Click for homepage
TETRA
  
TEA1 →
TAA →
  
9 August 2023 — We are now able to share the reverse-engineered C-source code of the TAA1, TEA1, TEA2 and TEA3 algorithms. This clearly shows the weakness in TEA1. Also published is a paper on TETRA:BURST, written by the Midnight Blue researchers Carlo Meijer, Wouter Bokslag and Jos Wetzels.  More
TETRA:BURST
Vulnerabilities in TETRA radio networks

On 24 July 2023, researchers of the Dutch security firm Midnight Blue revealed that they had found five vulnerabilities in the authentication and encryption algorithms of the TETRA radio network, which is used in the critical infrastructure of more than 100 countries. Two of the vulnerabilities are deemed critical. One of them appears to be an intentional backdoor [1].


The vulnerabilities were discovered during the course of 2020, and were reported to the NCSC in the Netherlands in December of that year. It was decided to hold off public disclosure until July 2023, to give emergency services and equipment suppliers the ability to patch the equipment.


Reverse-engineering   RE:TETRA
Several algorithm suites and cryptographic primitives are used at the core of the TETRA protocol, in particular TAA for authentication, and TEA for encryption. As these algorithms are secret, they have never been publicly disclosed and, hence, have never been subjected to in-depth public scrutiny. In order to find any vulnerabilities in the code, the researchers therefore first had to reverse-engineer the TAA and TEA algorithms, which appeared to be not trivial at all.

The reverse-engineering project — codenamed RE:TETRA — was started on 1 January 2020, with funding from the non-profit NLnet foundation, as part of the latter's European Commission supported NGI0 PET fund. Once the reverse-engineering was completed, the researchers were able to isolate and analyse the cryptographic functions.


Platform
For reverse-engineering, a Motorola MTM-5400 commercial off-the-shelf (COTS) mobile radio was used, along with associated firmware upgrades obtained through amateur radio forums. Reading the contents of a firmware upgrade is not trivial though, as it is heavily encrypted and relies on a Trusted Execution Environment (TEE), embedded in the core processor of the radio.

The MTM-5000 series is built around a Texas Instruments OMAP-L138 System on Chip (SoC), which contains an ARM core and TI C6748 DSP. It offers secure boot by means of TEE, as a result of which confidential code can be loaded and executed without revealing its implementation. This is how the TETRA algorithms are protected.

In order to execute arbitrary code on the ARM core, the researchers first had to exploit another series of known vulnerabilities, using a serial AT command interface as the attack surface and performing a cache-timing side channel attack.
  
Click to see more

With the ARM core and the DSP now firmly under control of the attackers, the MBM-5000 series can be used as a development platform for researchers, allowing in-depth security research into TETRA, which will hopefully improve overall TETRA security. The Midnight Blue researchers have announced that they will publicly release the tools for unpacking Motorola firmware upgrade packages, as well as utilities for instrumenting, debugging, monitoring and packet injection.


Vulnerabilities   TETRA:BURST
Once the software had been reverse-engineered, the researchers were able to do in-depth security research with the aim to find vulnerabilities and ultimately mount an attack. Over the course of one year, the following vulnerabilities were discovered:

  1. Dependence on network time
    The Air Interface Encryption (AIE) keystream relies on network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks and may lead to loss of confidentiality and authenticity. This vulnerability is deemed critical.
    CVE-2022-24401 · This problem can be fixed by installing a firmware upgrade.
    ★★★★★

  2. Backdoor in TEA1
    The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a size which is trivially brute-forceable on consumer hardware in minutes. This is a critical flaw that leads to loss of confidentiality and authenticity. The researchers believe that this is a deliberately created weakness to provide intelligence services access to the traffic.
    CVE-2022-24402 · This problem can be fixed by using E2EE on top of TEA1.
    ★★★★★

  3. Lack of ciphertext authentication
    The lack of ciphertext authentication of AIE allows for malleability attacks. This may eventually lead to loss of authenticity.
    CVE-2022-24404 · This problem can be fixed by installing a firmware upgrade.
    ★★★★

  4. Weak anonymisation
    The cryptographic scheme used to obfuscate radio identities, has a weak design that allows attackers to deanonymize and track users.
    CVE-2022-24403 · This problem can be fixed by using E2EE on top of TEA1.
    ★★★

  5. DCK can be set to 0
    A flaw in the authentication algorithm allows attackers to set the Derived Cipher Key (DCK) to 0. This may lead to loss of authenticity and partial loss of confidentially.
    CVE-2022-24400 · This problem can be fixed by migrating to TAA2 (long-term).
ETSI's reply   24 Aug 2023
The TETRA encryption algorithms were implemented in 1996 and 1997 by or on behalf of the Security Experts Group of the European Telecommunications Standards Insitute (ETSI-SAGE). It is ETSI's policy not to disclose their cryptographic algorithms and not to submit them to public in-depth security research, other than validation by the other ETSI-SAGE members, claiming that obscurity is also a form of security [7]. Researchers often see this as a violation of Kerckhoffs's Principle however [5], which in the long run can potentially lead to weak exploitable systems.

