24 July 2023

TETRA:Burst

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the Netherlands discovered the TETRA vulnerabilities–which they’re calling TETRA:Burst–in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. Not all of the issues can be fixed with a patch, however, and it’s not clear which manufacturers have prepared them for customers. Motorola—one of the largest radio vendors—didn’t respond to repeated inquiries from WIRED. 

  • A spokesperson for DHS’s Cybersecurity and Infrastructure Security Agency said they are aware of the vulnerabilities but wouldn’t comment further.
  • The researchers say anyone using radio technologies should check with their manufacturer to determine if their devices are using TETRA and what fixes or mitigations are available. 
  • The researchers plan to present their findings next month at the BlackHat security conference in Las Vegas, when they will release detailed technical analysis as well as the secret TETRA encryption algorithms that have been unavailable to the public until now. They hope others with more expertise will dig into the algorithms to see if they can find other issues.

Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios

Code Kept Secret for Years Reveals Its Flaw—a Backdoor

A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty. 
One anonymous policeman in a blue uniform holding a walkie talkie radio
PHOTOGRAPH: TOMASZ ƚMIGLA/GETTY IMAGES

FOR MORE THAN 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It’s used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or re-route trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services, such as the C2000 communication system used by Dutch police, fire brigades, ambulance services, and Ministry of Defense for mission-critical voice and data communications. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Three Dutch security analysts discovered the vulnerabilities—five in total—in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the ’90s, but the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.

  • The technology is not widely used in the US, where other radio standards are more commonly deployed. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for WIRED and uncovered contracts, press releases, and other documentation showing TETRA-based radios are used in at least two dozen critical infrastructures in the US. Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it’s difficult to identify who might be using them and for what. But Mathis helped WIRED identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base.

Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the Netherlands discovered the TETRA vulnerabilities–which they’re calling TETRA:Burst–in 2021 but agreed not to disclose them publicly until radio manufacturers could create patches and mitigations. Not all of the issues can be fixed with a patch, however, and it’s not clear which manufacturers have prepared them for customers. Motorola—one of the largest radio vendors—didn’t respond to repeated inquiries from WIRED. . .

No comments:

BEA News: Personal Income and Outlays, October 2024 EMBARGOED UNTIL RELEASE AT 10:00 a.m. EST, Wednesday, November 27, 2024

  BEA News: Personal Income and Outlays, October 2024 The U.S. Bureau of Economic Analysis (BEA) has issued the following news release today...