In a brief email, NCSC spokesperson Miral Scheffer called TETRA “a crucial foundation for mission-critical communication in the Netherlands and around the world” and emphasized the need for such communications to always be reliable and secure, “especially during crisis situations.” She confirmed the vulnerabilities would let an attacker in the vicinity of impacted radios “intercept, manipulate or disturb” communications and said the NCSC had informed various organizations and governments, including Germany, Denmark, Belgium, and England, advising them how to proceed. A spokesperson for DHS’s Cybersecurity and Infrastructure Security Agency said they are aware of the vulnerabilities but wouldn’t comment further.
The researchers say anyone using radio technologies should check with their manufacturer to determine if their devices are using TETRA and what fixes or mitigations are available.
The researchers plan to present their findings next month at the BlackHat security conference in Las Vegas, when they will release detailed technical analysis as well as the secret TETRA encryption algorithms that have been unavailable to the public until now. They hope others with more expertise will dig into the algorithms to see if they can find other issues.
TETRA was developed in the ’90s by the European Telecommunications Standards Institute, or ETSI. The standard includes four encryption algorithms—TEA1, TEA2, TEA3, and TEA4—that can be used by radio manufacturers in different products, depending on their intended use and customer. TEA1 is for commercial uses; for radios used in critical infrastructure in Europe and the rest of the world, though, it is also designed for use by public safety agencies and military, according to an ETSI document, and the researchers found police agencies that use it.
TEA2 is restricted for use in Europe by police, emergency services, military, and intelligence agencies. TEA3 is available for police and emergency services outside Europe—in countries deemed “friendly” to the EU, such as Mexico and India; those not considered friendly—such as Iran—only had the option to use TEA1. TEA4, another commercial algorithm, is hardly used, the researchers say.
The vast majority of police forces around the world, aside from the US, use TETRA-based radio technology, the researchers found, after conducting open source research. TETRA is used by police forces in Belgium and the Scandinavian countries, East European countries like Serbia, Moldova, Bulgaria, and Macedonia, as well as in the Middle East in Iran, Iraq, Lebanon, and Syria.
Additionally, the Ministries of Defense in Bulgaria, Kazakhstan, and Syria use it. The Polish military counterintelligence agency uses it, as does the Finnish defense forces, and Lebanon and Saudi Arabia’s intelligence service, to name just a few.
Critical infrastructure in the US and other countries use TETRA for machine-to-machine communication in SCADA and other industrial control system settings—especially in widely distributed pipelines, railways, and electric grids, where wired and cellular communications may not be available.
Although the standard itself is publicly available for review, the encryption algorithms are only available with a signed NDA to trusted parties, such as radio manufacturers. The vendors have to include protections in their products to make it difficult for anyone to extract the algorithms and analyze them.