by RSA, ANSI, ISO, NIST, the NSA, and the authors of DUAL_EC_DRBG
/s
... Which iirc was immediately identified as suspicious during auditing.
And yet became a official standard anyway, and was occasionally actually used, despite the fact that is was obviously backdoored to anyone who knew anything about (elliptic-curve) cryptography. (It's literally a textbook-exercise leaky RNG, of the sort that you would find under "Exercise: create a elliptic-curve-based RNG that leaks seed bits within N bytes of random data." in a actual cryptography textbook.)
You don't really need to understand elliptic curves to understand Dual EC. It's a public key RNG. The vulnerability is that there's a matching private key.
True, but my parenthetical was covering the opposite issue: it's possible to not realise DUAL_EC_DRBG is broken (rather than impossible to realise it) if your only knowledge of cryptography is, say, hash functions and stream ciphers (so you don't recognise public key cryptography from looking at it). It's unlikely, because DUAL_EC_DRBG is really obviously broken, but I wouldn't fault someone who knew nothing about elliptic-curve cryptography for missing it, even if they were familiar with other types of cryptography. (I would fault them for claiming that it's secure, rather than recognizing that they don't know enough to evaluate its security, but you can't conclude something's backdoored just from that.)
The assertion I was refuting was that they couldn't be easily inserted into an audited library, not that they wouldn't be detected.
The interview that is linked[0] in the footnotes of the article with the person from ETSI is absolutely wild... Some excerpts:
> kz (interviewer): How did it go about meeting those requirements, because that's the one they're saying has a backdoor in it. Was that the condition for export?
> BM (ETSI): Backdoor can mean a couple of things I think. Something like you'd stop the random number generator being random, for instance. [But] what I think was revealed [by the researchers] was that TEA1 has reduced key-entropy. So is that a backdoor? I don't know. I'm not sure it's what I would describe as a backdoor, nor would the TETRA community I think.
...
> KZ: People ... believe they're getting an 80-bit key and they're not.
> BM: Well it is an 80-bit long key. [But] if it had 80 bits of entropy, it wouldn't be exportable.
...
> kz: You're saying 25 years ago 32 bit would have been secure?
> BM: I think so. I can only assume. Because the people who designed this algorithm didn't confer with what was then EP-TETRA [ETSI Project-TETRA is the name of the working group that oversaw the development of the TETRA standard]. We were just given those algorithms. And the algorithms were designed with some assistance from some government authorities, let me put it that way.
...
> bm: That's what we now know yeah - that it did have a reduced key length.
> KZ: What do you mean we now know? SAGE created this algorithm but the Project-TETRA people did not know it had a reduced key?
> BM: That's correct. Not before it was delivered. Once the software had been delivered to them under the confidential understanding, that's the time at which they [would have known].
...
You've really got to wonder who at ETSI gave the thumbs up on doing this interview.
0 - https://www.zetter-zeroday.com/p/interview-with-the-etsi-sta...
The researchers added a footnote explicitly refuting the claim that 32 bit keys were secure 25 years ago, too.
> The Midnight Blue researchers have since demonstrated real-life exploitations of some of the vulnerabilities, for example at the 2023 Blackhat Conference in Las Vegas (USA). They have shown that TETRA communications secured with the TEA1 encryption algorithm can be broken in one minute on a regular commercial laptop and in 12 hours on a classic laptop from 1998 [III].
In the mid-late 90s, 40-bit encryption was common due to US export control restrictions, and even then, that was thought to be insecure against a nation state attacker.
In 1998, the EFF built a custom DES Cracker[0] for around $250k that could crack a 56-bit DES message in around 1 week. As was the custom at the time, they published the source code, schematics, and VHDL source in a printed book to evade (and, I guess, mock) export restrictions.
(If that's the case I'm thinking of) it was actually documented as a challenge to export restrictions, mocking them was merely a pleasant byproduct.
The EFF's legal challenge was essentially that if crypto is a munition, then this printed book explaining the crypto is also at least as much of a munition, if not more so. They gave the judge the choice between deciding that a printed book is some sort of deadly tool, or deciding that crypto wasn't conceptually a munition. Strangely, the judge ruled in the EFF's favor.
That was Phil Zimmerman’s book containing the PGP source whixh was published a few years before the Deep Crack book. https://philzimmermann.com/EN/essays/BookPreface.html
What exactly were TETRA radios used for? I assume they were government/infra related, but then I don't understand why they'd need to backdoor the keying
They are used for many things, like fire, ambulance, railways, harbour operations, police, military, coast guard, and so on.
The weaker cipher mode, TEA1, is used when selling the radios to anyone who may not necessarily be an ally or highly trusted. This is the legacy of strong crypto being export-controlled.
It was public that these ciphers were weaker, but they were actually much weaker than advertised. This is the backdoor.
They don't so much backdoor the keying as that they have 4 different cipher profiles, and the one approved for global rather than European use (TEA1) compresses the key from 80 to 32 bits.
It's essentially a surreptitious version of what the US did in the 1990s with "export ciphers".
Which makes me question describing this as a "deliberate backdoor."
It's pretty clearly a deliberate backdoor.
And that is supported by the known past actions of "some government authorities". This is definitely not the first time the US government has deliberately sabotaged crypto.
This isn't an American product.
It's deliberate in making the crypto so weak that our guys can decrypt their guys' radio traffic.
How's that not a backdoor?
I think the most relevant use in the context of deliberate backdoor is its use by police and military forces. Apparently some energy providers also use it for remote controlling tasks (no voice).
There was also the Dolphin network in the UK, offering a public national subscription TETRA network. It didn't prove commercially viable.
https://www.rcrwireless.com/19980309/archived-articles/dolph...
