By Scott Hamilton
On June 24, 2023, Midnight Blue, a network security firm based in the Netherlands, discovered a critical issue plaguing police and emergency response radio systems. The discovered flaws were named TETRA:BURST and affect all TETRA radio networks. You might wonder what this means to you. First I need to describe a little about TETRA, what it is and how it is used.
TETRA is the trade-name of a radio technology used world-wide as a voice communication system for public safety organizations. TETRA is short for Terrestrial Trunked Radio, which basically means that it is a radio network that is ground based (terrestrial) and secured (trunked) so that radios that are not keyed with the same encryption code cannot listen in on the communications. This is very important, especially related to police communications.
Let’s take an example of a police communication back to the station. If you are speeding, the first thing an officer does is place a radio call into dispatch giving your vehicle make, model and license number. Dispatch returns his call with any past tickets or crimes linked to the vehicle’s plate. This is meant to keep the officer safe in the event that the vehicle owner was involved in a prior violent crime. So far anyone that drives past you already knows the information the officer had, but only you and the officer know anything about your vehicle’s record.
Once you are pulled over the officer takes your driver’s license, registration and insurance. All this information is shared over radio back to dispatch and more of your personal information is broadcast. This is where the trunking mechanism comes in to protect that private information. So now you have an idea of why securing these communication systems is important.
The problem discovered by Midnight Blue allows an attacker to decrypt these secure communications and listen to the conversations. The first flaw is that the Air Interface Encryption (AIE) keystream generator bases its key on the network time, which is publicly broadcast without encryption. What this means is that anyone listening in with the right technology can generate the same pair of encryption keys. The second flaw is in the weak encryption algorithm TEA1, which is used by the system. Researchers found a backdoor in the algorithm that reduces the 80-bit key to a size which is easily guessed on consumer hardware, like your cellphone or laptop, in a matter of minutes.
I know you might be wondering exactly how encryption systems like AIE and algorithms like TEA1 work, and though at first it seems like a complex topic, it boils down to a simple exchange of information. Two parties wanting to communicate with each other exchange a public key (which allows you to decrypt messages encrypted with a private key). It is like a lock with two keys. It can be locked with my private key and your public key. It can only be unlocked by your private key and my public key. No other two keys can open the lock and read the information. We trade public keys first and then lock the messages between each other with the combination of our private and public keys.
The security flaw in AIE means that I can guess all the users’ private keys easily and everyone is sharing their public keys openly, so I can then unlock all the locks and read all the information. There is no easy fix for such a flaw, and the creators of TETRA claim that what appears to be a backdoor was actually put in place to allow them to export the radio hardware to countries that cannot receive the protected encryption algorithms. However, the experts in the community disagree and believe the backdoor was intentionally installed and has been used by the company for the last decade or more to gather private information.
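To make the first flaw concrete, here is a short Python sketch, added as an illustration and not taken from Midnight Blue or from any TETRA implementation. It assumes a toy keystream generator built from SHA-256 and a hypothetical `TimeGuard` check; the key and the two radio messages are constructed sample data.

```python
import hashlib

def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Toy keystream: SHA-256 over key || time || block counter.
    A stand-in for illustration, not TEA1 or any TETRA algorithm."""
    out, block = b"", 0
    while len(out) < length:
        seed = key + network_time.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hashlib.sha256(seed).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, network_time: int, plaintext: bytes) -> bytes:
    # Stream cipher: ciphertext = plaintext XOR keystream(key, time).
    return xor(plaintext, keystream(key, network_time, len(plaintext)))

class TimeGuard:
    """Hypothetical receiver-side check: accept a network time only if it
    moves forward, so a repeated or rolled-back value is refused."""
    def __init__(self) -> None:
        self.last = -1

    def accept(self, network_time: int) -> bool:
        if network_time <= self.last:
            return False
        self.last = network_time
        return True

# Constructed sample data: an 80-bit key and two frames of equal length.
KEY = bytes.fromhex("00112233445566778899")
P1 = b"PLATE ABC123 CLEAR"
P2 = b"PLATE XYZ789 STOP "

def keystream_cancels(t1: int, t2: int) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the plaintexts,
    i.e. the keystream dropped out and the key no longer protects them."""
    c1, c2 = encrypt(KEY, t1, P1), encrypt(KEY, t2, P2)
    return xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("same time value:     ", keystream_cancels(1000, 1000))
    print("different time value:", keystream_cancels(1000, 1001))
    guard = TimeGuard()
    print([guard.accept(t) for t in (1000, 1001, 1001, 999)])
```

When the same time value feeds the generator twice, the keystream repeats and the two messages are no longer hidden from each other, which is why a time value that anyone can see or replay is a poor input for encryption.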
Every time I come across flaws in critical systems that are core to our national security, it makes me wonder if there is really any privacy online or on the air waves. I have always told my children, friends, family and readers that anything you post online, send in e-mail or say in a phone conversation can be considered public information, regardless of the claims made by the company providing the communication service. It has proven to be true on many occasions and I can say I am not really shocked to hear about it in our emergency response systems. I do not know if the TETRA system is in use by our local emergency services, or even if it is widely used in the U.S., but it is a real issue considering the list of TETRA users extends globally across at least 114 countries. The best information I found on the issues was at https://hackaday.com/2023/07/27/did-tetra-have-a-backdoor-hidden-in-encrypted-police-and-military-radios/.
Until next week, stay safe and learn something new.
Scott Hamilton is an Expert in Emerging Technologies at ATOS and can be reached with questions and comments via email to firstname.lastname@example.org or through his website at https://www.techshepherd.org.