On July 24, a group of researchers at Midnight Blue announced TETRA:BURST, a set of five new vulnerabilities affecting the TETRA standard for radio communication. The vulnerabilities, at least one of which is an intentional backdoor, allow attackers to intercept and inject radio traffic used in a variety of settings, such as voice communication for police, military and emergency units worldwide as well as data transmission for railway signaling, SCADA WAN networking in power grids and other critical infrastructure functions.
Full details of the vulnerabilities will be presented at the Black Hat security conference. In this blog post, we discuss some details of TETRA:BURST, its impact and what organizations can do to mitigate risks.
What are TETRA and TETRA:BURST?
Terrestrial Trunked Radio (TETRA) is a radio system standardized by the European Telecommunications Standards Institute (ETSI) in 1995. It was designed to be used globally by government agencies, the military, emergency services, railways, transport services and other critical infrastructure sectors.
TETRA is used in more than 100 countries and is the most widely used police radio communication system outside the U.S.
TETRA security relies on a set of secret, proprietary cryptographic algorithms. The TAA1 suite is used for authentication and key distribution, while TEA1-4 algorithms are used for voice and data encryption.
The use of proprietary cryptography is known to be problematic and has led to exploitable vulnerabilities in previous standards such as A5/2 and COMP128 for GSM, GEA-1 for GPRS, and GMR for satellite phones. Because the TETRA algorithms are secret, there had been no public research on weaknesses in TETRA cryptography until now, even though TETRA is such an important piece of critical infrastructure.
TETRA:BURST is a set of five new CVEs that highlight fundamental weaknesses, at least one of which is intentional, in the TAA1 and TEA algorithms, as shown below.
| CVE | Description | Severity | Impact | Attack type |
| --- | --- | --- | --- | --- |
| CVE-2022-24401 | The air interface encryption (AIE) keystream relies on the network time, which is publicly broadcast. This allows for delayed decryption oracle attacks. | Critical | Loss of confidentiality / authenticity | Active |
| CVE-2022-24402 | The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes. | Critical | Loss of confidentiality / authenticity | Passive / Active |
| CVE-2022-24403 | The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users. | High | User deanonymization | Passive |
| CVE-2022-24404 | Lack of cryptographic integrity check on TETRA air-interface encrypted traffic, leading to malleability attacks. | High | Loss of authenticity | Active |
| CVE-2022-24400 | A flaw in the authentication algorithm allows attackers to set the derived cipher key (DCK) to 0. | Low | Loss of authenticity / partial loss of confidentiality | Active |
The impact of the issues above is highly dependent on how TETRA is used by organizations, such as whether it transmits voice or data and which cryptographic algorithm is in place.
For police and military units, for instance, which typically rely on TEA2 or TEA3 in European or allied countries, the deanonymization attack enabled by CVE-2022-24403 may be critical, since those units should not be trackable based on their radio communications. The decryption attacks enabled by CVE-2022-24401 and CVE-2022-24404 are also very problematic in this setting, since confidentiality is paramount for the messages exchanged among these units.
For critical infrastructure operators, which typically rely on TEA1 encryption or use cleartext communications if they do not share their TETRA infrastructure with national emergency networks, CVE-2022-24402 is probably the worst. By exploiting this vulnerability, attackers can inject data traffic that is used for monitoring and control of industrial equipment. As an example, electrical substations can wrap protocols such as DNP3, IEC-101 or IEC-104 in encrypted TETRA to have SCADA systems communicate with remote terminal units (RTUs) over a wide area network (WAN). Decrypting this traffic and injecting malicious traffic allows an attacker to achieve denial of control/view or manipulation of control/view, thus performing dangerous actions such as opening circuit breakers in electrical substations, which can lead to blackout events similar to the impact of the Industroyer malware.
Based on open-source intelligence, such as customer testimonials and tender documents, one can find confirmed TEA1 users at major airports, harbors, railway operators, power transmission system operators (TSOs) and distribution system operators (DSOs). In addition, since TEA1 is the only algorithm that can legally be used by operators of non-emergency service networks, a critical infrastructure operator that does not use the national emergency service network infrastructure must use TEA1 or cleartext communications.
Since the impact of the vulnerabilities is dependent on how TETRA is used, the mitigation recommendations are as well.
Police, military and EMS
For voice and text messaging users – such as police or military forces and emergency services – the researchers recommend the following mitigation actions and compensating controls per CVE.
| CVE | Recommended mitigation | Compensating controls |
| --- | --- | --- |
| | Update radio firmware when released. Use end-to-end encryption. | Renew keys frequently. Adjust operational security (OPSEC) as needed based on comprehensive risk assessment. |
| CVE-2022-24402 | Use end-to-end encryption. | Consider TEA1 cleartext-equivalent and adjust OPSEC as needed. |
| CVE-2022-24403 | Migrate to TAA2 (long-term). | Adjust OPSEC as needed based on comprehensive risk assessment (e.g., regarding subscriber identity management). |
| CVE-2022-24400 | Update radio firmware when released. Use end-to-end encryption. Migrate to TAA2 (long-term). | Disable radios with unacceptable firmware update timelines. |
Critical infrastructure operators
For critical infrastructure operators using serial or IP communications over TETRA, we recommend the following:
- Deploy SCADA-to-RTU end-to-end encryption as soon as possible. While TETRA end-to-end solutions are available, these have not been publicly audited and are likely time-consuming to deploy in critical infrastructure. As such, we recommend deploying point-to-point encryption solutions on top of TETRA such as VPN tunnels and TLS terminators for IP-based systems and serial encrypters for serial systems. These solutions can be deployed transparently between SCADA gateways and RTUs.
- Consider TETRA-exposed assets as perimeter devices to be hardened. Rely on hardware and native hardening capabilities provided by each vendor for defense-in-depth, but also consider general recommendations such as changing/rotating credentials, disabling unused services, and adopting secure configurations.
- Segment the network to prevent lateral movement from/to TETRA-exposed assets. Since those assets should be considered perimeter devices, it is important to limit communications from/to them as much as possible, possibly only to a limited list of trusted peers.
- Monitor the relevant networks with TETRA-exposed assets. Even after a network is well-segmented (or during the segmentation project, which typically can take months) it is crucial to use OT-aware deep packet inspection solutions to monitor device communication. Such solutions can alert whenever communications are known to be malicious or look suspicious and could indicate an attack.
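As an added illustration of the segmentation and monitoring points above (not code from the original post or from the researchers), the following minimal IEC 60870-5-104 inspector does what an OT-aware monitor would do on SCADA-to-RTU traffic: it parses each APDU, flags any control command (the ASDU types that operate breakers and set points) coming from a peer outside the operator's allowlist, and records control activations from trusted peers for audit. The allowlist, the peer addresses and the sample frames are constructed assumptions, not values from the post.

```python
"""Minimal IEC 60870-5-104 inspector for SCADA-to-RTU traffic (added illustration).
Assumes the monitor sees the TCP payloads and the operator keeps an allowlist of peers
permitted to issue control commands; neither comes from the post."""
from dataclasses import dataclass

# ASDU type IDs that carry process control commands (45-51 and, time-tagged, 58-64).
CONTROL_TYPES = {45: "single command", 46: "double command", 47: "regulating step",
                 48: "set point (normalised)", 49: "set point (scaled)",
                 50: "set point (float)", 51: "bitstring"}
CONTROL_TYPES.update({t + 13: n + ", time-tagged" for t, n in CONTROL_TYPES.items()})
ACTIVATION = 6  # cause of transmission "activation"

@dataclass
class Asdu:
    type_id: int
    cause: int        # cause of transmission (low 6 bits of the COT byte)
    common_addr: int  # common address of ASDU (the station)
    ioa: int          # information object address of the first object
    element: bytes    # first information element, e.g. DCO for a double command

def parse_apdu(data: bytes):
    """Parse one APDU; return an Asdu for I-format frames, None for S/U frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("malformed IEC-104 APDU")
    if data[2] & 0x01:  # control field 1 ends in 01 (S-format) or 11 (U-format)
        return None
    asdu = data[6:]
    if len(asdu) < 9:   # 6-byte data unit identifier + 3-byte IOA
        raise ValueError("truncated ASDU")
    return Asdu(asdu[0], asdu[2] & 0x3F, int.from_bytes(asdu[4:6], "little"),
                int.from_bytes(asdu[6:9], "little"), asdu[9:])

def inspect(src: str, dst: str, payload: bytes, controllers: set) -> list:
    """Alert on any control ASDU from a peer outside the allowlist (critical) and
    record control activations from listed peers for audit (info)."""
    asdu = parse_apdu(payload)
    if asdu is None or asdu.type_id not in CONTROL_TYPES:
        return []
    what = f"{CONTROL_TYPES[asdu.type_id]} -> station {asdu.common_addr}, IOA {asdu.ioa}"
    if asdu.type_id in (46, 59) and asdu.element:  # decode double-command state (DCS)
        what += {1: " OFF", 2: " ON"}.get(asdu.element[0] & 0x03, " (invalid DCS)")
    if src not in controllers:
        return [f"CRITICAL {src}->{dst}: control command from unlisted peer: {what}"]
    return [f"INFO {src}->{dst}: control activation: {what}"] if asdu.cause == ACTIVATION else []

# Constructed sample frames (not captured traffic): double command ON, activation;
# general interrogation (type 100); S-format acknowledgement.
DOUBLE_CMD_ON = bytes.fromhex("680e000000002e010600010001000002")
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")
S_FRAME_ACK = bytes.fromhex("680401000200")
```

Calling `inspect(peer, rtu, DOUBLE_CMD_ON, allowlist)` for a peer not in the allowlist yields a CRITICAL alert, which is the signal a monitor would raise if injected TETRA traffic reached the RTU side.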
Once again, proprietary encryption is found to be intentionally or unintentionally weak, and a piece of critical infrastructure that has been relied upon for nearly 30 years can no longer be considered secure.
Beyond the individual vulnerabilities and their mitigations, there are three main points that this research highlights, especially for critical infrastructure asset owners:
- There are many potential blind spots on your network and in your risk assessment. The typical OT security discussion still revolves around IT-OT convergence, the issues it brings in terms of increased connectivity and how to segment IT from OT networks or patch OT devices. While all of that is important for those starting an OT security journey, there are many other potential initial access, lateral movement and impact vectors that are rarely discussed. For instance, in our Deep Lateral Movement work, we discussed how some serial or radio devices should be treated as important perimeters. Diving deeper into just the wireless/radio world, there has been research showing vulnerabilities in 900MHz radios, pagers, WirelessHART, ISA 100.11a, ZigBee chips and, more recently, wireless gateways/routers. All these specific devices, protocols and connections need to be assessed, hardened, segmented and monitored. It’s not enough to segment the IT and OT networks and believe your organization is secure.
- If a small team of researchers can find this, state-sponsored actors are likely aware of these issues. When many people think of some of the attack vectors mentioned in the first point, they tend to consider those too difficult to achieve. TETRA:BURST was found by three researchers with limited funding, and that should make you think about several things.
- First, since at least one of the vulnerabilities is an intentional backdoor (an issue that has plagued many telecom standards from the 1990s), this issue was already known to state actors. Likely, this knowledge was initially limited to those involved in its design, but given the wide range of countries with TETRA vendors in possession of the secret specifications and the even wider range of countries to whom equipment has been exported over the years, pre-existing capabilities for this issue likely exist among state actors.
- Second, there are still other proprietary standards, protocols, solutions and devices that have not been analyzed and may suffer from similar issues, which may or may not be known to some potential attackers. We still tend to associate 0-days and sophisticated attacks with state actors, but even ransomware groups have started hoarding 0-days and planning long-term exploitation campaigns to achieve their (financial) goals. If the threat landscape faced by your organization includes state-sponsored actors or sophisticated criminal actors, you should factor attack vectors such as this into your risk assessments.
- On the bright side, wireless/radio attacks have a natural limiting factor: distance. These attacks need some form of physical proximity to be carried out. In the case of a WAN standard like TETRA, this proximity may be in the range of kilometers for passive attacks. Active attacks require shorter distances, which can still be covered by mobile SDR-based platforms such as drone- or vehicle-mounted units. Nevertheless, these issues are different from vulnerable internet-facing systems in that they require some degree of physical proximity at least once.
Considering this last point and the fact that there are no signs of immediate mass exploitation of these issues, we want to stress that organizations do not need to panic. However, considering how difficult, expensive and time-consuming it is to overhaul communications infrastructure, it is crucial for organizations to at least factor these issues into their risk assessments, roll out mitigations or compensating controls where merited, and incorporate the evaluation of these risks into their long-term infrastructure planning and communications technology choices.