On the day of the TETRA:BURST disclosures, ETSI issued a press statement in which the findings of the researchers were largely downplayed, claiming that improvements were already underway and that no actual exploitations of operational networks were known at the time [6].

The Midnight Blue researchers have since demonstrated real-life exploitations of some of the vulnerabilities, for example at the 2023 Blackhat Conference in Las Vegas (USA). They have shown that TETRA communications secured with the TEA1 encryption algorithm can be broken in one minute on a regular commercial laptop and in 12 hours on a classic laptop from 1998 [III].




Demonstrations
1. Dependence on network time
★★★★★ CVE-2022-24401

In the video below, the first critical vulnerability (CVE-2022-24401) is demonstrated. It shows a decryption oracle attack that is based on the fact that the Air Interface Encryption (AIE) keystream relies on network time, which is publicly broad­cast in an unauthenticated manner. The video shows a lab setup in which an instrumented base station is used as an attacker platform.
  


2. Backdoor in TEA1
★★★★★ CVE-2022-24402

Midnight Blue researchers discovered a backdoor in the TEA1 encryption algorithm, which had clearly been added deliberately, probably to give inteligence services access to the system. In the video below, the TEA1 backdoor is demonstrated on a real network. After breaking the initial key — one minute on a regular laptop — the rest of the traffic can be read without any problems.
  


3. Breaking TEA1 on a 1998 laptop
★★★★★ CVE-2022-24401

After the TETRA:BURST vulnerabilities were dis­closed on 24 July 2023, the European standards body ETSI downplayed the discoveries, saying that the short TEA1 key is not a real backdoor, and that a key length of 32 bits was appropriate when the standard was issued in the late 1990s.

To bust these claims, the researchers have run their TEA1 cracking tool on an old 1998 Toshiba laptop, running Microsoft Windows 95 on a Pentium II at 266 MHz. The key was found after 12.5 hours, which demonstrates that even in the late 1990s an attack would have been realistic.
  




TETRA Encryption Algorithms   TEA
TEA is a set of encryption algorithms that can be used for Air Interface Encryption (AIE) in the TETRA communications system. It consists of four variants (TEA1, TEA2, TEA3 and TEA4), with differing levels of security, depending on the application. The algorithms are simple yet strong, and can easily be implemented in both hard- and software. All TEA variants use an 80-bit key.

The structure of the TAA and TEA algorithms, including the HURDLE block cipher used in TAA, is described in detail in a paper by Carlo Meijer, Wouter Bokslag and Jos Wetzels — all involved in the TETRA:BURST vulnerability research at Midnight Blue [I].

 Read the paper
 Reverse-engineered source code
 Overview of TEA algorithms


TEA1 algorithm
The TEA1 algorithm was intended for commercial applications and restricted export. Its structure is very similar to TEA2, but the 80-bit key is manipulated in such a way that it becomes a 32-bit key, which can be broken with a brute-force attack on a regular commercial laptop in around one minute. The source code snippet below shows how the key length is reduced.

     int32_t tea1_init_key_register(const uint8_t *lpKey) {
         int32_t dwResult = 0;
         for (int i = 0; i < 10; i++) {
             dwResult = (dwResult << 8) |
             g_abTea1Sbox[((dwResult >> 24) ^ lpKey[i] ^ dwResult) & 0xff];
         }
         return dwResult;
     }
     
    
The key consists of 80 bits, which is equal to 10 bytes. In the above code, the 10 bytes are processed one at a time, and then shifted into the result (
dwResult
) register. However, as the
dwResult
register is only 32 bits wide, the first 48 bits are shifted out and the key consists of the last 32 bits only, which is trivially short for a brute-force attack.

Although the short key length can be seen as a backdoor — it is a deliberate weakening — this is disputed by the original developer, as it was done in plain sight and not hidden in some complex code, function or table [3]. The short key length was simply an ETSI requirement. Any company that had to implement the algorithm in its equipment, had access to the design specification and must have been aware of the limitation [3]. This is corroborated by Gert Roelofsen in an interview with De Volkskrant on 29 July 2023, in which he states that the government had been aware of it for the past 30 years [2]. At the time, Roelofsen was on the ETSI experts team on behalf of KPN.

