Dutch researchers have identified significant vulnerabilities in Terrestrial Trunked Radio (TETRA), a radio technology used globally to control critical infrastructure, including power networks, gas pipelines, and trains. These security flaws could potentially be exploited to cause widespread disruption.
Uncovered Vulnerabilities in Global Infrastructure
The vulnerabilities are embedded within the TETRA communication system, a standard radio technology similar to the Global System for Mobile Communications (GSM) for mobile telephony.
TETRA is commonly utilized within critical infrastructure systems, such as the Rotterdam port, public transport companies GVB, RET, and HTM in the Netherlands, various airports, and even C2000, the communication system of the Dutch police, fire brigade, ambulance services, and parts of the Ministry of Defense.
Internationally, the TETRA system is used to control high-voltage distribution boxes, oil and gas pipelines, and railway security. Countries like Germany, France, and Spain, which depend on TETRA for their infrastructure, are now potentially at risk of sabotage.
Significance of the Vulnerabilities
“The findings of this research are severe,” stated Bart Jacobs, Professor of Computer Security at Radboud University Nijmegen. “It’s serious for the government, but also for businesses. It involves vital infrastructure that can be affected by severe attacks.”
Jos Wetzels of cybersecurity company Midnight Blue, one of the researchers, warns that malevolent actors could, with relative ease, send malicious commands to high-voltage stations, potentially disabling the power supply to large parts of a country.
CVE | Description | Severity | Impact | Adversary |
---|---|---|---|---|
CVE-2022-24401 | The Air Interface Encryption (AIE) keystream generator relies on the network time, which is publicly broadcast in an unauthenticated manner. This allows for decryption oracle attacks. | Critical | Loss of confidentiality / authenticity | Active |
CVE-2022-24402 | The TEA1 algorithm has a backdoor that reduces the original 80-bit key to a key size which is trivially brute-forceable on consumer hardware in minutes. | Critical | Loss of confidentiality / authenticity | Passive / active |
CVE-2022-24404 | Lack of ciphertext authentication on AIE allows for malleability attacks. | High | Loss of authenticity | Active |
CVE-2022-24403 | The cryptographic scheme used to obfuscate radio identities has a weak design that allows attackers to deanonymize and track users. | High | User deanonymization | Passive |
CVE-2022-24400 | A flaw in the authentication algorithm allows attackers to set the Derived Cypher Key (DCK) to 0. | Low | Loss of authenticity / partial loss of confidentiality | Active |
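As an added illustration of the two Air Interface Encryption weaknesses in the table (the time-seeded keystream of CVE-2022-24401 and the missing ciphertext authentication of CVE-2022-24404), the following Python toy model is constructed for this page and is not TETRA's actual TEA1/TEA2 code or Midnight Blue's tooling. It shows why a receiver that decrypts with an unauthenticated keystream-XOR accepts a modified frame without noticing, and how a tag bound to both the ciphertext and the time value makes the receiver reject modified or re-timed frames.

```python
import hashlib
import hmac

# Constructed toy model of a time-seeded air-interface stream cipher. It is
# NOT TETRA's real keystream generator; it only mirrors two structural points
# from the CVE table: the keystream depends on a network time value, and in
# the weak form nothing authenticates the ciphertext.
TAG_LEN = 8


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys (assumed good practice here).
    return hashlib.sha256(label + key).digest()


def keystream(key: bytes, network_time: int, length: int) -> bytes:
    """Keystream bytes derived from (key, network_time, block counter)."""
    enc_key, out, counter = _subkey(key, b"enc"), b"", 0
    while len(out) < length:
        block = enc_key + network_time.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt_unauthenticated(key: bytes, network_time: int, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity tag."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, network_time, len(data))))


decrypt_unauthenticated = encrypt_unauthenticated  # XOR with the same keystream


def _tag(key: bytes, network_time: int, ct: bytes) -> bytes:
    msg = network_time.to_bytes(4, "big") + ct
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()[:TAG_LEN]


def encrypt_authenticated(key: bytes, network_time: int, data: bytes) -> bytes:
    """Hardened form: the tag binds the ciphertext to the time it was sent under."""
    ct = encrypt_unauthenticated(key, network_time, data)
    return ct + _tag(key, network_time, ct)


def decrypt_authenticated(key: bytes, network_time: int, frame: bytes):
    """Plaintext, or None if the frame was modified or presented under another time."""
    ct, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, network_time, ct)):
        return None
    return decrypt_unauthenticated(key, network_time, ct)


def corrupt_first_byte(frame: bytes) -> bytes:
    """Simulate one modified byte in transit (line noise or an active adversary)."""
    return bytes([frame[0] ^ 0x01]) + frame[1:]
```

The unauthenticated receiver hands the altered plaintext to the application as if it were genuine, which is exactly the malleability the table describes; the authenticated receiver returns None and the frame can be logged and dropped.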
Risk Scenario
The threat to critical infrastructure in the Netherlands is relatively limited compared to the rest of the world, according to Wetzels. However, risks remain for the Netherlands: criminals could eavesdrop on the communication of port personnel and security staff to facilitate the extraction of containers, or disrupt emergency services communication.
Law Enforcement Networks At Risk
A second major vulnerability in TETRA could be exploited to crack the C2000 network of the emergency services. The network could still be tapped by attackers such as criminal organizations and malevolent foreign governments, the researchers warn.
Backdoor
The researchers also noticed that one of the vulnerabilities in TETRA was deliberately introduced. Bokslag explains: “It’s just a backdoor, the technology is designed in such a way that it is easy to crack and that seems to have been kept under wraps for decades. The question is who knows all this. We are only three researchers with a limited budget, but there are enough attackers who have both the knowledge and the money to exploit this.”
According to Meijer, the research underlines the need to always make cryptography – the technology behind encryption – public. That may sound strange: if it is public, anyone can view it and try to crack it – and that scrutiny is precisely what makes it safer. “If one party keeps it a secret, researchers can’t see it and, like TETRA, vulnerabilities persist quietly for decades.”
Jacobs adds: “In short, TETRA is old stuff that has been used for far too long. That is a bad thing. Not only from the suppliers of this type of system, but also from the buyers such as the government and large companies. They should have been more critical and simply purchased open systems instead of these types of secret systems.”