Dutch researchers unravel TETRA system vulnerabilities

For more than two decades, the globally deployed TETRA technology contained a backdoor that allowed malicious actors to potentially cause massive disruptions in society. A Dutch research team delved into the communications tech and discovered five vulnerabilities.

The C2000 network is the only communication system that connects all emergency services in the Netherlands. It is an example of the type of network that exists throughout the world to unify comms across critical infrastructure. According to the Dutch government, it has 97.8 percent coverage across the country, one of the best figures in Europe. It consists of more than 600 masts and has different levels of security.

The underlying technology is called TETRA (Terrestrial Trunked Radio), which was developed in the 1990s by ETSI (European Telecommunications and Standardization Institute). One of the technology’s main features is its set of security levels. For example, there are TEA1 and TEA4, which can be used for commercial purposes. One use case is energy companies, which use it for communication about gas line operations. TEA2 is reserved for police units, other emergency services and the military. TEA3 is available for countries approved by Europe. The vast majority of police forces around the world are said to use TETRA. In the United States, however, it is not used by police.

Read and send

It would be worrying enough if these allegedly encrypted messages could be read by third parties, but it doesn’t stop there. The Dutch researchers found that the vulnerabilities also make it possible to send malicious messages that could disrupt the critical infrastructure of several countries.

A large number of applications are involved. TETRA can be used to control gas pipelines and train traffic, for example, but also to enable audio communication. All of this can be intercepted and deciphered thanks to the holes in TETRA.

The reason this is only now becoming known is partly because the encryption algorithms were not previously known, according to Wired. The researchers bought a Motorola MTM5400 radio, which is commercially available. To get past the protections within the equipment at all, they had to apply a number of zero-day exploits to bypass Motorola’s safeguards. Then, it took four months to intercept the algorithms behind the “secure enclave” in the radio’s firmware. Wired reports that the backdoor in TEA1 was the first vulnerability the researchers found.


The first step toward restoring the security of any system is discovering its vulnerabilities. This is followed by disclosure, which in this case was obviously very limited at first. The Dutch NCSC (National Cyber Security Center) has informed all radio manufacturers and foreign parties about the problems.

Next month, the research team will present its findings at the BlackHat conference in Las Vegas. Then it will become clear how they discovered the vulnerabilities. However, it remains to be seen how they will present the exact vulnerabilities, as they are very sensitive. For now, the key is for manufacturers and organizations to apply updates where possible and take other security measures.

In any case, experts are using relatively unambiguous language to describe the vulnerability. Speaking to Wired, Matthew Green of Johns Hopkins University called it a disaster. “I wouldn’t say it’s the equivalent of not using encryption, but it’s very, very bad.”
