Headline
CVE-2023-23774: TETRA:BURST | Midnight Blue
Motorola EBTS/MBTS Site Controller drops to debug prompt on unhandled exception. The Motorola MBTS Site Controller exposes a debug prompt on the device’s serial port in case of an unhandled exception. This allows an attacker with physical access that is able to trigger such an exception to extract secret key material and/or gain arbitrary code execution on the device.
July, 2023
Introduction
TETRA:BURST is a collection of five vulnerabilities, two of which are deemed critical, affecting the Terrestrial Trunked Radio (TETRA) standard used globally by law enforcement, military, critical infrastructure, and industrial asset owners in the power, oil & gas, water, and transport sectors and beyond.
Most of the TETRA:BURST vulnerabilities affect all TETRA networks. Depending on infrastructure and device configurations, these vulnerabilities allow for realtime decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning. Firmware patches are available for some of these vulnerabilities, while compensating controls are recommended for others.
Background
TETRA was standardized by the European Telecommunications Standards Institute (ETSI) in 1995, is used in more than 100 countries, and is the most widely used police radio communication system outside the U.S. Like its North American counterpart P25 and other standards such as DMR and TETRAPOL, TETRA can be used for voice and data transmission, including in a machine-to-machine capacity.
At its core, TETRA security relies a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys: TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.
Project RE:TETRA
The use of secret, proprietary cryptography, a violation of Kerckhoffs’ Principle, has been shown to result in practically exploitable vulnerabilities in prominent telecommunications standards time and again as shown by the GSM (A5/1, A5/2), GPRS (GEA-1, GEA-2), GMR (GMR-1, GMR-2), and DECT (DSAA, DSC) standards. Despite being widely used and relying on secret cryptography, TETRA had never been subjected to in-depth public security research in its 20+ year history as a result of this secrecy.
In order to shed light on this important piece of technology, Midnight Blue was granted funding by the non-profit NLnet foundation as part of its European Commission supported NGI0 PET fund. Midnight Blue managed to reverse-engineer and publicly analyze the TAA1 and TEA algorithms for the first time, and as a result discovered the TETRA:BURST vulnerabilities.
Details on the RE:TETRA reversing process are found here.
The TETRA:BURST vulnerabilities
CVE
Description
Severity
Impact
Adversary
CVE-2022-24401
The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.
Critical
Loss of confidentiality / authenticity
Active
CVE-2022-24402
The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.
Critical
Loss of confidentiality / authenticity
Passive / active
CVE-2022-24404
Lack of ciphertext authentication on AIE allows for malleability attacks.
High
Loss of authenticity
Active
CVE-2022-24403
The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.
High
User deanonymization
Passive
CVE-2022-24400
A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.
Low
Loss of authenticity / partial loss of confidentiality
Active
CVE-2022-24401, CVE-2022-24404, CVE-2022-24402, and CVE-2022-24403 were validated and found practically exploitable in a lab setup with real TETRA radio and base station hardware.
We have recorded three demonstration videos. In the first, we demonstrate the decryption oracle attack (CVE-2022-24401) in our lab setup using an instrumented base station as an attacker platform. In the second video, we demonstrate the TEA1 backdoor (CVE-2022-24402) on a real network. The last video demonstrates the TEA1 attack running on a 1998 consumer grade laptop, as a response to claims 32 bits of entropy may have been sufficient in the mid nineties.
Publications and conferences
We have spent over two and a half year on our TETRA research, including a coordinated disclosure process that lasted over one and a half year. We will fully disclose our research results and present our work at various conferences throughout the year. Below you will find an updated list of the conferences on (aspects of) the TETRA:BURST vulnerabilities.
Date
Title
Venue
Location
August, 9th
All cops are broadcasting: breaking TETRA after decades in the shadows
Las Vegas
August, 11th
All cops are broadcasting: TETRA under scrutiny
Anaheim
August, 13th
TETRA tour de force: Jailbreaking digital radios and base stations for fun and secrets
Las Vegas
August, 17th
All cops are broadcasting: Obtaining the secret TETRA primitives after decades in the shadows
Berlin
October, 3rd
Kerckhoffs’ revenge
The Hague
November, 14th
Fences don’t stop radio waves: analyzing & breaking TETRA for OT
Copenhagen
Below you’ll find the USENIX academic research paper, along with the slides from the presentation at DEF CON 31. Lastly, our implementation of the TETRA cryptographic primitives is found in our github repository.
Additional details on how we extracted the TETRA cryptographic primitives from a radio, and on how we instrumented a base station for validation of certain TETRA:BURST findings can be found on this page.
Impact
The impact of the TETRA:BURST vulnerabilities depends on the use-cases and configuration aspects of a particular TETRA network.
The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.
The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.
The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.
Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.
