CVE-2023-23774: TETRA:BURST | Midnight Blue

July, 2023

Introduction

TETRA:BURST is a collection of five vulnerabilities, two of which are deemed critical, affecting the Terrestrial Trunked Radio (TETRA) standard used globally by law enforcement, military, critical infrastructure, and industrial asset owners in the power, oil & gas, water, and transport sectors and beyond.

Most of the TETRA:BURST vulnerabilities affect all TETRA networks. Depending on infrastructure and device configurations, these vulnerabilities allow for realtime decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning. Firmware patches are available for some of these vulnerabilities, while compensating controls are recommended for others.

Background

TETRA was standardized by the European Telecommunications Standards Institute (ETSI) in 1995, is used in more than 100 countries, and is the most widely used police radio communication system outside the U.S. Like its North American counterpart P25 and other standards such as DMR and TETRAPOL, TETRA can be used for voice and data transmission, including in a machine-to-machine capacity.

At its core, TETRA security relies a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys: TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.

Project RE:TETRA

The use of secret, proprietary cryptography, a violation of Kerckhoffs’ Principle, has been shown to result in practically exploitable vulnerabilities in prominent telecommunications standards time and again as shown by the GSM (A5/1, A5/2), GPRS (GEA-1, GEA-2), GMR (GMR-1, GMR-2), and DECT (DSAA, DSC) standards. Despite being widely used and relying on secret cryptography, TETRA had never been subjected to in-depth public security research in its 20+ year history as a result of this secrecy.

In order to shed light on this important piece of technology, Midnight Blue was granted funding by the non-profit NLnet foundation as part of its European Commission supported NGI0 PET fund. Midnight Blue managed to reverse-engineer and publicly analyze the TAA1 and TEA algorithms for the first time, and as a result discovered the TETRA:BURST vulnerabilities.

Details on the RE:TETRA reversing process are found here.

The TETRA:BURST vulnerabilities

CVE

Description

Severity

Impact

Adversary

CVE-2022-24401

The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.

Critical

Loss of confidentiality / authenticity

Active

CVE-2022-24402

The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.

Critical

Loss of confidentiality / authenticity

Passive / active

CVE-2022-24404

Lack of ciphertext authentication on AIE allows for malleability attacks.

High

Loss of authenticity

Active

CVE-2022-24403

The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.

High

User deanonymization

Passive

CVE-2022-24400

A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.

Low

Loss of authenticity / partial loss of confidentiality

Active

CVE-2022-24401, CVE-2022-24404, CVE-2022-24402, and CVE-2022-24403 were validated and found practically exploitable in a lab setup with real TETRA radio and base station hardware.

We have recorded three demonstration videos. In the first, we demonstrate the decryption oracle attack (CVE-2022-24401) in our lab setup using an instrumented base station as an attacker platform. In the second video, we demonstrate the TEA1 backdoor (CVE-2022-24402) on a real network. The last video demonstrates the TEA1 attack running on a 1998 consumer grade laptop, as a response to claims 32 bits of entropy may have been sufficient in the mid nineties.

Publications and conferences

We have spent over two and a half year on our TETRA research, including a coordinated disclosure process that lasted over one and a half year. We will fully disclose our research results and present our work at various conferences throughout the year. Below you will find an updated list of the conferences on (aspects of) the TETRA:BURST vulnerabilities.
‍

Date

Title

Venue

Location

August, 9th

All cops are broadcasting: breaking TETRA after decades in the shadows

Las Vegas

August, 11th

All cops are broadcasting: TETRA under scrutiny

Anaheim

August, 13th

TETRA tour de force: Jailbreaking digital radios and base stations for fun and secrets

Las Vegas

August, 17th

All cops are broadcasting: Obtaining the secret TETRA primitives after decades in the shadows

Berlin

October, 3rd

Kerckhoffs’ revenge

The Hague

November, 14th

Fences don’t stop radio waves: analyzing & breaking TETRA for OT

Copenhagen

Below you’ll find the USENIX academic research paper, along with the slides from the presentation at DEF CON 31. Lastly, our implementation of the TETRA cryptographic primitives is found in our github repository.

Additional details on how we extracted the TETRA cryptographic primitives from a radio, and on how we instrumented a base station for validation of certain TETRA:BURST findings can be found on this page.

Impact

The impact of the TETRA:BURST vulnerabilities depends on the use-cases and configuration aspects of a particular TETRA network.

The issues of most immediate concern, especially to law enforcement and military users, are the decryption oracle and malleability attacks (CVE-2022-24401 and CVE-2022-24404) which allow for interception and malicious message injection against all non-E2EE protected traffic regardless of which TEA cipher is used. This could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications.

The second issue of immediate concern, especially for critical infrastructure operators who do not use national emergency services TETRA networks, is the TEA1 backdoor (CVE-2022-24402) which constitutes a full break of the cipher, allowing for interception or manipulation of radio traffic. By exploiting this issue, attackers can not only intercept radio communications of private security services at harbors, airports, and railways but can also inject data traffic used for monitoring and control of industrial equipment. As an example, electrical substations can wrap telecontrol protocols in encrypted TETRA to have SCADA systems communicate with Remote Terminal Units (RTUs) over a Wide-area Network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to potentially perform dangerous actions such as opening circuit breakers in electrical substations or manipulate railway signalling messages.

