Researchers Find ‘Backdoor’ in TETRA Encrypted Police and Military Radios

JvdK

Member
Joined
Apr 11, 2023
Messages
119
Location
Zeist, The Netherlands
For those who have high hopes for decrypting TETRA:

This breach in the encryption of TETRA TEA1 was discovered by two Dutch IT technicians over a year ago. Instead of spreading their discovery in the open, they informed the security services about this backdoor and kept it quiet. During this year, users of TEA1 could install the necessary updates to their systems and close this backdoor.


For those who can read a newspaper article in Dutch (or can use Google translate):


Explanation by Midnight Blue (in English):

TETRA:BURST | Midnight Blue

Midnight Blue will reveal all technical details at Black Hat USA (Las Vegas) on August 9th, 2023.
 

radionx

Member
Joined
May 31, 2022
Messages
183
"Well, you're wrong. A couple of systems is far from "taking off", technically or anecdotally."

MPT1327 is more widespread than Tetra in the US, if I'm not mistaken.

Better keep it that way.
 

adsbgreenock

Member
Joined
Sep 11, 2021
Messages
118
Location
Scotland UK
Hi there. It's funny how these "backdoors" or exploits are always revealed whenever the authorities have leveled up and moved on to another part of the spectrum, don't you guys think?

Just as the ESN, or Emergency Services Network, is about to be rolled out by phone network provider EE here in the UK, as an example.

I think it's the usual story though: when the military, police and other blue-light authorities are finished playing with a certain mode or part of the spectrum, it usually opens things up for Joe Public to use or access.

Regards
 

steve9570

Member WSAG-457 -KB1-KZW- KCP-2441 CB-WA1-BZG
Premium Subscriber
Joined
Sep 6, 2007
Messages
227
Location
Natick Ma
There is a large story on this in this month's WIRED magazine. It can also be seen online at Wired.com.
 

batdude

Florida Db Admin / Florida Forum Moderator
Moderator
Joined
Jul 29, 2002
Messages
1,574
Location
East Central, Florida
If anyone is interested, here's that paper on DVP (non-XL):

https://www.cryptomuseum.com/crypto/motorola/saber/files/vulcan_201409.pdf
Hey, I got a shout out as a provider of sparse and/or inaccurate info in that paper.

It was 1995. Info on Securenet stuff was really hard to find at the time... Reference 7 ... LOL, and most everyone was still on 28.8k dialup. Most of the info for my article was from the various books/manuals at the local Moto shop....

 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,386
TEA1 and 4 are approved for export.
'90s proprietary encryption.
Not surprised at all.

Reminds me of Motorola DVP. It has a very large key variable on paper, but it turns out it is linear, and after analysis there were only 255 (approximately) possible keys.

I'd be highly suspect of any proprietary encryption:
Motorola DVI-XL, DVP-XL
GE/Macom VGE

I would love to see an analysis on DVP-XL and VGE.

Thankfully today open encryption standards are used (AES).
Do you have a link to the report saying DVP has only 255 keys?
 

RFI-EMI-GUY

Member
Joined
Dec 22, 2013
Messages
7,386
Hey, I got a shout out as a provider of sparse and/or inaccurate info in that paper.

It was 1995. Info on Securenet stuff was really hard to find at the time... Reference 7 ... LOL, and most everyone was still on 28.8k dialup. Most of the info for my article was from the various books/manuals at the local Moto shop....

I read that twice and am still trying to wrap my head around the vulnerability. I agree the silence dotting pattern is a known plaintext subject to attack. Still can't understand why the authors in 2014 could not obtain a pair of working DVP/Vulcan radios, as eBay is your friend...
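Added example, written for this page and not code from the thread, from Midnight Blue, from the linked DVP paper or from any radio vendor. It ties together the two points made about DVP above: that the keystream generator is linear, and that the silence dotting pattern is a known plaintext. A toy stream cipher driven by a 16-bit LFSR stands in for the real generator (the taps, the 0x55 dotting bytes, the key and the message are all made up for the demonstration and have nothing to do with DVP's actual design). Given only the ciphertext and the known idle pattern at the start of the transmission, the Berlekamp-Massey algorithm recovers the linear recurrence, reproduces the rest of the keystream and reads the traffic. Because the generator is linear, the first L recovered keystream bits are the initial state itself, so the key falls out with no brute force at all, however large the key variable looks on paper.

```python
"""Toy LFSR stream cipher and a known-plaintext attack on it (added example)."""
from typing import List, Tuple

LFSR_BITS = 16
# Feedback taps, as indices into a state list holding s[n] .. s[n+15]:
# s[n+16] = s[n] ^ s[n+2] ^ s[n+3] ^ s[n+5], i.e. the primitive polynomial
# x^16 + x^5 + x^3 + x^2 + 1 (reciprocal of the tabulated x^16+x^14+x^13+x^11+1).
# Chosen for the demo only; these are not the DVP generator's taps.
TAPS = (0, 2, 3, 5)

# Constructed stand-in for the idle "dotting" pattern that precedes speech:
# 64 known bits, more than the 2*L = 32 that Berlekamp-Massey needs.
DOTTING = bytes([0x55]) * 8
DEMO_KEY = 0xBEEF                                   # made-up 16-bit key
DEMO_MESSAGE = DOTTING + b"unit 7 proceed to the staging area"  # constructed


def bytes_to_bits(data: bytes) -> List[int]:
    """MSB-first bit list."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: List[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def lfsr_keystream(state: List[int], n: int) -> List[int]:
    """Fibonacci LFSR: emit state[0], shift, feed back the XOR of the taps."""
    state = list(state)
    out = []
    for _ in range(n):
        out.append(state[0])
        fb = 0
        for t in TAPS:
            fb ^= state[t]
        state = state[1:] + [fb]
    return out


def toy_encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR the plaintext with the LFSR keystream; decryption is the same call."""
    state = [(key >> i) & 1 for i in range(LFSR_BITS)]   # key bits become the state
    ks = lfsr_keystream(state, 8 * len(plaintext))
    return bits_to_bytes([p ^ k for p, k in zip(bytes_to_bits(plaintext), ks)])


def berlekamp_massey(s: List[int]) -> Tuple[List[int], int]:
    """Shortest LFSR over GF(2) generating s: returns (c, L) with
    s[i] = XOR_{j=1..L} c[j] & s[i-j] for every i >= L."""
    n = len(s)
    c = [1] + [0] * n
    b = [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d == 0:
            continue                       # current LFSR still predicts s[i]
        t = c[:]
        shift = i - m
        for j in range(shift, n + 1):
            c[j] ^= b[j - shift]           # correct the discrepancy
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t      # length had to grow
    return c[:L + 1], L


def extend_keystream(prefix: List[int], c: List[int], L: int, n: int) -> List[int]:
    """Run the recovered recurrence forward to n bits."""
    s = list(prefix)
    while len(s) < n:
        bit = 0
        for j in range(1, L + 1):
            bit ^= c[j] & s[-j]
        s.append(bit)
    return s


def known_plaintext_attack(ciphertext: bytes, known_prefix: bytes) -> Tuple[int, int, bytes]:
    """Attacker's side: ciphertext plus the known idle pattern at its start.
    Returns (linear complexity, recovered key, recovered plaintext)."""
    ct_bits = bytes_to_bits(ciphertext)
    ks_known = [x ^ p for x, p in zip(ct_bits, bytes_to_bits(known_prefix))]
    c, L = berlekamp_massey(ks_known)
    ks_full = extend_keystream(ks_known, c, L, len(ct_bits))
    # The generator emits its state bits first, so the first L keystream
    # bits are the initial state, which is the key as loaded by toy_encrypt.
    key = sum(bit << i for i, bit in enumerate(ks_full[:L]))
    plaintext = bits_to_bytes([x ^ k for x, k in zip(ct_bits, ks_full)])
    return L, key, plaintext


def demo() -> Tuple[int, int, bytes]:
    """Encrypt the constructed transmission, then attack it knowing only the dotting."""
    ciphertext = toy_encrypt(DEMO_KEY, DEMO_MESSAGE)
    return known_plaintext_attack(ciphertext, DOTTING)


if __name__ == "__main__":
    L, key, pt = demo()
    print(f"linear complexity {L}, key 0x{key:04X}, plaintext {pt[len(DOTTING):]!r}")
```

The attack needs only 2L bits of known keystream, 32 here, so a single idle period at the start of a transmission is enough; nothing about the key length changes that, which is the point of the "linear" remark above. A generator built from a nonlinear combination of registers, or a block cipher in a stream mode, does not fall to this, which is why the thread's comparison with AES is apt.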
 

Ubbe

Member
Joined
Sep 8, 2006
Messages
9,630
Location
Stockholm, Sweden
Anyone implemented something yet?
There wasn't much new info available. TEA2 is still safe; it is perhaps used in 75% of Tetra systems, and 20% are in the clear, so about 5% use TEA1 or TEA3. They had to manipulate a TEA1 radio and system into thinking it had to run in crippled mode and then only use half the key length in fallback mode. Then they could brute-force the key. They had to buy a Tetra base station to do their experiments on. So there is no new info that can be used to monitor TEA2.

/Ubbe
 

Marawan

Member
Joined
May 2, 2022
Messages
32
Location
UAE
There wasn't much new info available. TEA2 is still safe; it is perhaps used in 75% of Tetra systems, and 20% are in the clear, so about 5% use TEA1 or TEA3. They had to manipulate a TEA1 radio and system into thinking it had to run in crippled mode and then only use half the key length in fallback mode. Then they could brute-force the key. They had to buy a Tetra base station to do their experiments on. So there is no new info that can be used to monitor TEA2.

/Ubbe
How about TEA1?
Does it require a base station?
Can this attack be implemented on offline recordings, like what is done with DMR and P25?
 

RayAir

Member
Joined
Dec 31, 2005
Messages
1,946
I read that twice and am still trying to wrap my head around the vulnerability. I agree the silence dotting pattern is a known plaintext subject to attack. Still can't understand why the authors in 2014 could not obtain a pair of working DVP/Vulcan radios, as eBay is your friend...
Looks like it's not letting me attach it. Let me look later for a link.
 