European radio standard TETRA has had a baked in vulnerability known for years by the vendors: Open standards are a better way to go

Close view of man's hands behind his back, holding a two-way radio

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or re-route trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

While the TEA1 weakness has been withheld from the public, it’s apparently widely known in the industry and governments. The issue really is that these proprietary algorithms are not subjected to the scrutiny that the open standards ones are. With a proprietary algorithm you are placing all your trust in only that vendor, and if they know about a vulnerability for years without telling you, you’re just not going to know. But as we’ve seen many times, that does not mean someone else has not found it, and may be quietly exploiting it for a long time already.

As we also see in this very linked article, governments are no more trustworthy, as they will deliberately sell something with vulnerabilities to another country, which they think they can maybe later exploit if the need arises.

An open standard is interrogated publicly to find potential weaknesses. It is why so many researchers say it is better to adopt open standards encryption algorithms which are proven, rather than to try to be clever and develop your own one.

TETRA is also used widely in South Africa by emergency personnel. It is anyway always better to assume someone is listening in on your radio messages, than to think it is 100% secure. The advice to TETRA radio users is to check with their vendors where any patch or mitigation is available.

See https://www.wired.com/story/tetra-radio-encryption-backdoor/

Comments