Over the course of our research project regarding the extraction and initial cryptanalysis of the TETRA cryptographic primitives, we additionally uncovered several vulnerabilities in both TETRA equipment as well as components used by other vendors and sectors.
This page contains a listing of those vulnerabilities. Slide materials and detailed reports will be added after our DEF CON talk.
TETRA was standardized by the European Telecommunications Standards Institute (ETSI) in 1995, is used in more than 100 countries, and is the most widely used police radio communication system outside the U.S. Like its North American counterpart P25 and other standards such as DMR and TETRAPOL, TETRA can be used for voice and data transmission, including in a machine-to-machine capacity.
At its core, TETRA security relies on a set of secret, proprietary cryptographic algorithms which are only distributed under strict Non-Disclosure Agreement (NDA) to a limited number of parties. These algorithms consist of the TETRA Authentication Algorithm (TAA1) suite for authentication and key distribution purposes, and the TETRA Encryption Algorithm (TEA) suite for Air Interface Encryption (AIE). The TEA suite consists of four stream ciphers with 80-bit keys, TEA1 to TEA4, where TEA1 and TEA4 were intended for commercial use and restricted export scenarios, while TEA2 and TEA3 were intended for use by European and extra-European emergency services respectively. In addition, optional, vendor-specific end-to-end encryption (E2EE) solutions can be deployed on top of AIE.
The main goal of project RE:TETRA was to obtain the cryptographic primitives underpinning the security of TETRA, to perform preliminary cryptanalysis on these primitives, and to publish all our findings. Our research on TETRA has led to the identification of a series of vulnerabilities, known collectively as TETRA:BURST.
Midnight Blue was granted funding by the non-profit NLnet foundation as part of its European Commission-supported NGI0 PET fund. On this page, we publish the vulnerabilities we identified that are not directly related to the TETRA standard itself, but were either instrumental in achieving our research goals, or simply encountered during technical analysis.
Product | Severity | Vulnerability | Impact
Texas Instruments OMAP-L138 | Critical | SK_LOAD timing side channel during AES module decryption | Key recovery
Texas Instruments OMAP-L138 | Critical | Stack overflow on SK_LOAD signature length field | Code execution in TEE
Texas Instruments OMAP-L138 | Critical | Flawed SK_LOAD module authenticity check | Code execution in TEE
Motorola MTM5000 series | High | Format string vulnerability in AT+CTGL command | Code execution
Motorola MTM5000 series | Medium | Weak PRNG entropy source used for authentication challenge generation | Vulnerable to CVE-2022-24400
Motorola MTM5000 series | Critical | Multiple missing pointer validation checks in trusted execution module | Code execution in TEE
Motorola EBTS/MBTS | Medium | Motorola MBTS Site Controller accepts hard-coded backdoor password | Unauthorized access
Motorola EBTS/MBTS | Medium | Motorola MBTS Base Radio accepts hard-coded backdoor password | Unauthorized access
Motorola EBTS/MBTS | High | Motorola MBTS Site Controller fails to check firmware update authenticity | Code execution
Motorola EBTS/MBTS | High | Motorola MBTS Base Radio fails to check firmware authenticity | Code execution
Motorola EBTS/MBTS | High | Motorola MBTS Site Controller drops to debug prompt on unhandled exception | Privilege escalation
We have spent over two and a half years on our TETRA research, including a coordinated disclosure process that lasted over one and a half years. We will fully disclose our research results and present our work at various conferences throughout the year. Below you will find an updated list of conference talks on (aspects of) the TETRA:BURST vulnerabilities.
Date | Talk | Location
August 9th | All cops are broadcasting: breaking TETRA after decades in the shadows | Las Vegas
August 13th | TETRA tour de force: Jailbreaking digital radios and base stations for fun and secrets | Las Vegas
TBD | All cops are broadcasting: Obtaining the secret TETRA primitives after decades in the shadows | Berlin
Slides of our DEF CON talk are available below. Additional materials, such as a whitepaper on the RE:TETRA process and a link to our GitHub repository, will be added soon after.
These vulnerabilities affect the security offered by the products in which they were encountered. In the case of the MTM5000 series, an attacker may gain code execution and may ultimately extract key material from the radio. The EBTS/MBTS vulnerabilities allow an attacker to extract key material and/or plant a persistent backdoor in a TETRA base station. The OMAP-L138 vulnerabilities allow an attacker to gain code execution in the Trusted Execution Environment, nullifying any added security benefits offered by it.
Motorola released a patch for the MTM5000 series that is said to resolve the issues listed on this page. We are not aware of mitigations by Texas Instruments (which, for the SoC, would have to take the form of a mask ROM update) or for the Motorola EBTS/MBTS base stations, and recommend inquiring directly with the manufacturers.
The NCSC’s CVD guidelines stipulate a 6-month embargo period for hardware and embedded-systems vulnerabilities. We have maintained (and exceeded) this recommended embargo period in order to allow manufacturers to communicate the findings to their customers and/or develop mitigations or compensating controls.
Date | Event
01-01-2021 | Started work on the RE:TETRA project
04-03-2022 | Reported Motorola MTM5000 series vulnerabilities to NCSC
 | Technical call with Motorola
30-03-2022 | Reported TI OMAP-L138 vulnerabilities to NCSC
31-03-2022 | Additional technical call with Texas Instruments
24-01-2023 | Reported Motorola EBTS/MBTS vulnerabilities to NCSC
22-02-2023 | Additional technical call with Motorola
09-08-2023 | Public disclosure of technical details of the vulnerabilities