9 August 2023 —
We are now able to share the reverse-engineered C-source code of
the TAA1, TEA1, TEA2 and TEA3 algorithms. This clearly shows
the weakness in TEA1. Also published is a paper on TETRA:BURST,
written by the Midnight Blue researchers Carlo Meijer, Wouter Bokslag
and Jos Wetzels.

Vulnerabilities in TETRA radio networks
On 24 July 2023, researchers of the Dutch security firm
Midnight Blue revealed
that they had found five vulnerabilities in the authentication and
encryption algorithms of the TETRA radio network, which is used in
the critical infrastructure of more than 100 countries.
Two of the vulnerabilities are deemed critical. One of them
appears to be an intentional backdoor [1].
The vulnerabilities were discovered during the course of 2020, and were
reported to the NCSC in the Netherlands in December of that year. It was
decided to hold off public disclosure until July 2023, to give emergency
services and equipment suppliers the ability to patch the equipment.

Reverse-engineering
RE:TETRA

Several algorithm suites and cryptographic primitives are used at the
core of the TETRA protocol, in particular TAA for authentication,
and TEA for encryption.
These algorithms are secret: they have never been
publicly disclosed and, hence, have never been subjected to in-depth
public scrutiny. In order to find any vulnerabilities in the
code, the researchers therefore first had to reverse-engineer the
TAA and TEA algorithms, which proved to be far from trivial.
The reverse-engineering project — codenamed RE:TETRA — was started
on 1 January 2020, with funding from the non-profit
NLnet foundation, as part of the latter's
European Commission supported NGI0 PET fund.
Once the reverse-engineering was completed, the researchers were
able to isolate and analyse the cryptographic functions.

For reverse-engineering, a Motorola MTM-5400
commercial off-the-shelf (COTS) mobile radio was used,
along with associated firmware upgrades obtained through
amateur radio forums. Reading the contents of a firmware upgrade
is not trivial though, as it is heavily encrypted and relies
on a Trusted Execution Environment (TEE), embedded in
the core processor of the radio.

The MTM-5000 series
is built around a Texas Instruments
OMAP-L138
System on Chip (SoC), which contains an
ARM core and TI C6748 DSP.
It offers secure boot by means of TEE,
as a result of which confidential code can be loaded
and executed without revealing its implementation.
This is how the TETRA algorithms are protected.
In order to execute arbitrary code on the ARM core,
the researchers first had to exploit another series of
known vulnerabilities, using a serial AT command interface
as the attack surface and performing a cache-timing side
channel attack.

With the ARM core and the DSP now firmly under control of the attackers,
the MTM-5000 series
can be used as a development platform for researchers,
allowing in-depth security research into TETRA, which will hopefully
improve overall TETRA security.
The Midnight Blue researchers have announced
that they will publicly release the tools for unpacking Motorola
firmware upgrade packages, as well as utilities for instrumenting, debugging,
monitoring and packet injection.

Vulnerabilities
TETRA:BURST

Once the software had been reverse-engineered, the researchers were
able to do in-depth security research with the aim of finding vulnerabilities
and ultimately mounting an attack. Over the course of one year,
the following vulnerabilities were discovered:

- Dependence on network time
  The Air Interface Encryption (AIE) keystream relies on network time,
  which is publicly broadcast in an unauthenticated manner. This allows
  for decryption oracle attacks and may lead to loss of
  confidentiality and authenticity. This vulnerability is deemed critical.
  CVE-2022-24401
  This problem can be fixed by installing a firmware upgrade.
  ★★★★★
- Backdoor in TEA1
  The TEA1 algorithm has a backdoor that reduces the original
  80-bit key to a size which is trivially brute-forceable on consumer
  hardware in minutes. This is a critical flaw that leads to loss of
  confidentiality and authenticity. The researchers believe that this
  is a deliberately created weakness to provide intelligence services
  access to the traffic.
  CVE-2022-24402
  This problem can be fixed by using E2EE on top of TEA1.
  ★★★★★
- Lack of ciphertext authentication
  The lack of ciphertext authentication of AIE allows for
  malleability attacks. This may eventually lead to loss of authenticity.
  CVE-2022-24404
  This problem can be fixed by installing a firmware upgrade.
  ★★★★
- Weak anonymisation
  The cryptographic scheme used to obfuscate radio identities has a weak
  design that allows attackers to deanonymize and track users.
  CVE-2022-24403
  This problem can be fixed by using E2EE on top of TEA1.
  ★★★
- DCK can be set to 0
  A flaw in the authentication algorithm allows attackers to set the
  Derived Cipher Key (DCK) to 0.
  This may lead to loss of authenticity and partial loss of confidentiality.
  CVE-2022-24400
  This problem can be fixed by migrating to TAA2 (long-term).
  ★

The TETRA encryption algorithms were implemented in 1996 and 1997 by
or on behalf of the Security Experts Group of the
European Telecommunications Standards Institute (ETSI-SAGE).
It is ETSI's policy not to disclose their cryptographic algorithms
and not to submit them to public in-depth security research,
other than validation by the other ETSI-SAGE members, claiming that
obscurity is also a form of security [7]. Researchers
often see this as a violation of Kerckhoffs's Principle however [5],
which in the long run can potentially lead to weak exploitable systems.
On the day of the TETRA:BURST disclosures,
ETSI issued a press statement in which the findings of the
researchers were largely downplayed, claiming that improvements
were already underway and that no actual exploitations of operational
networks were known at the time [6].
The Midnight Blue researchers have since demonstrated real-life
exploitations of some of the vulnerabilities, for example at the
2023 Blackhat Conference in Las Vegas (USA). They have shown that
TETRA communications secured with the TEA1 encryption algorithm
can be broken in one minute on a regular commercial laptop and in 12 hours
on a classic laptop from 1998 [III].

1. Dependence on network time
★★★★★ CVE-2022-24401

In the video below, the first critical vulnerability (CVE-2022-24401) is
demonstrated. It shows a decryption oracle attack that is based on the
fact that the Air Interface Encryption (AIE) keystream relies on network time,
which is publicly broadcast in an unauthenticated manner. The video shows a
lab setup in which an instrumented base station is used as an attacker platform.

★★★★★ CVE-2022-24402

Midnight Blue researchers discovered a backdoor in the TEA1
encryption algorithm, which had clearly been added deliberately, probably
to give intelligence services access to the system.
In the video below, the TEA1 backdoor is demonstrated on a real network.
After breaking the initial key — one minute on a regular laptop —
the rest of the traffic can be read without any problems.

3. Breaking TEA1 on a 1998 laptop
★★★★★ CVE-2022-24401

After the TETRA:BURST vulnerabilities were disclosed on 24 July 2023,
the European standards body ETSI downplayed the
discoveries, saying that the short TEA1 key is not a real backdoor,
and that a key length of 32 bits was appropriate when the standard was
issued in the late 1990s.
To bust these claims, the researchers ran their TEA1 cracking
tool on an old 1998 Toshiba laptop, running Microsoft Windows 95
on a Pentium II at 266 MHz. The key was found after 12.5 hours,
which demonstrates that even in the late 1990s an attack would
have been realistic.

TETRA Encryption Algorithms
TEA

TEA is a set of encryption algorithms that can be used for
Air Interface Encryption (AIE) in the TETRA communications system.
It consists of four variants (TEA1, TEA2, TEA3 and TEA4), with
differing levels of security, depending on the application. The algorithms
are simple yet strong, and can easily be implemented in both hardware and
software. All TEA variants use an 80-bit key.
The structure of the TAA and TEA algorithms, including the
HURDLE block cipher used in TAA, is described in detail in a paper
by Carlo Meijer, Wouter Bokslag and Jos Wetzels — all
involved in the TETRA:BURST vulnerability research at
Midnight Blue [I].

The TEA1 algorithm was intended for commercial applications and
restricted export.
Its structure is very similar to TEA2,
but the 80-bit key is manipulated in such a way that it becomes
a 32-bit key, which can be broken with a brute-force attack
on a regular commercial laptop in around one minute.
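The source code snippet below shows how the key length is reduced.

    #include <stdint.h>

    /* g_abTea1Sbox is the 256-entry TEA1 S-box, defined elsewhere in the
       reverse-engineered source. */
    int32_t tea1_init_key_register(const uint8_t *lpKey) {
        int32_t dwResult = 0;
        /* Feed all 10 key bytes through a register that holds only 32 bits. */
        for (int i = 0; i < 10; i++) {
            dwResult = (dwResult << 8) |
                g_abTea1Sbox[((dwResult >> 24) ^ lpKey[i] ^ dwResult) & 0xff];
        }
        return dwResult;
    }

The key consists of 80 bits, which is equal to 10 bytes.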
In the above code, the 10 bytes are processed one at a time and shifted
into the result register (dwResult). However, as the dwResult
register is only 32 bits wide, the first 48 bits are shifted out
and the key consists of the last 32 bits only, which is trivially
short for a brute-force attack.
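The effect of this register update on the key space, as an added example (not code from this page or from the Midnight Blue source): it uses a constructed, invertible placeholder S-box instead of the real TEA1 table, and all demo_* names are hypothetical. Under that assumption, for any six leading key bytes the last four can be chosen to reach any 32-bit register value, so distinct 80-bit keys collapse onto the same 32-bit state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CONSTRUCTED placeholder S-box, not the real TEA1 table (which this page
 * does not reproduce). x -> 167x + 91 mod 256 is a bijection. */
static uint8_t demo_sbox[256], demo_inv[256];

static void demo_sbox_init(void) {
    for (int x = 0; x < 256; x++) {
        demo_sbox[x] = (uint8_t)(167 * x + 91);
        demo_inv[demo_sbox[x]] = (uint8_t)x;
    }
}

/* One register update, as in the snippet above (uint32_t avoids signed shifts). */
static uint32_t demo_step(uint32_t r, uint8_t k) {
    return (r << 8) | demo_sbox[((r >> 24) ^ k ^ r) & 0xff];
}

static uint32_t demo_key_register(const uint8_t key[10]) {
    uint32_t r = 0;
    for (int i = 0; i < 10; i++) r = demo_step(r, key[i]);
    return r;
}

/* Keep 6 arbitrary leading bytes, then solve for the last 4 so the register
 * ends at `target`: each 32-bit state has 2^48 equivalent 80-bit keys. */
static void demo_equivalent_key(const uint8_t prefix[6], uint32_t target,
                                uint8_t out[10]) {
    uint32_t r = 0;
    memcpy(out, prefix, 6);
    for (int i = 0; i < 6; i++) r = demo_step(r, out[i]);
    for (int i = 6; i < 10; i++) {
        uint8_t want = (uint8_t)(target >> (8 * (9 - i)));
        out[i] = (uint8_t)(demo_inv[want] ^ (r >> 24) ^ r);
        r = demo_step(r, out[i]);
    }
}

int main(void) {
    const uint8_t a[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}; /* constructed */
    const uint8_t p[6] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff};
    uint8_t b[10];
    demo_sbox_init();
    demo_equivalent_key(p, demo_key_register(a), b);
    printf("%08x %08x\n", (unsigned)demo_key_register(a), (unsigned)demo_key_register(b));
    return 0;
}
```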
Although the short key length can be seen as a backdoor
— it is a deliberate weakening —
this is disputed by one of the original developers — Cees Jansen —
as it was done in plain sight and not hidden in some complex code,
function or table [9].
The short key length was simply an ETSI requirement.
Any company that had to implement the algorithm in its equipment,
had access to the design specification and must have been aware
of the limitation [3].
This is corroborated by Gert Roelofsen in an interview with
De Volkskrant on 29 July 2023, in which he states that the government
had been aware of it for the past 30 years [2]. At the time, Roelofsen
was on the ETSI experts team on behalf of the major Dutch telecom
provider KPN.

TEA2 was developed for European emergency services, and is arguably
the strongest of the four algorithms. It uses the full 80-bit key
length. If we assume that a 32-bit key can be broken in one
minute – as with TEA1 above – we can calculate how long it would take
to brute-force an 80-bit key. As each additional bit doubles the required
time, and an 80-bit key has 48 more bits than a 32-bit one,
the total time needed is:

    60 × 2^48 [sec] ≈ 535 million years

If there is no known way to break the cipher other than by means of
a brute-force attack, this algorithm can be assumed secure.

TEA3 is intended for emergency services outside Europe.
It is similar to TEA2 and does not have the weakness of
TEA1 (i.e. the reduced key length). Although it is likely that
TEA3 is stronger than TEA1 and TEA4, it is also likely
that it is weaker than TEA2. So far, the researchers have not found
any weaknesses in this cipher, but acknowledge the need for further
research.

The TEA4 algorithm is intended for commercial use and restricted
access, just like TEA1, which suggests that it also has a
built-in weakness. However, as no implementation of this
cipher was available on the Motorola target MTM-5400 platform,
the researchers were unable to review the algorithm.
It seems likely though, that it has similar weaknesses to TEA1.

Although there is no direct proof of actual exploitation of a TETRA
network, it seems likely that malicious parties are interested in reading
or interfering with TETRA traffic. The simple fact that no exploitations
are known [6], does not mean that they do not exist.
The TETRA:BURST
project shows that reverse-engineering of the cryptographic primitives
is feasible with limited resources.
A weakness like the reduced key
length of TEA1 is so obvious that it will certainly have been
noticed and exploited. Apart from the possibility of reverse-engineering,
an adversary would not be hampered by legal restrictions,
and might use leaked or stolen documentation instead.

Below is a timeline of events since the start of the reverse-engineering
project RE:TETRA on 1 January 2021 and the first public disclosure on 24 July
2023. The Dutch NCSC (NCSC-NL) was informed in December 2021, after which
meetings were held with the law enforcement and intelligence communities,
as well as with ETSI and the vendors. Shortly afterwards, on 2 February 2022,
preliminary advice was distributed to the various stakeholders and CERTs.
The remainder of 2022 and the first half of 2023 were used for coordination
and advisory sessions with stakeholders, allowing manufacturers to come
up with firmware patches, updates or workarounds.
The time between the first contact with NCSC-NL and the public disclosure
of the vulnerabilities, is a carefully chosen tradeoff between giving
asset owners as much time as possible and the right of the public to know.
The 1.5+ years in between were used to find as many stakeholders as
possible and inform/advise them, so that software updates and mitigations
could be developed.

The Midnight Blue researchers will present their findings at the following
events and conferences:

Further source codes on GitHub

References
[1] TETRA:BURST
    Midnight Blue, 24 July 2023.
[2] Huib Modderkolk, Overheid weet al dertig jaar van 'achterdeur' in beveiliging radiocommunicatie
    De Volkskrant, 29 July 2023.
[3] Cees Jansen, TEA co-developer at Philips Crypto BV
    Personal correspondence.
    Crypto Museum, 2 August 2023.
[4] Royal Holloway, University of London, Impact case study (REF3b)
    Design of a block cipher used in TETRA secure radio.
    REF2014. Undated but probably 2014.
[5] Wikipedia, Kerckhoffs's principle
    Retrieved 5 August 2023.
[6] ETSI and TCCA Statement to
    TETRA Security Algorithms Research Findings Publication on 24 July 2023
    ETSI/TCCA. Sophia Antipolis, 24 July 2023.
[7] Kim Zetter, Interview with the ETSI Standards Organisation That Created TETRA "Backdoor"
    Interview between Kim Zetter and Brian Murgatroyd, Chairman ETSI TC TETRA.
    Zero Day website, 25 July 2023.
[8] ETSI and TCCA Statement to
    TETRA Security Algorithms Research Findings Publication on 24 July 2023
    ETSI/TCCA. Sophia Antipolis, 24 July 2023.
[9] Cees Jansen, De Crypto van C2000
    2 August 2023.
© Crypto Museum. Created: Tuesday 08 August 2023. Last changed: Tuesday, 11 June 2024 - 09:22 CET.