|
|
|
|
|
|
|
ETSI C2000 → BURST →
Update 9 August 2023 —
The full source code of the reverse-engineered
TETRA encryption algorithms
plus a paper written by the Midnight Blue researchers are now available
➤ More
Digital two-way trunking radio network
TETRA, the abbreviation of Terrestrial Trunked Radio 1
is a standard for digital two-way trunked radio networks,
set in 1995 by the
European Telecommunications Standards Institute
(ETSI). It is used in more than 100 countries by public safety services
(police, ambulance, fire),
transport services, railways, intelligence services and the military.
It is often known under different national names
like C2000
(Netherlands), ASTRID (Belgium) [2], BOSNET (Germany) and AIRWAVE (UK).
TETRA is the most widely used
police radio communications system outside the United States (US).
Like similar standards, such as
P25, DMR and TETRAPOL, it can be used for voice and data transmission.
TETRA uses time-division multiple access (TDMA) with four 'slots'
on a single carrier, with 25 kHz carrier spacing.
For speech, the ACELP codec is used, which is an improved variant of LPC.
In addition, voice and data can be secured by adding optional encryption.
On 24 July 2023, researchers from the Dutch security firm
Midnight Blue revealed several
weaknesses in the encryption and authentication algorithms,
and proved that these flaws were exploitable.
Among the discovered vulnerabilities was a deliberately
created backdoor. 2
The disclosure of these vulnerabilities is known under the project
name TETRA:BURST.
➤ More
|
 |
-
Formerly known as Trans-European Trunked Radio
-
Whether or not it should be called a backdoor is a semantic
discussion. ➤ More
|
|
TETRA supports point-to-point as well as point-to-multipoint transmissions.
Data transmission is supported, albeit at low data rates.
The following modes of operation are supported:
|
TMO Trunked Mode Operation DMO Direct Mode Operation
|
The map below shows in which countries TETRA is used, based on open sources.
These are police forces, military and intelligence services,
and other critical infractructure such as airports, harbours,
power plants, etc. Scroll down for a more detailed overview of each user category.
|
| |
Worldwide penetration of the TETRA standard for two-way radio networks
|
|
The map below shows the countries in which the police forces and
affiliated services use TETRA. This is the vast majority of public
safety services in the world. In many cases
the networks are known under different (local) names. Below the map
are some examples of networks used by the police and other emergency
services throughout Europe, with their network names [10].
|
| |
TETRA used by police and affiliated services
|
|
|
|
Sweden Rakel Denmark SINE Finland VIRVE Portugal SIRESP
|
|
|
Military & Intelligence services
|
|
|
The map below shows in which countries TETRA is used by one or more military
or intelligence organisations for primary, fallback or interfacing
communications, based on open sources [10].
|
| |
TETRA used by military and/or intelligence services
|
|
The map below shows the countries in which TETRA is used in critical
infrastructure, such as airports, harbours, train stations, power plants,
chemical factories, large scale industry, etc. In most cases, TETRA is used
for voice communication. In addition, TETRA is used for data traffic in
SCADA WAN systems, such as
substation & pipeline control and railway signalling [10].
|
| |
TETRA used in critical infrastructure
|
|
TETRA can be secured cryptographically by means of a set of proprietary
encryption algorithms, which are available to a limited number of parties
under strict NDA.
As the algorithms are secret, they have not been subjected to public
security research. This is generally regarded a violation of
Kerckhoffs' Principle [7].
The secret algorithms were developed and evaluated by international experts,
commissioned by ETSI-SAGE — the
Security Algorithms Group of Experts
at ETSI.
The following algorithm suites are known:
|
- TETRA Authentication Algorithm
- TETRA Encryption Algorithm
|
TAA1 is a suite of cryptographic primitives used for authentication,
key derivation and Over The Air Re-keying (OTAR). It is based on the
HURDLE II block cipher, developed in 1996 at the Royal Holloway University of
London (UK) and evaluated by the other ETSI-SAGE members [5].
