Dutch Researchers Uncover Serious Vulnerabilities in TETRA Technology

Dutch cybersecurity researchers from Midnight Blue have disclosed a set of serious vulnerabilities, collectively known as TETRA:BURST, in the widely used Terrestrial Trunked Radio (TETRA) technology [4] [5]. These vulnerabilities pose a threat to public safety and could be exploited by hackers. TETRA is extensively used by government entities and critical infrastructure sectors [1].


The TETRA:BURST vulnerabilities range in severity from low to critical [1]. One of the most severe allows decryption attacks without knowledge of the encryption key [1]. Another critical flaw enables attackers to inject data traffic used for monitoring and control of industrial equipment [1]. The cryptographic scheme used to obfuscate radio identities is weak [1], allowing attackers to deanonymize and track users [1]. Additionally, the lack of ciphertext authentication on the Air Interface Encryption (AIE) allows for malleability attacks [1].
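The malleability point above, as an added example that is not from the researchers or from any TETRA implementation: a keystream cipher with no ciphertext authentication accepts a frame modified in transit, while the same frame under encrypt-then-MAC is rejected. The keystream generator, keys, nonce and message are constructed stand-ins, not TETRA algorithms or traffic.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (SHA-256 in counter mode); NOT a TETRA algorithm.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encrypt and decrypt are the same XOR; there is no integrity protection.
    return xor(data, keystream(key, nonce, len(data)))

def flip(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # In-transit change: XOR in the difference between two equal-length
    # plaintext fragments. No key material is involved.
    delta = xor(old, new)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, pt: bytes):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = stream_crypt(enc_key, nonce, pt)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    # Verify before decrypting; a modified frame is dropped (returns None).
    want = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return stream_crypt(enc_key, nonce, ct)

def demo() -> dict:
    enc_key, mac_key, nonce = b"E" * 16, b"M" * 16, b"frame-0001"  # constructed
    msg = b"level=040;unit=7"                                      # constructed
    ct, tag = seal(enc_key, mac_key, nonce, msg)
    forged = flip(ct, 6, b"040", b"090")
    return {
        "unauthenticated": stream_crypt(enc_key, nonce, forged),
        "authenticated": open_sealed(enc_key, mac_key, nonce, forged, tag),
        "untouched": open_sealed(enc_key, mac_key, nonce, ct, tag),
    }

if __name__ == "__main__":
    print(demo())
```

The receiver without a tag check decrypts the altered frame to a well-formed message, which is why integrity has to be verified before the plaintext is used.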

The impact of these vulnerabilities depends on how organizations use TETRA and on the cryptographic algorithm in place [1]. The vulnerabilities were discovered through reverse engineering and have been held back until now [1]. The European Telecommunications Standards Institute (ETSI) has stated that the TETRA security standards have been specified with national security agencies and are subject to export control regulations [1].

Researchers from Midnight Blue have also discovered additional vulnerabilities in the TETRA technology used by emergency services [2]. These vulnerabilities include a critical flaw in the encryption algorithm that reduces the encryption key from 80 bits to just 32 bits [2], making it easy for unauthorized actors to decrypt radio messages [2]. Another critical vulnerability allows attackers to insert themselves into the encrypted communication process by manipulating timestamp data [2]. Two high-severity vulnerabilities enable fake messages to be inserted into the communication flow and allow TETRA users to be deanonymized [2]. A low-severity vulnerability allows attackers to intercept uplinks and access post-authentication protocol functions [2].

Mitigations for these vulnerabilities include implementing end-to-end encryption or migrating to newer encryption algorithms [2]. ETSI [1] [2] [3], the designer of the TETRA security algorithms [2], disputes that the vulnerabilities constitute backdoors and states that the TETRA standard remains robust [2]. A patch is available for some of the vulnerabilities [2] [3], and revised standards were released in October 2022 [2]. Detailed advice has been distributed to relevant stakeholders through the National Cyber Security Center [3].


The TETRA:BURST vulnerabilities could allow attackers to spy on or manipulate transmissions. This poses a significant risk, particularly for emergency services and critical infrastructure sectors. However, software updates and compensatory measures are available for some of the vulnerabilities [3], and ETSI has introduced new encryption algorithms as replacements [3]. It is crucial for organizations to take appropriate actions to mitigate these vulnerabilities and ensure the security of their TETRA systems. The findings of the Dutch researchers highlight the need for ongoing vigilance and the importance of regularly updating security measures in the face of evolving cyber threats.


[1] https://thehackernews.com/2023/07/tetraburst-5-new-vulnerabilities.html
[2] https://www.computerweekly.com/news/366545593/Tetra-radio-users-comms-may-have-been-exposed-for-years
[3] https://www.criticalcommunicationsreview.com/ccr/news/110853/strict-provides-insights-on-five-potential-flaws-in-the-tetra-technology-protocol
[4] https://www.darkreading.com/dr-global/zero-day-vulnerabilities-disclosed-in-global-emergency-services-communications-protocol
[5] https://www.hackread.com/power-grids-airports-tetra-radio-hacking-risks/

