
An encryption cipher baked into radio systems with a deliberate backdoor kept secret for 25 years revealed by group of researchers

WIRED: A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight.

Three Dutch security analysts discovered five vulnerabilities in a European radio standard called TETRA (Terrestrial Trunked Radio), which is used in radios made by Motorola, Damm, Hytera, and others. The standard has been used in radios since the 1990s, but the flaws went unnoticed because the encryption algorithms used in TETRA were kept secret until now.

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities. But now it’s finally getting a public airing thanks to a small group of researchers in the Netherlands who got their hands on its viscera and found serious flaws, including a deliberate backdoor.

The backdoor, known for years to the vendors that sold the technology but not necessarily to their customers, exists in an encryption algorithm baked into radios sold for commercial use in critical infrastructure. It is used to transmit encrypted data and commands in pipelines, railways, the electric grid, mass transit, and freight trains. It would allow someone to snoop on communications to learn how a system works, then potentially send commands to the radios that could trigger blackouts, halt gas pipeline flows, or reroute trains.

Researchers found a second vulnerability in a different part of the same radio technology that is used in more specialized systems sold exclusively to police forces, prison personnel, military, intelligence agencies, and emergency services. The flaw would let someone decrypt encrypted voice and data communications and send fraudulent messages to spread misinformation or redirect personnel and forces during critical times.

Because TETRA is embedded in radios supplied through resellers and system integrators like PowerTrunk, it is difficult to identify who might be using them and for what. But Caleb Mathis, a consultant with Ampere Industrial Security, conducted open source research for WIRED and uncovered contracts, press releases, and other documentation showing that TETRA-based radios are used by at least two dozen critical infrastructure operators in the US. Mathis helped WIRED identify several electric utilities, a state border control agency, an oil refinery, chemical plants, a major mass transit system on the East Coast, three international airports that use them for communications among security and ground crew personnel, and a US Army training base.

Based on their own open source research, the researchers found that the vast majority of police forces around the world, apart from those in the US, use TETRA-based radio technology. TETRA is used by police forces in Belgium and the Scandinavian countries, in Eastern European countries such as Serbia, Moldova, Bulgaria, and Macedonia, and in the Middle East in Iran, Iraq, Lebanon, and Syria.

Additionally, the Ministries of Defense in Bulgaria, Kazakhstan, and Syria use it. The Polish military counterintelligence agency uses it, as do the Finnish defense forces and the intelligence services of Lebanon and Saudi Arabia, to name just a few.

The researchers do not know whether the vulnerabilities they found are being actively exploited. But they did find evidence in the Edward Snowden leaks indicating that the US National Security Agency (NSA) and the UK's GCHQ intelligence agency targeted TETRA for eavesdropping in the past. One document discusses an NSA and Australian Signals Directorate project to collect Malaysian police communications during a climate change conference in Bali in 2007 and mentions that they obtained some TETRA collections on Indonesian security forces' communications.

Another Snowden leak describes GCHQ, possibly with NSA assistance, collecting TETRA communications in Argentina in 2010 when tensions rose between it and the UK over oil exploration rights in a deep-sea oil field off the coast of the Falkland Islands. It describes an operation to collect high-priority military and leadership communications of Argentina and reveals that the project resulted in successful TETRA collections.

The researchers say anyone using radio technologies should check with their manufacturer to determine whether their devices use TETRA and what fixes or mitigations are available. The researchers plan to present their findings next month at the Black Hat security conference in Las Vegas, where they will release a detailed technical analysis as well as the secret TETRA encryption algorithms that have been unavailable to the public until now.