 More about TEA1


TEA2 algorithm
TEA2 was developed for European emergency services, and is arguably the strongest of the four algorithms. It uses the full 80-bit key length. If we assume that a 32-bit key can be broken in one minute – as with TEA1 above – we can calculate how long it would take to brute-force an 80-bit key. As each bit doubles the required time, the total time needed is:

60 × 248 [sec] ≈ 535 milion years

If there is no known way to break the cipher other than by means of a brute-force attack, this algorithm can be assumed secure.

 More about TEA2


TEA3 algorithm
TEA3 is intended for emergency services outside Europe. It is similar to TEA2 and does not have the weakness of TEA1 (i.e. the reduced key length). Although it is likely that TEA3 is stronger than TEA1 and TEA4, it is also likely that it is weaker than TEA2. So far, the researchers have not found any weaknesses in this cipher, but acknowledge the need for further research.

 More about TEA3


TEA4 algorithm
The TEA4 algorithm is intended for commercial use and restricted access, just like TEA1, which suggests that it also has a built-in weakness. However, as no implementation of this cipher was available on the Motorola target MTM-5400 platform, the researchers were unable to review the algorithm. It seems likely though, that it has similar weaknesses to TEA1.

 More about TEA4


Exploitation
Although there is no direct proof of actual exploitation of a TETRA network, it seems likely that malicious parties are interested in reading or interfering with TETRA traffic. The simple fact that no exploitations are known [6], does not mean that they do not exist. The TETRA:BURST project shows that reverse-engineering of the cryptographic primitives is feasible with limited resources.

A weakness like the reduced key length of TEA1 is so obvious that it will certainly have been noticed and exploited. Apart from the possibility of reverse-engineering, an adversary would not be hampered by legal restrictions, and might use leaked or stolen documentation instead.


Responsible disclosure
Below is a timeline of events since the start of the reverse-engineering project RE:TETRA on 1 January 2021 and the first public disclosure on 24 July 2023. The Dutch NCSC (NCSC-NL) was informed in December 2021, after which meetings were held with the law enforcement and intelligence communities, as well as with ETSI and the vendors. Shortly afterwards, on 2 February 2022, preliminary advice was distributed to the various stakeholders and CERTs. The remainder of 2022 and the first half of 2023 were used for coordination and advisory sessions with stake­holders, allowing manufacturers to come up with firmware patches, updates or workarounds.


The time between the first contact with NCSC-NL and the public disclosure of the vulnerabilities, is a carefully chosen tradeoff between giving asset owners as much time as possible and the right of the public to know. The 1.5+ years inbetween were used to find as many stakeholders as possible and inform/advice them, so that software updates and mitigations could be devoloped.


Events
The Midnight Blue researchers will present their finding at the following events and conferences:

Publications
  1. Carlo Meijer, Wouter Bokslag and Jos Wetzels,
    All cops are broadcasting: TETRA under scrutiny

    Paper submitted to Crypto Museum. 9 August 2023.

  2. Full source code of TAA1, TEA1, TEA2 and TEA3 algorithms in C
    Reverse-engineered and used for analysis and real life tests.
    Midnight Blue, 9 August 2023.

  3. All Cops Are Broadcasting, Breaking TETRA after decades in the shadows
    Presentation by Jos Wetzels, Carlo Meijer and Wouter Bokslag at Black Hat 2023.
    Midnight Blue, 9 August 2023
Further source codes on GitHub
Datasheets
  1. OMAP-L138 processor documentation
    Texas Instruments website.

  2. TMS320 DSP documentation
    Texas Instruments website.
References
  1. TETRA:BURST
    Midnight Blue, 24 July 2023.

  2. Huib Modderkolk, Overheid weet al dertig jaar van 'achterdeur' in beveiliging radiocommunicatie
    De Volkskrant, 29 July 2023.

  3. Cees Jansen, TEA co-developer at Philips Crypto BV
    Personal correspondence. Crypto Museum, 2 August 2023.

  4. Royal Holloway, University of London, Impact case study (REF3b)
    Design of a block cipher used in TETRA secure radio.
    REF2014. Undated but probably 2014.

  5. Wikipedia, Kerckhoffs's principle
    Retrieved 5 August 2023.

  6. ETSI and TCCA Statement to
    TETRA Security Algorithms Research Findings Publication on 24 July 2023

    ETSI/TCCA. Sophia Antipolis, 24 July 2023.

  7. Kim Zetter, Interview with the ETSI Standards Organisation That Created TETRA "Backdoor"
    Interview between Kim Zetter and Brian Murgatroyd, Chairman ETSI TC TETRA.
    Zero Day website, 25 July 2023.

  8. ETSI and TCCA Statement to
    TETRA Security Algorithms Research Findings Publication on 24 July 2023

    ETSI/TCCA. Sophia Antipolis, 24 July 2023.
Further information
Other websites
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Tuesday 08 August 2023. Last changed: Saturday, 26 August 2023 - 07:00 CET.
Click for homepage