Security Flaws Found in Police and Military Radio Encryption

 

Cybersecurity experts have uncovered significant flaws in encryption systems used by police and military radios globally, potentially allowing malicious actors to intercept secure communications. 

Background and context 

In 2023, Dutch security researchers from Midnight Blue unearthed an intentional backdoor in TETRA (Terrestrial Trunked Radio) encryption algorithms used in radios deployed by law enforcement, intelligence agencies, and military organizations worldwide. This discovery led the European Telecommunications Standards Institute (ETSI) to recommend users implement additional end-to-end encryption (E2EE) for sensitive communications. 

The same research team has now identified that at least one version of the TCCA-endorsed E2EE solution contains similar flaws. The encryption algorithm analyzed starts with a 128-bit key but reduces it to just 56 bits before encrypting data, making it vulnerable to unauthorized access. Additionally, researchers discovered a second vulnerability that could allow attackers to send deceptive messages or replay legitimate communications.

The TETRA standard includes four encryption algorithms (TEA1, TEA2, TEA3, TEA4) designed for different security levels based on the target customer. All use 80-bit keys, but TEA1 was found to reduce its key to just 32 bits, enabling researchers to crack it in under a minute. The key reduction appears to have been implemented to comply with export control regulations for encryption sold to customers outside Europe.

Global impact

TETRA radios are extensively employed by law enforcement agencies in Belgium, Scandinavian nations, Eastern European countries, and Middle Eastern nations including Iran, Iraq, Lebanon, and Syria. Defense ministries in Bulgaria, Kazakhstan, and Syria, along with intelligence services from Poland, Finland, Lebanon, and Saudi Arabia, also employ these systems. However, it remains unclear how many entities use the vulnerable E2EE implementation.

Disclosure challenges

The research reveals a concerning lack of transparency regarding security limitations. While some manufacturers include vulnerability information in brochures, others only address it in internal communications or don't mention it at all. A leaked product bulletin indicated that encryption key length is "subject to export control regulations," but it's uncertain whether end users are properly informed about potential security risks.

The findings will be presented at the Black Hat security conference, highlighting ongoing challenges in securing critical communications infrastructure used by law enforcement and military organizations worldwide.