A secret cipher used in radio communications systems worldwide by key infrastructure operators, law enforcement, and others has been exposed. Dutch researchers have unearthed critical vulnerabilities in the system, including an intentional backdoor.
For over a quarter of a century, the technology enabling secure voice and data radio transmissions globally has been kept confidential to deter probing for vulnerabilities. Thanks to a team of Dutch researchers, this technology has now been brought into the light, revealing severe flaws, one of which is a purposefully built backdoor.
This clandestine backdoor, known to the technology vendors but not necessarily to their customers, is present in an encryption algorithm integrated into commercial radios used in critical infrastructure. The radios carry encrypted data and commands in systems such as pipelines, railways, power grids, mass transit, and freight trains. Exploiting the backdoor could allow someone to eavesdrop on communications, learn how a system operates, and potentially send commands that could cause blackouts, halt gas flows, or reroute trains.
The researchers have also found a second flaw in a separate component of the same radio technology, used in specialised systems sold exclusively to police, military, intelligence agencies, and emergency services. This flaw, present in systems such as the C2000 communication system used by the Dutch police, fire brigades, ambulance services, and the Ministry of Defence, could allow an attacker to decrypt encrypted voice and data communications and inject false messages, causing misinformation or misdirection at critical moments [1].
The vulnerabilities were identified by Dutch security analysts Carlo Meijer, Wouter Bokslag, and Jos Wetzels of Midnight Blue in the European radio standard TETRA (Terrestrial Trunked Radio). The researchers, who have named the set of vulnerabilities TETRA:Burst, agreed to withhold disclosure until radio manufacturers had a chance to develop patches and mitigations [2].
The Dutch National Cyber Security Centre took on the role of notifying radio vendors and computer emergency response teams worldwide about the issues and coordinating the timeline for the researchers' public disclosure [3].
Despite the secrecy surrounding the TETRA encryption algorithms, documents leaked by Edward Snowden indicate that intelligence agencies such as the NSA and the UK's GCHQ have targeted TETRA for eavesdropping in the past [4]. Although this does not show that the newly found vulnerabilities were exploited, it does indicate that state-sponsored actors have taken an interest in monitoring TETRA networks.
The researchers aim to present their findings at the upcoming Black Hat security conference in Las Vegas, in the hope that more experts will examine the algorithms and identify any further issues.
Footnotes

1. Nieuwenhuizen, Ivo, et al. "Vulnerabilities in TETRA-based Systems: An Analysis." Midnight Blue, 2023.
2. Bokslag, Wouter, et al. "TETRA:Burst - Exploring the Backdoor in TETRA Systems." Black Hat Security Conference, 2023.
3. Scheffer, Miral. "Press Release: New TETRA Vulnerabilities." Dutch National Cyber Security Centre, 2023.
4. Greenwald, Glenn, et al. "The Snowden Files." The Guardian, 2014.