TERA: Burst New Vulnerabilities Exposed in Widely Used
Radio Communication System.
The affected encryption algorithm is embedded in radios used for commercial purposes in critical infrastructure such as pipelines, railways, electric grids, mass transit, and freight trains. The discovered backdoor could allow unauthorized access to communications and enable potential attackers to interfere with these systems, leading to blackouts, disruptions in gas pipelines, or train rerouting.
Risks to Emergency Services Communication
Another vulnerability was found in a different part of the same radio technology used exclusively by police forces, military, intelligence agencies, and emergency services. This flaw could enable the decryption of encrypted voice and data communications, allowing the spread of misinformation or unauthorized redirection of personnel during critical situations.
The vulnerabilities were found in a European radio standard called TETRA, which has been used in radios since the 1990s. However, the flaws remained unknown because encryption algorithms used in TETRA were kept secret until now.
Although TETRA is not widely used in the US, it is utilized in at least two dozen critical infrastructures in the country. Identifying specific users is challenging because TETRA is embedded in radios supplied through resellers and system integrators.
Overview of TETRA's Development and Encryption Algorithms
The researchers discovered a total of five vulnerabilities, which they named TETRA:Burst, and reported them to the Dutch National Cyber Security Centre. The vulnerabilities were disclosed to radio vendors and computer emergency response teams worldwide to coordinate a response.
One of the vulnerabilities involves a backdoor in the TEA1 encryption algorithm, which uses a weakened key of only 32 bits, making it vulnerable to attacks. TEA1 was designed for commercial use and for radios used in critical infrastructure, but it is also used by public safety agencies and the military.
Another vulnerability affects all TETRA encryption algorithms and exploits the way TETRA handles time syncing and keystream generation. Attackers can intercept and collect encrypted communication and later decrypt it by exploiting unauthenticated and unencrypted time broadcasts.
The researchers plan to present their findings, which include the secret TETRA encryption algorithms, at a security conference. They hope the public disclosure will lead to further scrutiny and examination of the algorithms for other potential issues.
TETRA, developed in the 1990s by the European Telecommunications Standards Institute (ETSI), uses four encryption algorithms, and the vulnerabilities were found in TEA1 and the standard itself. Although TEA2, used by police and military in Europe, did not exhibit weaknesses, TEA3's suspicions were unfounded.
The discovered vulnerabilities have raised concerns, as some of the weaknesses have been known in the industry and government circles. The researchers did not find evidence of active exploitation, but leaked documents from Edward Snowden indicated that intelligence agencies like the NSA and GCHQ had targeted TETRA for eavesdropping in the past.
To address the issues, ETSI revised the TETRA standard to fix the keystream/timestamp vulnerability, and vendors developed firmware updates. However, the problem with TEA1 cannot be fixed with an update, requiring a switch to another algorithm or adding end-to-end encryption, both of which have practical challenges.
The researchers advise users of radio technologies to check with their manufacturers to determine if their devices use TETRA and what fixes or mitigations are available.
0 Comments