TEA is an encryption suite 1 for Air Interface Encryption (AIE) that
consists of four stream ciphers, each with an 80-bit key length, with a varying
level of security. The following TEAs are known:
|
- Commercial use, restricted export
- European emergency services
- Extra-European emergency services
- Commercial use, restricted export
|
The TEA1 and TEA2 algorithms were developed between January 1996
and February 1997 at Philips Crypto BV in the
Netherlands, and were evaluated by the other ETSI-SAGE members [4].
Once approved, the TAA and TEA algorithms were imlemented as ETSI
standards [4][5].
One of the people who worked on TEA1 and TEA2 on behalf of
Philips Crypto, was Cees Jansen [11].
The TEA2 algorithm was intended for use by emergency services within
Europe and is arguably the most secure one in the TEA suite.
The TEA1 algorithm is very similar, but as it was intended for commercial
use and export, its key had to be weakened as part of the specifications.
TEA3 was developed for use by emergency services outside Europe
and is very similar to TEA2.
In addition, optional vendor-specific end-to-end encryption (E2EE)
can be deployed on top of AIE, for example AES256, which can be added to
some TETRA devices in the form of a SIM card.
|
-
Not to be confused with Tiny Encryption Algorithm.
|
The diagram below shows which parts of the frequency spectrum are reserved
for use of TETRA equipment. Three segments are assigned in the 400 MHz
band: 380-400 MHz, 410-430 MHz and 440-470 MHz. In the first segment,
two ranges are reserved for the European emergency services: 380-385 MHz
for the mobile stations (uplink), and 390-395 MHz for the base stations
(downlink). The frequencies are harmonised throughout Europe to allow
cross-border operation.
The remaining two segments 410-430 MHz and 440-470 MHz, plus two smaller
segments (870-876 MHz and 915-921 MHz) are also used for TETRA, but
not exlusively. They are shared with other services, such as PMR, PAMR
and LTE.
|
|
A hint that the TEA1 algorithm might have a weakness, can be found
in a diplomatic cable from 2006
– published by WikiLeaks –
about the export of TETRA equipment from Italy to Iran [8].
In the event, the Italian company Finmeccanica
(now: Leonardo)
wanted to export TETRA equipment with TEA1 encryption to Iran, and
contacted the American Embassy in Rome (Italy) to seek for approval.
In the cable, Finmeccanica's Head of Public Affairs Camillo Pirozzi,
is quoted saying:
|
4. (SBU) Comparing the TETRA technology to that found in a GSM cell phone,
Pirozzi asserted repeatedly that "TETRA is absolutely not included in
Wassenaar"...
|
In this context, Wassenaar refers to the Wassenaar Arrangement
on Export Controls for Conventional Arms and Dual-Use Goods and
Technologies, established on 12 July 1996 in Wassenaar (Netherlands)
[9]. A little further in the cable, Pirozzi claims:
|
Pirozzi concluded by noting that the encryption of the TETRA radio system,
less than 40-bits, is below the level of encryption that is considered for
military use.
|
This suggests that any encryption with less than 40 bits is not
considered a weapon, and confirms that TEA1 is indeed less than
40 bits.
|
-
SBU = Sensitive But Unclassified.
|
In July 2023, researchers of the Dutch security firm
Midnight Blue revealed
that they had found five vulnerabilities in the TETRA protocol set, two
of which are deemed critical. One of these critical vulnerabilities
appears to be a backdoor, that was probably inserted intentionally.
As the TAA and TEA algorithms are secret, they have never been
publicly disclosed and, hence, have never been subjected to in-depth
scrutiny by the public. In order to find any vulnerabilities in the
code, the researchers therefore first had to reverse-engineer the
TAA and TEA algorithms.
The reverse-engineering project — RE:TETRA — began
on 1 January 2020, after Midnight Blue
had received funding from the
non-profit NLnet foundation, as part of its
European Commission supported NGI0 PET fund.
