A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information.
The issues, discovered by Midnight Blue in 2021 and held back until now, have been collectively called TETRA:BURST. There is no conclusive evidence to determine that the vulnerabilities have been exploited in the wild to date.
"Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said.
Standardized by the European Telecommunications Standards Institute (ETSI) in 1995, TETRA is used in more than 100 countries and as a police radio communication system outside the U.S. It's also employed to control essential systems like power grids, gas pipelines, and railways.
That said, TETRA-based radios are estimated to be used in at least two dozen critical infrastructures in the U.S., per WIRED. This comprises electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system, three international airports, and a U.S. Army training base.
The system is underpinned by a collection of secret, proprietary cryptographic algorithms – the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE) – which have been guarded as trade secrets under strict non-disclosure agreements (NDAs).
In reverse engineering TAA1 and TEA, Midnight Blue said it was able to discover five shortcomings, ranging from low to critical in severity, that allows for "practical interception and manipulation attacks by both passive and active adversaries" -
- CVE-2022-24400 - A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.
- CVE-2022-24401 - The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
- CVE-2022-24402 - The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
- CVE-2022-24403 - The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.
- CVE-2022-24404 - Lack of ciphertext authentication on AIE allows for malleability attacks.
"The impact of the issues above is highly dependent on how TETRA is used by organizations, such as whether it transmits voice or data and which cryptographic algorithm is in place," cybersecurity company Forescout said.
One of the most severe issues is CVE-2022-24401, an oracle decryption attack that can be weaponized to reveal text, voice, or data communications without knowledge of the encryption key.
CVE-2022-24402, the second critical flaw uncovered in TETRA's TEA1 algorithm, permits attackers to inject data traffic that is used for monitoring and control of industrial equipment, the San Jose firm pointed out.
"Decrypting this traffic and injecting malicious traffic allows an attacker to achieve denial of control/view or manipulation of control/view, thus performing dangerous actions such as opening circuit breakers in electrical substations, which can lead to blackout events similar to the impact of the Industroyer malware," it elaborated.
"The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakening," the Midnight Blue team noted, describing the engineering weakness as having a "computational step which serves no other purpose than to reduce the key's effective entropy."
But ETSI, in a statement shared with Vice, has pushed back against the term "backdoor," stating that "the TETRA security standards have been specified together with national security agencies and are designed for and subject to export control regulations which determine the strength of the encryption."
