The Dutch government knows for at least thirty years that the TETRA system is weakly encrypted. Consequently, the government is said to have asked for a backdoor to be installed, writes the Dutch outlet de Volkskrant, based on an interview with Gert Roelofsen, responsible for TETRA security during the time of development. The backdoor makes it easy to crack the communications network in countries outside Western Europe.
The Dutch government would have caused a vulnerability in the TETRA system. “The weak security of TEA1 was imposed by the Dutch government,” says Gert Roelofsen. He directed the group responsible for the security of TETRA. The man is now retired.
Five vulnerabilities found
A group of Dutch researchers informed the world last week that the TETRA system contains five vulnerabilities. These include the technology behind the c2000 network, a communications network that connects all emergency services in the Netherlands. The researchers first give radio manufacturers and organizations time to take security measures and present their research next month at the BlackHat conference in Las Vegas.
Also read: Dutch researchers unravel TETRA system vulnerabilities
One of the vulnerabilities is known and involves a backdoor in TEA1. That is one of the four Tetra algorithms and gets used by, for example, energy companies to provide communication around gas pipelines, the port of Rotterdam and intelligence services and armies of countries outside Europe. The problem is weakened encryption, as the system has a 32-bit key while an 80-bit key is promised. As a result, the system can be cracked in minutes via an ordinary laptop. According to Roelofsen, a “tiny part of the Dutch government” has always been aware of the backdoor.
According to Dutch research, encrypted messages can be read by third parties. Moreover, the vulnerability can be abused to send messages, compromising the critical infrastructure of several countries.
Weaken police forces outside Europe
Roelofsen knows why the Dutch government insisted on installing a backdoor in TEA1. According to him, this algorithm was intended for police services outside Europe. There, weaker encryption had to be installed because of the Wassenaar Agreement, which required European countries to limit the export of technologies that could also be used militarily.
Western European police forces still run on TEA2. It forms the basis of the c2000 network for emergency services. This Tetra algorithm has much more robust encryption, which now appears to have been a deliberate choice.
Meanwhile, quite a few countries using TEA1 have joined Europe. Many countries have become part of the European Union, Navo and Schengen. In addition, the field in which TEA1 is deployed grew, extending its use to for example the port of Rotterdam.
A spokesman for the National Cyber Security Center (NCSC) informed de Volkskrant that it had been informed of the weaknesses in TEA1 since late 2021. The center would then have passed on the information to various parties.