Once the software had been extracted and reverse-engineered, the researchers
were able to analyse the code with the intention to find flaws
and ultimately mount an attack. Over the course of more than one year,
the following vulnerabilities were discovered:
|
- ★★★★★ — Dependence on network time
- ★★★★★ — Backdoor in TEA1
- ★★★★☆ — Lack of ciphertext authentication
- ★★★☆☆ — Weak anonymisation
- ★☆☆☆☆ — DCK can be set to 0
|
The first two are deemed critical.
The vulnerabilities were shared with the Dutch NCSC (NCSC-NL)
in December 2020 and were made public on 24 July 2023. In the meantime,
equipment suppliers were given the ability to develop updates or
other mitigations for the reported issues.
➤ More about the TETRA:BURST vulnerabilities
|
TETRA equipment is also used by radio amateurs (HAMs) on frequencies that
have been assigned to the Amateur Radio Service. Note that the use of
encrypted communication is not allowed on amateur frequencies.
Instead, all TETRA radios must be programmed with CLEAR firmware.
In some countries, amateur TETRA repeaters are operational in DMO
and/or TMO modes.
Some useful links:
|
Network TETRA Standard ETSI, 1995 Access TDMA, 4 slots Modulation Π/4 DQPSK Spacing 25 kHz Duplex 10 MHz Ouput 1, 3, 10 or 30 Watt Codec ACELP, 7.2 kb/s Data see below Frequency see below
|
Public safety 308-385 MHz (uplink) Civil use 385-390 MHz Public safety 390-395 MHz (downlink) Civil use 395-400 MHz Civil use 410-430 MHz Amateur 430-440 MHz Civil use 440-470 MHz Civil use 870-876 MHz Civil use 915-921 MHz
|
Clear 7.2, 14.4, 21.6, 28.8 kb/s Secure 4.8, 9.6, 14.4, 19.2 kb/s Secure+ 2.4, 4.8, 7.2, 9.6 kb/s
|
- Airbus
- Ангстрем (Angstrem)
- Cobham
- Damm
- Dimetra
- Hytera
- Finmeccanica
- Frequentis
- Leonardo
|
- Motorola
- Piciorgros
- Rohde & Schwarz Bick
- Rohill
- Sepura
- Simoco
- T-Systems
- Thales
- Thales
|
- Wikipedia, Terrestrial Trunked Radio
Visited 27 July 2023.
- Wikipedia, ASTRID
Visited 27 July 2023.
- TETRA:BURST
Midnight Blue, 24 July 2023.
➤ More
- Cees Jansen, TEA co-developer at Philips Crypto BV
Personal correspondence.
Crypto Museum, July 2023.
- Royal Holloway, University of London, Impact case study (REF3b)
Design of a block cipher used in TETRA secure radio.
REF2014. Undated but probably 2014.
- Wikipedia, Algebraic code-excited linear prediction
Retrieved 5 AUgust 2023.
- Wikipedia, Kerckhoffs's principle
Retrieved 5 August 2023.
- Finmeccanica still pursuing radio contract with Iranian Police
Cable from Italy Rome to Joint Chiefs of Staff, Secretary of State.
B. ROME 01824, 18 July 2006. Obtained via WikiLeaks.
- Wikipedia, Wassenaar Arrangement
12 July 1996. Retrieved 7 August 2023.
- All Cops Are Broadcasting, Breaking TETRA after decades in the shadows
Presentation by Jos Wetzels, Carlo Meijer and Wouter Bokslag at Black Hat 2023.
Midnight Blue, 9 August 2023
- Cees Jansen, De Crypto van C2000
2 August 2023.
|
|
|
|
Any links shown in red are currently unavailable.
If you like the information on this website, why not make a donation?
© Crypto Museum. Created: Sunday 30 July 2023. Last changed: Thursday, 01 February 2024 - 10:32 CET.
|
|
|
|
|
