A group of cybersecurity researchers has uncovered what they believe is an intentional backdoor in encrypted radios used by police, military, and critical infrastructure entities around the world. The backdoor may have existed for decades, potentially exposing a wealth of sensitive information transmitted across them, according to the researchers.
While the researchers frame their discovery as a backdoor, the organization responsible for maintaining the standard pushes back against that specific term, and says the standard was designed for export controls which determine the strength of encryption. The end result, however, is radios with traffic that can be decrypted using consumer hardware like an ordinary laptop in under a minute.
“There’s no other way in which this can function than that this is an intentional backdoor,” Jos Wetzels, one of the researchers from cybersecurity firm Midnight Blue, told Motherboard in a phone call.
The research is the first public and in-depth analysis of the TErrestrial Trunked RAdio (TETRA) standard in the more than 20 years the standard has existed. Not all users of TETRA-powered radios use the specific encryption algorithm, called TEA1, which is impacted by the backdoor. TEA1 is part of the TETRA standard approved for export to other countries. But the researchers also found multiple other vulnerabilities across TETRA that could allow historical decryption of communications and deanonymization. TETRA-radio users in general include national police forces and emergency services in Europe; military organizations in Africa; train operators in North America; and critical infrastructure providers elsewhere.
Midnight Blue will be presenting their findings at the upcoming Black Hat cybersecurity conference in August. The details of the talk have been kept closely under wraps, with the Black Hat website simply describing the briefing as a “Redacted Telecom Talk.” The secrecy was in large part due to the unusually long disclosure process. Wetzels told Motherboard the team has been disclosing these vulnerabilities to impacted parties for more than a year and a half so they can be fixed. That included an initial meeting with Dutch police in January 2022, a meeting with the intelligence community later that month, and then the main bulk of the work of providing information and mitigations to stakeholders. NLnet Foundation, an organization which funds “those with ideas to fix the internet,” financed the research.
The European Telecommunications Standards Institute (ETSI), an organization that standardizes technologies across the industry, first created TETRA in 1995. Since then, TETRA has been used in products, including radios, sold by Motorola, Airbus, and more. Crucially, TETRA is not open-source. Instead, it relies on what the researchers describe in their presentation slides as “secret, proprietary cryptography,” meaning it is typically difficult for outside experts to verify how secure the standard really is.
The researchers said they worked around this limitation by purchasing a TETRA-powered radio from eBay. In order to then access the cryptographic component of the radio itself, Wetzels said the team found a vulnerability in an interface of the radio. From there, they achieved code execution on the main application processor; they then jumped to the signals processor, which Wetzels described as something equivalent to a wifi or 3G chip, which handles the radio’s signals. On that chip, a secure enclave held the cryptographic ciphers themselves. The team finally found vulnerabilities in that enclave, which allowed them to extract the cryptography and perform their analysis. The team then reverse-engineered how TETRA implemented its cryptography, which led to the series of vulnerabilities that they have called TETRA:BURST. “It took less time than we initially expected,” Wetzels said.
Most interesting is the researchers’ finding of what they describe as the backdoor in TEA1. Ordinarily, radios using TEA1 used a key of 80 bits. But Wetzels said the team found a “secret reduction step” which dramatically lowers the amount of entropy the initial key offered. An attacker who followed this step would then be able to decrypt intercepted traffic with consumer-level hardware and a cheap software defined radio dongle.
“This is a trivial type of attack that fully breaks the algorithm. That means an attacker can passively decrypt everything in almost real time. And it’s undetectable, if you do it passively, because you don’t need to do any weird interference stuff,” Wetzels said.
Not all current TETRA-radio customers will use TEA1, and some may have since moved on to TETRA’s other encryption algorithms. But given TETRA’s long life span, the issue’s existence still means there may have been room for exploitation if another party was aware of it.
“There’s bigger fish who likely found this much earlier,” Wetzels said, referring to other third parties who may have discovered the issue.
The researchers say they identified multiple entities that they believe may have used TEA1 products at some point. They include U.S. Africom, a part of the U.S. military which focuses on the continent. Multiple military agencies did not respond to Motherboard’s request for comment.
“In the interest of public safety, we do not share detailed information on our cybersecurity infrastructure,” Lenis Valens, a spokesperson for PANYNJ, which manages JFK airport, said in a statement when Motherboard asked if the organization used TETRA radios. “The agency has robust protocols in place and employs the latest technologies and best practices. Safety for our passengers and customers always comes first,” the statement said.
Most law enforcement agencies contacted by Motherboard did not respond to a request for comment. Swedish authorities declined to comment.
Several radio manufacturers directed Motherboard to ETSI for comment. Claire Boyer, press and media officer for ETSI, told Motherboard in an email that “As the authority on the ETSI TETRA technology standard, we welcome research efforts that help us further develop and strengthen the security of the standard so that it remains safe and resilient for decades to come. We will respond to the report when it has been published.”
Specifically on the researchers’ claims of a backdoor in TEA1, Boyer added “At this time, we would like to point out that the research findings do not relate to any backdoors. The TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption.”
The researchers stressed that the key reduction step they discovered is not advertised publicly.
“‘Intentional weakening’ without informing the public seems like the definition of a backdoor,” Wouter Bokslag from Midnight Blue told Motherboard in an email.
In ETSI’s statement to Motherboard, Boyer said “there have not been any known exploitations on operational networks” of the vulnerabilities the researchers disclosed.
Bokslag from Midnight Blue said in response that “There is no reason ETSI would be aware of exploitations in the wild, unless customers reach out to ETSI after detecting anomalies in their network traffic.” Then with the TEA1 issues specifically, “since it can be passively intercepted and decrypted, there is no detectable interference, and ETSI not knowing any concrete cases seems like a bit of a meaningless statement with this regard.”
In response to some of the researchers’ findings, radio manufacturers have developed firmware updates for their products. For TEA1, however, the researchers recommend users migrate to another TEA cipher or apply additional end-to-end encryption to their communications. Wetzels said that such an add-on does exist, but that it hasn’t been vetted by outside experts at this time.
Bart Jacobs, a professor of security, privacy and identity, who did not work on the research itself but says he was briefed on it, said he hopes “this really is the end of closed, proprietary crypto, not based on open, publicly scrutinised standards.”