Some time ago there was a github repo online that has all teaX and hurdle algorithms code, and also ta61 identity encryption algorithm mentioned by Midnightblue. https://web.archive.org/web/20230213001503/https://github.co...
https://web.archive.org/web/20230213001335/https://github.co...
In 2023 you're telling me that some emergency vehicles are happily rocking encryption protocols with 80-bit, wait actually, 32-bit keys? These are all cases of systemic procrastination. We're talking about emergency vehicles here though, so: neglect.
Nobody is surprised these protocols have been broken, it should not be a surprise, and having some kind of panic reaction should be considered either a charade or a case of abysmal management.
I heard about this some time ago... the timeline shows the sources should be available from august this year, but nothing yet on github ( https://github.com/MidnightBlueLabs/TETRA_burst )
The fact many armies use this (including my own country's) is mind boggling. Didn't they request the technical details of the encryption and the source code and have it vetted properly before awarding the tender for these devices? /sarcasm
> The vulnerabilities were discovered during the course of 2020, and were reported to the NCSC in the Netherlands in December of that year. It was decided to hold off public disclosure until July 2023, to give emergency services and equipment suppliers the ability to patch the equipment.
Interesting discussion about responsible disclosure. It seems a strange belief that you can tell all the radio operators about the vulnerability without also telling exploiters. Aren't they often one and the same? What's a reasonable approach here?
> It seems a strange belief that you can tell all the radio operators about the vulnerability without also telling exploiters
I suspect that there was an update (or replacement) to the radios that was generally described as an ordinary update / maintenance.
Do you also suspect that the patch was generally ignored because nobody knew it was important?
Should the vendor be allowed to continue to sell models they know are compromised while their competition loses those contracts? Shouldn't there be some consequence for such fraud?
Immediate public disclosure.
I'm inclined to agree. I'm not comfortable with the way this unfolded.
> The Dutch NCSC (NCSC-NL) was informed in December 2021, after which meetings were held with the law enforcement and intelligence communities, as well as with ETSI and the vendors. Shortly afterwards, on 2 February 2022, preliminary advice was distributed to the various stakeholders and CERTs. The remainder of 2022 and the first half of 2023 were used for coordination and advisory sessions with stakeholders, allowing manufacturers to come up with firmware patches, updates or workarounds.
This reads to me as if malicious parties were notified some 18 months before users were notified.
Depends on who the stakeholders were.
Does it? Intelligence agencies were among the first informed. Those are the bad guys.
I know "bad guys" is a harsh phrasing, but when it comes to encrypted communication, they are literally the definition of the adversary. Anybody in intelligence that doesn't play for my team is a "bad guy". And since everybody belongs to multiple conflicting teams, even a person who plays on one of my teams is a "bad guy" from the perspective of my other teams.
If the first place you go with a disclosure is to the intelligence community, you are hurting users.
TL;DR: The only newsworthy vulnerability is the breaking TEA1 - which is anyways the least secure of them all and only intended for commercial use (that is, no emergency services).
The question is, did things like emergency services actually use the higher levels, or did they just use TEA1?
It's kind of like saying...
Vendor: "We support up to 1 zillion bit encryption!"
User: "What's the default out of the box?"
Vendor: "10 bit"
> TL;DR: The only newsworthy vulnerability is the breaking TEA1
This is IMHO a very unfair TLDR; . The news is that the researchers claim that there is deliberate backdoor, which ETSI denies. If it is true, there cannot be any further trust in other proprietary parts as well.
Some installations have additional cryptography.
Which alone implies that the Tetra crypto security theatre is well known in that industry, and isn't a surprise to vendors in the slightest.
It appears to be used for infrastructure, including things like power and transportation signals here in the US.
Are you sure? TETRA uses frequency-hopping spread spectrum, which requires a much wider contiguous bandwidth allocation for this modulation and use. That allocation doesn't exist in the US.
The lack of any large allocation for this kind of radio is a big part of why US first responders are stuck with P.25, which is narrowband FM. If there were a wide-enough band in which it could be used, a lot of first responders would have bought TETRA radios a long time ago. P.25 is easy to jam by brute-force power output, and trivial if you directly attack the error correction bits. TETRA and FHSS have a much much larger ratio of attacker transmit power to victim transmit power.
https://en.wikipedia.org/wiki/Project_25#Jamming_vulnerabili...
(FWIW, P.25 is an even worse dumpster-fire than TETRA...)
Googling “MTA Tetra” turns up a pile of articles about the deployment of TETRA trunked radio for communications in the NYC bus fleet and Staten Island Railroad. And in those articles there’s some controversy about the spectrum and interference issues. I don’t know where else they use TETRA, just that they were cited in some of the original articles about the vulnerabilities.
Ah, looks like they created a much lower-power TETRA in a different band for North American use (search for "low power tetra"):
https://www.powertrunk.com/pressroom/tetra-in-north-america/
That's cool, but it's going to be a niche use at those power levels. One of the things that make TETRA and P.25 so attractive is that you can put a huge, high-power repeater on a hill or tall building and cover a big chunk of a city using (fairly) small low-power handsets. Then multiple agencies (police, fire, spooks, clowns) can all use that repeater and share the cost burden.
The power-limited version looks like it'll always be a fairly niche single-agency-in-single-jurisdiction use. So the threat, while technically not zero, is not at the five-alarm-fire level that it is in Europe.
Edit: also looks like MTA bought their own spectrum license just for this one use:
MTA owns licenses in 700 MHz and 800 MHz
Hogwash, I think it's worth noting that this European system was intentionally backdoored.
Everybody plays the espionage game, Europe really is no exception, they just like to use the US to keep their hands (mostly) clean.