Midnight Blue reveals TETRA:BURST zero-day vulnerabilities, exposing TETRA radio communications

New research from Midnight Blue disclosed five zero-day vulnerabilities, two of which are deemed critical, affecting the Terrestrial Trunked Radio (TETRA) standard used globally by law enforcement, military, critical infrastructure, and industrial asset owners in the power, oil and gas, water, and transport sectors and beyond. The researchers found that, depending on infrastructure and device configurations, these vulnerabilities allow for real-time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning.

“Practically, these vulnerabilities allow high-end adversaries to listen in on police and military communications, track their movements, or manipulate SCADA communications carried over TETRA. Firmware patches are available for some of these vulnerabilities while compensating controls are recommended for others,” Midnight Blue researchers disclosed this week. The research was undertaken with funding from the non-profit NLnet foundation as part of its European Commission-supported Next Generation Internet (NGI) Privacy and Trust Enhancing Technologies (PET) fund.

The researchers said that while there are some indications that TETRA systems have been targeted for interception, “we have no hard evidence that the TETRA:BURST vulnerabilities specifically have been exploited in the wild. However, since exploitation of most of these issues is hard (CVE-2022-24400, CVE-2022-24401, CVE-2022-24404) or impossible (CVE-2022-24402, CVE-2022-24403) to detect and at least one (CVE-2022-24402) is due to an intentionally weakened cipher – this absence of evidence is most certainly not evidence of absence.”

Proof-of-concept attack code will not be released due to the potential for abuse, the research revealed.

TETRA was standardized by the European Telecommunications Standards Institute (ETSI) in 1995, is used in more than 100 countries, and is the ‘most widely’ used police radio communication system outside the U.S. Like its North American counterpart P25 and other standards such as DMR and TETRAPOL, TETRA can be used for voice and data transmission, including in a machine-to-machine capacity.

“At its core, TETRA security relies [on] a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE),” Midnight Blue detailed. “The TEA suite consists of four stream ciphers with 80-bit keys: TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.”

“The use of secret, proprietary cryptography is a violation of Kerckhoffs’ Principle, which states that a cryptosystem should be secure even if an adversary knows how it works,” Jos Wetzels, founding partner at Midnight Blue, said. “Violating this principle has resulted in practically exploitable vulnerabilities in prominent telecommunications standards time and again, as shown by historical flaws in the GSM, GPRS, GMR, and DECT standards.”

As a result of this secrecy, Midnight Blue’s research is the first in-depth public security research in TETRA’s over 20-year history, thereby revealing issues which have lingered unaddressed for decades. 

Midnight Blue identified that the issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404), which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

“The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic,” the research disclosed. “By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment.”

For instance, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA (supervisory control and data acquisition) systems communicate with Remote Terminal Units (RTUs) over a wide-area network (WAN). Decrypting this traffic and injecting malicious traffic could allow an attacker to perform dangerous actions such as opening circuit breakers in electrical substations or manipulating railway signaling messages.

The research added that the deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces. 

“This vulnerability presents a state or criminal adversary with a powerful counter-intelligence capability, allowing them to avoid covert observation or serve as an early warning of impending intervention by special forces,” according to Wouter Bokslag, founding partner at Midnight Blue.

Finally, Midnight Blue revealed that the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality. “While the immediate impact of this last issue is limited, it presents an interesting springboard for potential future security research,” it added.

The Midnight Blue research said that while common Coordinated Vulnerability Disclosure (CVD) guidelines stipulate a six-month period for hardware and embedded systems vulnerabilities, the combined sensitivity of the systems involved, the complexity of addressing the TETRA:BURST issues, and lead time in identifying and reaching as many affected parties as possible have resulted in a disclosure process of well over a year and a half. 

Midnight Blue initially disclosed its findings to the Dutch National Cyber-Security Centre (NCSC) in December of 2021 and has coordinated closely with industry and asset owner stakeholders since then in order to find a tradeoff between giving as many asset owners as much time as possible to address these issues while simultaneously ensuring that the issues would become publicly known in a timely fashion to reach those asset owners that could not be identified or reached through private channels.

Remediating patches are available for some of the TETRA:BURST issues while compensating controls are available for others. A detailed advisory has been distributed by Midnight Blue to relevant stakeholders through the Dutch NCSC and will be released publicly once the embargo on the technical details is lifted at next month’s Black Hat USA 2023 conference.

Earlier this month, the Cybersecurity Assessment Netherlands 2023 (CSAN 2023) report highlighted the importance of operational technology (OT) security and the challenges it faces. It warns of state actors using cyberattacks for geopolitical goals, extortion as a lucrative business model, and new technologies like AI posing new threats. The report emphasizes the need for broader risk management and the integration of digital risks into national security risks.
