TETRA Radio Standard Vulnerabilities Can Expose Military Comms, Industrial Systems
TETRA:BURST – vulnerabilities in widely used radio standard could threaten military and law enforcement communications, as well as ICS.
By
Five vulnerabilities, two deemed to be critical, have been found in the Terrestrial Trunked Radio (TETRA) standard.
TETRA is the most widely used police radio communication system outside of the US. It is used by fire and ambulance services, transportation agencies, utilities, and military, border control and customs agencies in more than 100 nations globally — as well as the UN and NATO.
The vulnerabilities were discovered by cybersecurity firm Midnight Blue (Amsterdam, Netherlands) with funding from NLnet as part of the EU NGI0 PET fund. Midnight Blue reverse-engineered the proprietary TETRA Authentication Algorithm (TAA1) and TETRA Encryption Algorithm (TEA) and analyzed them for the first time. In this process they discovered a series of vulnerabilities that they call TETRA:BURST.
The firm has announced basic details but will be providing full technical details during upcoming security conferences, including Black Hat and DEF CON in August. “We have spent over two and a half years on our TETRA research, including a coordinated disclosure process that lasted over one and a half years. We will fully disclose our research results and present our work at various conferences throughout the year,” say the researchers.
The five vulnerabilities are:
Midnight Blue calls out the first and third vulnerabilities as of immediate concern. “This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.”
The company also raised concerns over the TEA1 encryption backdoor, which could pose a serious risk to critical infrastructure operators and their industrial control systems (ICS).
“By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signaling messages,” Midnight Blue explains.
Patches and mitigations (such as the use of E2EE) are specified.
William Wright, CEO at Closed Door Security, commented, “This is an extremely concerning discovery from security researchers. No system, whether critical or trivial, should ever be marketed or deployed without continuous and proactive security testing.” It seems that too much reliance for security was placed on the proprietary nature of the TETRA standard.
He points out that since criminals are constantly looking for weaknesses in systems they can exploit to gain access to data, there is a possibility these bugs have already been discovered and used in the wild. “Furthermore,” he adds, “given the types of industries that rely on TETRA radio communications, this could have given adversaries access to sensitive information that could be extremely dangerous in their hands.”
Related: Metasploit’s New RFTransceiver Finds Security Flaws in IoT Radio Communications
Related: Cyprus Arrests Three in ‘Israeli Spy Van’ Probe
Related: Cyber Insights 2023 | The Geopolitical Effect
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.
Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.
Thinking through the good, the bad, and the ugly now is a process that affords us “the negative focus to survive, but a positive one to thrive."(Marc Solomon)
Sharing threat information and cooperating with other threat intelligence groups helps to strengthen customer safeguards and boosts the effectiveness of the cybersecurity sector overall.(Derek Manky)
Securing APIs is a noble, though complex journey. Security teams can leverage these 10 steps to help secure their APIs.(Joshua Goldfarb)
While silos pose significant dangers to an enterprise's cybersecurity posture, consolidation serves as a powerful solution to overcome these risks, offering improved visibility, efficiency, incident response capabilities, and risk management.(Matt Wilson)
The need for cyber resilience arises from the growing realization that traditional security measures are no longer enough to protect systems, data, and the network from compromise.(Torsten George)
Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...
OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...
The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...
Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.
Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.
A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...
Five vulnerabilities, two deemed to be critical, have been found in the Terrestrial Trunked Radio (TETRA) standard. Learn More at SecurityWeek’s ICS Cyber Security ConferenceRelatedRelatedRelated