The deanonymization issue (CVE-2022-24403) is primarily relevant in a counter-intelligence context, where it enables low-cost monitoring of TETRA users and their movements in order to allow a state or criminal adversary to avoid covert observation or serve as an early warning of impending intervention by special forces.

Finally, the DCK pinning attack (CVE-2022-24400) does not allow for a full MitM attack but does allow for uplink interception as well as access to post-authentication protocol functionality.

Mitigations

As shown in the table below, remediating patches are available for some of the TETRA:BURST issues while compensating controls are available for others. A detailed advisory has been distributed to relevant stakeholders through the Dutch National Cyber-Security Centre (NCSC) and will be released publicly once the embargo on the technical details is lifted.

CVE

Recommended mitigation

Compensating controls

CVE-2022-24404,
CVE-2022-24401

Apply radio firmware patch

Renew keys frequently

CVE-2022-24402

Use E2EE

Adjust OPSEC based on risk assessment (consider TEA1 equivalent to cleartext)

CVE-2022-24400

Apply radio firmware patch

Adjust OPSEC based on risk assessment

CVE-2022-24403

Migrate to TAA2 (long-term)

Adjust OPSEC based on risk assessment (e.g. regarding subscriber identity management)

Coordinated Vulnerability Disclosure (CVD)

While the NCSC’s CVD guidelines stipulate a 6-month period for hardware and embedded systems vulnerabilities, the combined sensitivity of the systems involved, complexity of addressing the TETRA:BURST issues, and leadtime in identifying and reaching as many affected parties as possible has resulted in a disclosure process of well over 1.5 years. A publication date was chosen to find a tradeoff between giving as many asset owners as much time as possible to address these issues while simultaneously ensuring that the issues would become publicly known in a timely fashion to reach those asset owners that could not be identified or reached through private channels.

01-01-2021

Started work on the RE:TETRA project

XX-01-2022

First meetings law enforcement, intelligence community, ETSI, vendors

02-02-2022

Detailed preliminary advisory distributed to stakeholders and CERTs through NCSC-NL

2022 / 2023

Further coordination sessions held and advisory information distributed to stakeholders

24-07-2023

Public notification of issues

09-08-2023

Technical research embargo lifted

Frequently Asked Questions (FAQ)

Am I affected by TETRA:BURST?

If you operate or use a TETRA network, you are certainly affected by all vulnerabilities except CVE-2022-24402 (which only applies if your TETRA network uses TEA1). The exact impact of the issues depends on your TETRA use-case, network configuration, and particular risk profile and relevant threat landscape.

Have the TETRA:BURST vulnerabilities been abused in the wild?

While there are some indications that TETRA systems have been targeted for interception, we have no hard evidence that the TETRA:BURST vulnerabilities specifically have been exploited in the wild. However, since exploitation of most of these issues is hard (CVE-2022-24400, CVE-2022-24401, CVE-2022-24404) or impossible (CVE-2022-24402, CVE-2022-24403) to detect and at least one (CVE-2022-24402) is due to an intentionally weakened cipher - this absence of evidence is most certainly not evidence of absence.

What do you mean by backdoor?

The vulnerability in the TEA1 cipher (CVE-2022-24402) is obviously the result of intentional weakning. While the cipher itself does not seem to be a terribly weak design, there is a computational step which serves no other purpose than to reduce the key’s effective entropy. Similar weakened cryptography has played a part in flaws in GSM (A5/1, A5/2), GMR (GMR-1), GPRS (GEA-1), DMR (‘Basic’ and ‘Enhanced’ encryption), and P25 (ADP) and mostly results from export control practices (See: https://en.wikipedia.org/wiki/Crypto_Wars#PC_era) at the time of design. Unfortunately, in the decades that have passed since then, this cipher has remained in use both inside and outside Europe without loud and clear warnings being issued about its actual security posture.

Is there a fix?

See the mitigation recommendations above for a general overview and contact your national or sectoral CERT for a more detailed advisory until the research embargo lifts on the 9th of August.

Is more technical information available?

The technical details of these vulnerabilities and different aspects of the research that led up to their discovery have been published at the 2023 editions of Black Hat USA, USENIX Security, and DEF CON. The research materials (USENIX Security academic paper, Blackhat slide materials, and a link to our implementation of the TETRA cryptographic primitives) are available on this page. Additionally, a whitepaper on the security of TETRA and a whitepaper on the extraction process of the primitives from a radio, will be added shortly on this page.

Is proof-of-concept code available?

Proof-of-concept attack code will not be released due to the potential for abuse.

Where can I find the official advisories?

Official advisories should become available through the central MITRE CVE entries for the following CVE numbers: CVE-2022-24400, CVE-2022-24401, CVE-2022-24402, CVE-2022-24403, CVE-2022-24404.

Am I free to use the logo?

Yes, you are free to include the TETRA:BURST logo in any works referencing these issues. Rights waved via CC0 license. Feel free to grab the vector image from the top of the page or from https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64b4e802de8dcc67e6fef6c4_tetraburst.svg

Acknowledgements

This research was supported by the NLnet Foundation with financial support from the European Commission’s Next Generation Internet programme. We would like to thank Michiel Leenaars and Bob Goudriaan from the NLnet foundation for their support during the grant application, project management, and later coordinated disclosure process. We would also like to thank Christian Veenman and the Dutch NCSC for their extensive support and collaboration during the coordinated disclosure process.