Researchers discover backdoor in TETRA

Estimated read time 4 min read

Dutch researchers have identified significant vulnerabilities in Terrestrial Trunked Radio (TETRA), a radio technology used globally to control critical infrastructure, including power networks, gas pipelines, and trains. These security flaws could potentially be exploited to cause widespread disruption.

Uncovered Vulnerabilities in Global Infrastructure

The vulnerabilities are embedded within the TETRA communication system, a standard radio technology similar to the Global System for Mobile Communications (GSM) for mobile telephony.

TETRA is commonly utilized within critical infrastructure systems, such as the Rotterdam port, public transport companies GVB, RET, and HTM in the Netherlands, various airports, and even C2000, the communication system of the Dutch police, fire brigade, ambulance services, and parts of the Ministry of Defense.

Internationally, the TETRA system is used to control high-voltage distribution boxes, oil and gas pipelines, and railway security. Countries like Germany, France, and Spain, which depend on TETRA for their infrastructure, are now potentially at risk of sabotage.

Significance of the Vulnerabilities

“The findings of this research are severe,” stated Bart Jacobs, Professor of Computer Security at Radboud University Nijmegen. “It’s serious for the government, but also for businesses. It involves vital infrastructure that can be affected by severe attacks.”

Jos Wetzels of cybersecurity company Midnight Blue, one of the researchers, warns that malevolent actors could, with relative ease, send malicious commands to high-voltage stations, potentially disabling the power supply to large parts of a country.

CVE-2022-24401The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks.CriticalLoss of confidentiality / authenticityActive
CVE-2022-24402The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes.CriticalLoss of confidentiality / authenticityPassive / active
CVE-2022-24404Lack of ciphertext authentication on AIE allows for malleability attacks.HighLoss of authenticityActive
CVE-2022-24403The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users.HighUser deanonymizationPassive
CVE-2022-24400A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0.LowLoss of authenticity / partial loss of confidentialityActive
The TETRA:BURST vulnerabilities | source

Risk Scenario

The threat to critical infrastructure in the Netherlands is relatively limited compared to the rest of the world, according to Wetzels. However, the risks for the Netherlands involve criminals eavesdropping on the communication of port personnel and security to facilitate the extraction of containers or disrupt emergency services communication.

Law Enforcement Networks At Risk

A second major vulnerability in TETRA could be exploited to crack the C2000 network of emergency services. This can still be tapped by attackers, such as criminal organizations and malevolent foreign governments, warn the researchers.


What the researchers also noticed is that one of the vulnerabilities in TETRA was deliberately introduced, Bokslag explains: “It’s just a backdoor, the technology is designed in such a way that it is easy to crack and that seems to have been kept under wraps for decades.

The question is who knows all this. We are only three researchers with a limited budget, but there are enough attackers who have both the knowledge and the money to exploit this.”

According to Meijer, the research underlines the need to always make cryptography – the technology behind encryption – public. That may sound strange: if it is public, anyone can view it and crack it – and thus make it safer. “If one party keeps it a secret, researchers can’t see it and, like TETRA, vulnerabilities persist quietly for decades.”

Jacobs adds: “In short, TETRA is old stuff that has been used for far too long. That is a bad thing. Not only from the suppliers of this type of system, but also from the buyers such as the government and large companies. They should have been more critical and simply purchased open systems instead of these types of secret systems.”


  • This news is covered from (Link)
  • Read the full report by Midnightblue (Report)
Reza Rafati

Reza Rafati, based in the Netherlands, is the founder of An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author