Work with us
August, 2023

RE:TETRA CVEs

Introduction

Over the course of our research project regarding the extraction and initial cryptanalysis of the TETRA cryptographic primitives, we additionally uncovered several vulnerabilities in both TETRA equipment as well as components used by other vendors and sectors.

This page contains a listing of those vulnerabilities. Slide materials and detailed reports will be added after our DEF CON talk.

Background

TETRA was standardized by the European Telecommunications Standards Institute (ETSI) in 1995, is used in more than 100 countries, and is the most widely used police radio communication system outside the U.S. Like its North American counterpart P25 and other standards such as DMR and TETRAPOL, TETRA can be used for voice and data transmission, including in a machine-to-machine capacity.

At its core, TETRA security relies a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys: TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.

Project RE:TETRA

The main goal of project RE:TETRA was to obtain the cryptographic primitives underpinning the security of TETRA, to perform preliminary cryptanalysis on these primitives, and to publish all our findings. Our research on TETRA has lead to the identification of a series of vulnerabilities, known collectively as TETRA:BURST.

Midnight Blue was granted funding by the non-profit NLnet foundation as part of its European Commission supported NGI0 PET fund. On this page, we publish vulnerabilities identified that are not directly related to the TETRA standard, but were either instrumental in achieving our research goals, or simply encountered during technical analysis.

The RE:TETRA vulnerabilities

CVE

Product

Severity

Description

Effect

Texas Instruments OMAP-L138

Critical

SK_LOAD timing side channel during AES module decryption

Key recovery

Texas Instruments OMAP-L138

Critical

Stack overflow on SK_LOAD signature length field

Code execution in TEE

Texas Instruments OMAP-L138

Critical

Flawed SK_LOAD module authenticity check

Code execution in TEE

Motorola MTM5000 series

High

Format string vulnerability in AT+CTGL command

Code execution

Motorola MTM5000 series

Medium

Weak PRNG entropy source used for authentication challenge generation

Vulnerable to CVE-2022-24400

Motorola MTM5000 series

Critical

Multiple missing pointer validation checks in trusted execution module

Code execution in TEE

Motorola MTM5000 series

Medium

Unconfigured memory protection modules

Code execution

Motorola EBTS/MBTS

Medium

Motorola MBTS Site Controller accepts hard-coded backdoor password

Unauthorized access

Motorola EBTS/MBTS

Medium

Motorola MBTS Base Radio accepts hard-coded backdoor password

Unauthorized access

Motorola EBTS/MBTS

High

Motorola MBTS Site Controller fails to check firmware update authenticity

Code execution

Motorola EBTS/MBTS

High

Motorola MBTS Base Radio fails to check firmware authenticity

Code execution

Motorola EBTS/MBTS

High

Motorola MBTS Site Controller drops to debug prompt on unhandled exception

Privilege escalation

Publications and conferences

We have spent over two and a half year on our TETRA research, including a coordinated disclosure process that lasted over one and a half year. We will fully disclose our research results and present our work at various conferences throughout the year. Below you will find an updated list of the conferences on (aspects of) the TETRA:BURST vulnerabilities.

Date

Title

Venue

Location

August, 9th

All cops are broadcasting: breaking TETRA after decades in the shadows

Las Vegas

August, 11th

All cops are broadcasting: TETRA under scrutiny

Anaheim

August, 13th

TETRA tour de force: Jailbreaking digital radios and base stations for fun and secrets

Las Vegas

TBD

All cops are broadcasting: Obtaining the secret TETRA primitives after decades in the shadows

Berlin

October, 3rd

Kerckhoffs’ revenge

The Hague

November, 14th

Fences don't stop radio waves: analyzing & breaking TETRA for OT

Copenhagen


Slides of our DEF CON talk are available below. Additional materials, such as a whitepaper on the RE:TETRA process and a link to our github repository, will be added soon after.

Impact

These vulnerabilities affect the security offered by the products in which they were encountered. In the case of the MTM5000 series, an attacker may gain code execution and may ultimately extract key material from the radio. The EBTS/MBTS allow an attacker to extract key material and/or plant a persistent backdoor in a TETRA base station. The OMAP-L138 vulnerabilities allow an attacker to gain code execution in the Trusted Execution Environment, nullifying any added security benefits offered by it.

Mitigations

Motorola released a patch for the MTM5000 series that is said to resolve the issues listed on this page. We are not aware of mitigations by Texas Instruments (which should be a mask ROM update for the SoC) or for the Motorola EBTS/MBTS base stations, and recommend to inquire directly with the manufacturers.

Coordinated Vulnerability Disclosure (CVD)

While the NCSC’s CVD guidelines stipulate a 6-month period for hardware and embedded systems vulnerabilities. We have maintained (and exceeded) this recommended embargo period in order to allow manufacturers to communicate the findings to their customers and/or develop mitigatings or compensating controls.

01-01-2021

Started work on the RE:TETRA project

04-03-2022

Reported Motorola MTM5000 series vulnerabilities to NCSC
Technical call with Motorola

30-03-2022

Reported TI OMAP-L138 vulnerabilities to NCSC

31-03-2022

Additional technical call with Texas Instruments

24-01-2023

Reported Motorola EBTS/MBTS vulnerabilities to NCSC

22-02-2023

Additional technical call with Motorola

09-08-2023

Public disclosure of technical details of the vulnerabilities