Narrowband  |  2023-07-26

STRICT Provides Insights on Five Potential Flaws in the TETRA Technology Protocol

Source: STRICT

Recently, security consultancy Midnight Blue tore down a TETRA radio in order to examine its encryption algorithms: TEA1, TEA2, TEA3 and TEA4.

This week, Computer Weekly and WIRED reported extensively that TETRA, the standard for professional mobile communication, contains vulnerabilities. This standard is used by, among others, emergency services and other organizations that rely on mission-critical communication. What do these vulnerabilities mean? Ken Klaver, Antoine van der Sijs and Peter Eppenga, experts in the field of mission-critical communication, reveal the details.

The research

On July 23, 2023, three Dutch researchers announced that they had found a number of vulnerabilities in the TETRA protocol. TETRA is a worldwide (ETSI) standard for professional mobile communication and is used by, among others, the emergency services, defence, industry, (air)ports and public transport for walkie-talkie traffic. On 24 July, many news media paid attention to the vulnerabilities found in TETRA communication and their possible impact on users.
In TETRA's more than 20 years of existence, the authentication and encryption algorithms have always been secret, and no public in-depth cybersecurity research has been done. In 2.5 years of reverse engineering and analysis, however, the researchers have for the first time unraveled the algorithms used and discovered 5 vulnerabilities. As early as 2021, the researchers made a so-called responsible disclosure of their findings so that suppliers of TETRA networks, walkie-talkies and mobile radios could take mitigating measures such as software updates for their products.

The researchers have not yet shared the technical details; they will do so from August 9, 2023.
The researchers conducted their research in collaboration with the National Cyber Security Center (NCSC). The research was funded by the non-profit NLnet foundation as part of the European Commission's NGI0 PET fund.

What has been discovered?

The investigation revealed 5 vulnerabilities. The impact of the vulnerabilities for TETRA users depends on the use cases and the configuration of the respective TETRA network. The 5 vulnerabilities all relate to TETRA's so-called Air Interface, which has been standardized so that customers on a TETRA network can use many different brands of TETRA peripheral equipment (walkie-talkies and mobile radios). Of these 5 vulnerabilities, 2 have been rated critical in severity, 2 high and 1 low.

What is the impact for users?

As mentioned, the impact of the vulnerabilities for TETRA users depends on the specific use cases and the configuration of the TETRA network in question. For example, users who use TEA1 (TETRA Encryption Algorithm 1) are vulnerable because its encryption key appears to be easy to crack with current computing power. This would in principle make it possible to eavesdrop on such a TETRA network.

Mitigating measures

For some of the vulnerabilities mentioned, software updates are available from TETRA suppliers, while compensatory measures are available for others. In certain cases, users may consider applying an alternative form of encryption, namely end-to-end encryption in the walkie-talkies, which is considered safe. In addition, ETSI has introduced TEA5, TEA6 and TEA7 as replacements for TEA1, TEA2 and TEA3 for Air Interface Encryption. Detailed advice has been distributed to relevant stakeholders via the National Cyber Security Center (NCSC). This advice will be made public by the researchers once the embargo on the technical details is lifted (August 9, 2023).