Mitigations
As shown in the table below, remediating patches are available for some of the TETRA:BURST issues while compensating controls are available for others. A detailed advisory has been distributed to relevant stakeholders through the Dutch National Cyber-Security Centre (NCSC) and will be released publicly once the embargo on the technical details is lifted.
CVE
Recommended mitigation
Compensating controls
CVE-2022-24404,
CVE-2022-24401
Apply radio firmware patch
Renew keys frequently
CVE-2022-24402
Use E2EE
Adjust OPSEC based on risk assessment (consider TEA1 equivalent to cleartext)
CVE-2022-24400
Apply radio firmware patch
Adjust OPSEC based on risk assessment
CVE-2022-24403
Migrate to TAA2 (long-term)
Adjust OPSEC based on risk assessment (e.g. regarding subscriber identity management)
Coordinated Vulnerability Disclosure (CVD)
While the NCSC’s CVD guidelines stipulate a 6-month period for hardware and embedded systems vulnerabilities, the combined sensitivity of the systems involved, complexity of addressing the TETRA:BURST issues, and leadtime in identifying and reaching as many affected parties as possible has resulted in a disclosure process of well over 1.5 years. A publication date was chosen to find a tradeoff between giving as many asset owners as much time as possible to address these issues while simultaneously ensuring that the issues would become publicly known in a timely fashion to reach those asset owners that could not be identified or reached through private channels.
01-01-2021
Started work on the RE:TETRA project
XX-01-2022
First meetings law enforcement, intelligence community, ETSI, vendors
02-02-2022
Detailed preliminary advisory distributed to stakeholders and CERTs through NCSC-NL
2022 / 2023
Further coordination sessions held and advisory information distributed to stakeholders
24-07-2023
Public notification of issues
09-08-2023
Technical research embargo lifted
Frequently Asked Questions (FAQ)
Am I affected by TETRA:BURST?
If you operate or use a TETRA network, you are certainly affected by all vulnerabilities except CVE-2022-24402 (which only applies if your TETRA network uses TEA1). The exact impact of the issues depends on your TETRA use-case, network configuration, and particular risk profile and relevant threat landscape.
Have the TETRA:BURST vulnerabilities been abused in the wild?
While there are some indications that TETRA systems have been targeted for interception, we have no hard evidence that the TETRA:BURST vulnerabilities specifically have been exploited in the wild. However, since exploitation of most of these issues is hard (CVE-2022-24400, CVE-2022-24401, CVE-2022-24404) or impossible (CVE-2022-24402, CVE-2022-24403) to detect and at least one (CVE-2022-24402) is due to an intentionally weakened cipher - this absence of evidence is most certainly not evidence of absence.
What do you mean by backdoor?
The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakning. While the cipher itself does not seem to be a terribly weak design, there is a computational step which serves no other purpose than to reduce the key’s effective entropy. Similar weakened cryptography has played a part in flaws in GSM (A5/1, A5/2), GMR (GMR-1), GPRS (GEA-1), DMR (‘Basic’ and ‘Enhanced’ encryption), and P25 (ADP) and mostly results from export control practices (See: https://en.wikipedia.org/wiki/Crypto_Wars#PC_era) at the time of design. Unfortunately, in the decades that have passed since then, this cipher has remained in use both inside and outside Europe without loud and clear warnings being issued about its actual security posture.
Is there a fix?
See the mitigation recommendations above for a general overview and contact your national or sectoral CERT for a more detailed advisory until the research embargo lifts on the 9th of August.
Is more technical information available?
The technical details of these vulnerabilities and different aspects of the research that led up to their discovery have been published at the 2023 editions of Black Hat USA, USENIX Security, and DEF CON. The research materials (USENIX Security academic paper, Blackhat slide materials, and a link to our implementation of the TETRA cryptographic primitives) are available on this page. Additionally, a whitepaper on the security of TETRA and a whitepaper on the extraction process of the primitives from a radio, will be added shortly on this page.
Is proof-of-concept code available?
Proof-of-concept attack code will not be released due to the potential for abuse.
Where can I find the official advisories?
Official advisories should become available through the central MITRE CVE entries for the following CVE numbers: CVE-2022-24400, CVE-2022-24401, CVE-2022-24402, CVE-2022-24403, CVE-2022-24404.
Am I free to use the logo?
Yes, you are free to include the TETRA:BURST logo in any works referencing these issues. Rights waved via CC0 license. Feel free to grab the vector image from the top of the page or from https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64b4e802de8dcc67e6fef6c4_tetraburst.svg
Acknowledgements
This research was supported by the NLnet Foundation with financial support from the European Commission’s Next Generation Internet programme. We would like to thank Michiel Leenaars and Bob Goudriaan from the NLnet foundation for their support during the grant application, project management, and later coordinated disclosure process. We would also like to thank Christian Veenman and the Dutch NCSC for their extensive support and collaboration during the coordinated disclosure process.
Related news
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have